yahoo-eng-team team mailing list archive
Message #85580
[Bug 1552042] Re: Host data corruption through nova inject_key feature
Thanks for following up on this longstanding report. Given the fix is
unlikely to be backported to supported stable branches, the VMT
considers such reports class B1
( https://security.openstack.org/vmt-process.html#incident-report-taxonomy )
so there's no call for issuing an advisory.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Public Security to Public
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1552042
Title:
Host data corruption through nova inject_key feature
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Reported by Garth Mollett from Red Hat.
The nova.virt.disk.vfs.VFSLocalFS has measures to prevent symlink
traversal outside of the root of the images directory but it does not
prevent access to device nodes inside the image itself. A simple fix
should be to mount with the 'nodev' option.
Under certain circumstances, the boot process will fall back to
VFSLocalFS when trying to inject the public key, for libvirt:
* when libguestfs is not installed or can't be loaded.
* use_cow_images=false and inject_partition for non-nbd
* for loopback mount at least, there is a race condition to win in virt/disk/mount/api.py between kpartx and a /dev/mapper/ file creation: os.path.exists can run before the path exists even though it's there half a second later.
The xenapi is also likely vulnerable, though untested.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1552042/+subscriptions
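
An added example, not part of the original message and not nova's code: a sketch of the two checks the bug description implies, confirming that an image mount carries 'nodev' and refusing write targets that escape the image root or are special files. The names mount_has_nodev, safe_target, demo and the sample mount points are hypothetical; a path check like this is still racy, so the 'nodev' mount option remains the fix the report names.

```python
import os
import stat
import tempfile

# Constructed /proc/mounts-style sample; devices and mount points are made up.
SAMPLE_MOUNTS = """\
/dev/loop0 /mnt/imgA ext4 rw,relatime 0 0
/dev/loop1 /mnt/imgB ext4 rw,nosuid,nodev,relatime 0 0
"""

def mount_has_nodev(mounts_text, mount_point):
    """True if the most recent mount at mount_point carries 'nodev'."""
    found = False
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mount_point:
            found = "nodev" in fields[3].split(",")  # later entries override
    return found

def safe_target(root, guest_path):
    """Resolve guest_path under root; refuse escapes and special files."""
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, guest_path.lstrip("/")))
    if full != root and not full.startswith(root + os.sep):
        raise ValueError("path escapes image root: " + guest_path)
    if os.path.lexists(full):
        mode = os.lstat(full).st_mode
        # Only regular files and directories are acceptable write targets;
        # block/char devices, FIFOs and sockets are rejected.
        if not (stat.S_ISREG(mode) or stat.S_ISDIR(mode)):
            raise ValueError("refusing special file: " + guest_path)
    return full

def demo():
    """Run safe_target over a constructed temp tree; a FIFO stands in for a
    device node because creating one needs no privileges."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "data"))
        os.mkfifo(os.path.join(root, "data", "special"))
        os.symlink("/", os.path.join(root, "out"))
        for path in ("data/special", "out/x", "home/user/key"):
            try:
                safe_target(root, path)
                results[path] = "ok"
            except ValueError as exc:
                results[path] = str(exc).split(":")[0]
    return results

if __name__ == "__main__":
    print(mount_has_nodev(SAMPLE_MOUNTS, "/mnt/imgA"), demo())
```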