Michael Still (mikal) reports:
Title: Nova fails to verify image virtual size
Reporter: Loganathan Parthipan
Affects: All versions
Loganathan Parthipan publicly reported a vulnerability in Nova. Nova
did not implement checking for the virtual size of a qcow2 image used
as ephemeral storage for instances. It is therefore possible for a
user to create an image which has a large virtual size, but little
data. Once the instance is created, the user can then proceed to fill
the virtual disk, and consume all available disk on the host node file
Havana (development branch) fix:
This issue did NOT affect the version of the openstack-nova package, as shipped with Fedora release of 17.
This issue affects the version of the openstack-nova package, as shipped with Fedora release of 18. Please schedule an update.
This issue affects the version of the openstack-nova package, as shipped with Fedora EPEL-6. Please schedule an update.
Created openstack-nova tracking bugs for this issue
Affects: fedora-18 [bug 963727]
Affects: epel-6 [bug 963728]
This issue has been addressed in following products:
Red Hat OpenStack 3.0 Snap 1
Via RHBA-2013-0878 https://rhn.redhat.com/errata/RHBA-2013-0878.html
The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in OpenStack 2.1 (Folsom). This issue is planned to be addressed in version OpenStack 3.0 (Grizzly). For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.