[openstack-nova] Sanitize EC2 manifests and image tarballs (#767236, CVE 2011-4596)

Pádraig Brady pbrady at fedoraproject.org
Wed Dec 14 11:26:24 UTC 2011


commit f03970143803203b5362845a8451303d64564748
Author: Pádraig Brady <P at draigBrady.com>
Date:   Wed Dec 14 11:12:52 2011 +0000

    Sanitize EC2 manifests and image tarballs (#767236, CVE 2011-4596)

 ...Sanitize-EC2-manifests-and-image-tarballs.patch |  122 ++++++++++++++++++++
 openstack-nova.spec                                |    5 +
 2 files changed, 127 insertions(+), 0 deletions(-)
---
diff --git a/0041-Sanitize-EC2-manifests-and-image-tarballs.patch b/0041-Sanitize-EC2-manifests-and-image-tarballs.patch
new file mode 100644
index 0000000..3add583
--- /dev/null
+++ b/0041-Sanitize-EC2-manifests-and-image-tarballs.patch
@@ -0,0 +1,122 @@
+From 76363226bd8533256f7795bba358d7f4b8a6c9e6 Mon Sep 17 00:00:00 2001
+From: Thierry Carrez <thierry at openstack.org>
+Date: Thu, 1 Dec 2011 17:54:16 +0100
+Subject: [PATCH] Sanitize EC2 manifests and image tarballs
+
+Prevent potential directory traversal with malicious EC2 image tarballs,
+by making sure the tarfile is safe before unpacking it. Fixes bug 894755
+
+Prevent potential directory traversal with malicious file names in
+EC2 image manifests. Fixes bug 885167
+
+(cherry picked from commit ad3241929ea00569c74505ed002208ce360c667e)
+
+Change-Id: If6109047307bd6e654ee9d1254f0d7f31cf741c1
+---
+ MANIFEST.in                 |    1 +
+ nova/image/s3.py            |   13 ++++++++++++-
+ nova/tests/image/abs.tar.gz |  Bin 0 -> 153 bytes
+ nova/tests/image/rel.tar.gz |  Bin 0 -> 165 bytes
+ nova/tests/image/test_s3.py |   10 ++++++++++
+ 5 files changed, 23 insertions(+), 1 deletions(-)
+ create mode 100644 nova/tests/image/abs.tar.gz
+ create mode 100644 nova/tests/image/rel.tar.gz
+
+diff --git a/MANIFEST.in b/MANIFEST.in
+index 883aba8..93bb5be 100644
+--- a/MANIFEST.in
++++ b/MANIFEST.in
+@@ -39,6 +39,7 @@ include nova/tests/bundle/1mb.part.0
+ include nova/tests/bundle/1mb.part.1
+ include nova/tests/public_key/*
+ include nova/tests/db/nova.austin.sqlite
++include nova/tests/image/*.tar.gz
+ include plugins/xenapi/README
+ include plugins/xenapi/etc/xapi.d/plugins/objectstore
+ include plugins/xenapi/etc/xapi.d/plugins/pluginlib_nova.py
+diff --git a/nova/image/s3.py b/nova/image/s3.py
+index abf01a9..801d9e5 100644
+--- a/nova/image/s3.py
++++ b/nova/image/s3.py
+@@ -100,7 +100,7 @@ class S3ImageService(service.BaseImageService):
+     @staticmethod
+     def _download_file(bucket, filename, local_dir):
+         key = bucket.get_key(filename)
+-        local_filename = os.path.join(local_dir, filename)
++        local_filename = os.path.join(local_dir, os.path.basename(filename))
+         key.get_contents_to_filename(local_filename)
+         return local_filename
+ 
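Review bot: `os.path.basename(filename)` in `_download_file` can return an empty string (a manifest name ending in `/`) or `..`, in which case `local_filename` names a directory and the download fails with an unrelated I/O error rather than a clear rejection. Two manifest entries that differ only in their directory part now also map to the same local file, and the later download silently overwrites the earlier one. A guard right after the assignment would make the first case explicit, for example `if os.path.basename(filename) in ('', '.', '..'): raise exception.Error(_('Unsafe filenames in image'))`. Whether colliding basenames need handling depends on what manifests are expected to contain.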
+@@ -316,7 +316,18 @@ class S3ImageService(service.BaseImageService):
+                                      'err': err})
+ 
+     @staticmethod
++    def _test_for_malicious_tarball(path, filename):
++        """Raises exception if extracting tarball would escape extract path"""
++        tar_file = tarfile.open(filename, 'r|gz')
++        for n in tar_file.getnames():
++            if not os.path.abspath(os.path.join(path, n)).startswith(path):
++                tar_file.close()
++                raise exception.Error(_('Unsafe filenames in image'))
++        tar_file.close()
++
++    @staticmethod
+     def _untarzip_image(path, filename):
++        S3ImageService._test_for_malicious_tarball(path, filename)
+         tar_file = tarfile.open(filename, 'r|gz')
+         tar_file.extractall(path)
+         image_file = tar_file.getnames()[0]
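Review bot: The containment test in `_test_for_malicious_tarball` is a raw string prefix match, so with an extract path such as `/tmp/img` a member that resolves to a sibling like `/tmp/img-other/x` still passes `startswith(path)`, and `path` itself is never normalised before the comparison. Only member names are examined; symlink and hard-link members are not, and their link targets can point outside the directory that `extractall` later writes into. The `close()` calls are also skipped if `getnames()` raises on a corrupt archive. I would normalise the base once, compare against the base plus a trailing separator, refuse link members (assuming images have no need for them), and close in a `finally`, as sketched below. `_untarzip_image` continues past the end of this hunk.

```python
    @staticmethod
    def _test_for_malicious_tarball(path, filename):
        # … unchanged: docstring …
        base = os.path.abspath(path)
        prefix = os.path.join(base, '')  # base with exactly one trailing separator
        tar_file = tarfile.open(filename, 'r|gz')
        try:
            for member in tar_file:
                target = os.path.abspath(os.path.join(base, member.name))
                if member.issym() or member.islnk():
                    raise exception.Error(_('Unsafe filenames in image'))
                if target != base and not target.startswith(prefix):
                    raise exception.Error(_('Unsafe filenames in image'))
        finally:
            tar_file.close()
```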
+diff --git a/nova/tests/image/abs.tar.gz b/nova/tests/image/abs.tar.gz
+new file mode 100644
+index 0000000000000000000000000000000000000000..4d39507340b2afa707112791ed3af4a3597667c9
+GIT binary patch
+literal 153
+zcmb2|=3wYvb;FN=`RzqVu0sX_tq<4Oy5>!oIm_o<u=qQ#C2k*n%yM12Bg2tH>EHb{
+zF=GS%xD}UG=Xi6jldn8wxpk%G$tt}$t7g8OaD`1>EB9^iaUcEd*|O>HW7mE^yL<27
+zelG9-%M0IqT`Za-X8x-`|8KU<s?V3SFWj2{-F|A(k1{p}WH7&yA at E7N0)qwv0{~cE
+BLu~*6
+
+literal 0
+HcmV?d00001
+
+diff --git a/nova/tests/image/rel.tar.gz b/nova/tests/image/rel.tar.gz
+new file mode 100644
+index 0000000000000000000000000000000000000000..b54f55aa790e66950b09ff69033d0e66d2c0c839
+GIT binary patch
+literal 165
+zcmb2|=3vlSeZ!A|`Rye~u0sX_tq<4Oy82y6$uhF_k1YvTGF)`;UYVlDMo|@oNB;$9
+z9A)|RAk|~%ol~kim(BE-?9cN!Idj&ZC9faZEbabRX(u5VI at PRe+p*L8rY7X9nU!?(
+zXUMOdwVF?NRldLb&z*PuZ~HGh?@1RQT$Q-^|Asg5%ikx}?&Wy>Z_j_jrFXX*Ga!Q>
+PXJo%RS=%sZFfafBwk1wR
+
+literal 0
+HcmV?d00001
+
+diff --git a/nova/tests/image/test_s3.py b/nova/tests/image/test_s3.py
+index f1ceeb7..4ab36a0 100644
+--- a/nova/tests/image/test_s3.py
++++ b/nova/tests/image/test_s3.py
+@@ -15,6 +15,8 @@
+ #    License for the specific language governing permissions and limitations
+ #    under the License.
+ 
++import os
++
+ from nova import context
+ from nova import test
+ from nova.image import s3
+@@ -112,3 +114,11 @@ class TestS3ImageService(test.TestCase):
+             {'device_name': '/dev/sdb0',
+              'no_device': True}]
+         self.assertEqual(block_device_mapping, expected_bdm)
++
++    def test_s3_malicious_tarballs(self):
++        self.assertRaises(exception.Error,
++            self.image_service._test_for_malicious_tarball,
++            "/unused", os.path.join(os.path.dirname(__file__), 'abs.tar.gz'))
++        self.assertRaises(exception.Error,
++            self.image_service._test_for_malicious_tarball,
++            "/unused", os.path.join(os.path.dirname(__file__), 'rel.tar.gz'))
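Review bot: `exception.Error` is referenced in `test_s3_malicious_tarballs`, but the import hunk of this file adds only `import os`, and the imports visible there (`context`, `test`, `s3`) do not include `exception`. Unless it is imported somewhere outside the shown lines, the test errors with a NameError instead of exercising the check, so `from nova import exception` should be added alongside the other `nova` imports. Both cases here are negative; a benign archive that must pass, and a member that resolves to a sibling directory sharing the `/unused` prefix, would pin down the boundary of the check. The test class starts outside the hunk.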
+-- 
+1.7.6.4
+
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 4088749..cf5c888 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -74,6 +74,7 @@ Patch37:          0037-Have-nova-api-add-the-INPUT-rule-for-EC2-metadata-lp.patc
 Patch38:          0038-Allow-the-user-to-choose-either-ietadm-or-tgtadm-lp-.patch
 Patch39:          0039-Remove-VolumeDriver.sync_exec-method-lp-819997.patch
 Patch40:          0040-Refactor-ietadm-tgtadm-calls-out-into-helper-classes.patch
+Patch41:          0041-Sanitize-EC2-manifests-and-image-tarballs.patch
 
 # These are fedora specific
 Patch100:         openstack-nova-nonet.patch
@@ -253,6 +254,7 @@ This package contains documentation files for nova.
 %patch38 -p1
 %patch39 -p1
 %patch40 -p1
+%patch41 -p1
 
 # apply local patches
 %patch100 -p1
@@ -444,6 +446,9 @@ fi
 %endif
 
 %changelog
+* Tue Dec 14 2011 Pádraig Brady <P at draigBrady.com> - 2011.3-12
+- Sanitize EC2 manifests and image tarballs (#767236, CVE 2011-4596)
+
 * Tue Dec 06 2011 Russell Bryant <rbryant at redhat.com> - 2011.3-11
 - Add --yes, --rootpw, and --novapw options to openstack-nova-db-setup.
 

