[openstack-nova/f17] prohibit host file corruption through file injection (CVE-2012-3447)
Pádraig Brady
pbrady at fedoraproject.org
Wed Aug 8 13:43:52 UTC 2012
commit c444f28b1eda5f8e12dd85066e03d0e65f130f1f
Author: Pádraig Brady <P at draigBrady.com>
Date: Wed Aug 8 14:41:00 2012 +0100
prohibit host file corruption through file injection (CVE-2012-3447)
...file-injection-writing-to-host-filesystem.patch | 81 ++++++++++++++++++++
openstack-nova.spec | 3 +
2 files changed, 84 insertions(+), 0 deletions(-)
---
diff --git a/0046-Prohibit-file-injection-writing-to-host-filesystem.patch b/0046-Prohibit-file-injection-writing-to-host-filesystem.patch
new file mode 100644
index 0000000..2cf0ae8
--- /dev/null
+++ b/0046-Prohibit-file-injection-writing-to-host-filesystem.patch
@@ -0,0 +1,81 @@
+From dd746b9bfd441c1c71b5f343147bfeb4471256d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
+Date: Tue, 31 Jul 2012 14:05:35 +0100
+Subject: [PATCH] Prohibit file injection writing to host filesystem
+
+This is a refinement of the previous fix in commit 2427d4a9,
+which does the file name canonicalization as the root user.
+This is required so that guest images could not for example,
+protect malicious symlinks in a directory only readable by root.
+
+Fixes bug: 1031311, CVE-2012-3447
+Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c
+---
+ nova/tests/test_virt.py | 12 ++++++++++++
+ nova/tests/test_xenapi.py | 4 ++++
+ nova/virt/disk/api.py | 4 +++-
+ 3 files changed, 19 insertions(+), 1 deletions(-)
+
+diff --git a/nova/tests/test_virt.py b/nova/tests/test_virt.py
+index c4aa828..4274c1d 100644
+--- a/nova/tests/test_virt.py
++++ b/nova/tests/test_virt.py
+@@ -18,6 +18,7 @@
+ from nova import exception
+ from nova import flags
+ from nova import test
++from nova import utils
+ from nova.virt.disk import api as disk_api
+ from nova.virt import driver
+
+@@ -86,6 +87,17 @@ class TestVirtDriver(test.TestCase):
+
+
+ class TestVirtDisk(test.TestCase):
++ def setUp(self):
++ super(TestVirtDisk, self).setUp()
++
++ real_execute = utils.execute
++
++ def nonroot_execute(*cmd_parts, **kwargs):
++ kwargs.pop('run_as_root', None)
++ return real_execute(*cmd_parts, **kwargs)
++
++ self.stubs.Set(utils, 'execute', nonroot_execute)
++
+ def test_check_safe_path(self):
+ ret = disk_api._join_and_check_path_within_fs('/foo', 'etc',
+ 'something.conf')
+diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
+index f7d3b79..f9444bc 100644
+--- a/nova/tests/test_xenapi.py
++++ b/nova/tests/test_xenapi.py
+@@ -597,9 +597,13 @@ class XenAPIVMTestCase(test.TestCase):
+ self._tee_executed = True
+ return '', ''
+
++ def _readlink_handler(cmd_parts, **kwargs):
++ return os.path.realpath(cmd_parts[2]), ''
++
+ fake_utils.fake_execute_set_repliers([
+ # Capture the tee .../etc/network/interfaces command
+ (r'tee.*interfaces', _tee_handler),
++ (r'readlink -nm.*', _readlink_handler),
+ ])
+ self._test_spawn(glance_stubs.FakeGlance.IMAGE_MACHINE,
+ glance_stubs.FakeGlance.IMAGE_KERNEL,
+diff --git a/nova/virt/disk/api.py b/nova/virt/disk/api.py
+index 16d03c6..9dc5674 100644
+--- a/nova/virt/disk/api.py
++++ b/nova/virt/disk/api.py
+@@ -303,7 +303,9 @@ def _join_and_check_path_within_fs(fs, *args):
+ mounted guest fs. Trying to be clever and specifying a
+ path with '..' in it will hit this safeguard.
+ '''
+- absolute_path = os.path.realpath(os.path.join(fs, *args))
++ absolute_path, _err = utils.execute('readlink', '-nm',
++ os.path.join(fs, *args),
++ run_as_root=True)
+ if not absolute_path.startswith(os.path.realpath(fs) + '/'):
+ raise exception.Invalid(_('injected file path not valid'))
+ return absolute_path
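Review bot: The docstring of `_join_and_check_path_within_fs` is not updated to explain why the canonicalisation in the new `utils.execute('readlink', '-nm', ...)` call runs as root, and that reason is security-relevant: a non-root `os.path.realpath` cannot traverse guest directories readable only by root, so a symlink hidden there would go unresolved. I would add a comment above the call such as `# Resolve as root: guest-controlled symlinks may sit in root-only dirs that a non-root realpath() cannot traverse.` The check also only protects the host if callers write to the returned `absolute_path` rather than re-joining the original components; the callers are outside this hunk, so that is worth confirming and stating in the docstring. The right-hand side of the `startswith` test still calls `os.path.realpath(fs)` without root, which is probably fine for a host-created mount point but leaves the two sides resolved under different privileges. The function's signature and the start of its docstring lie outside the hunk.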
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 651e4a3..6a224eb 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -74,6 +74,7 @@ Patch0042: 0042-Convert-remaining-network-API-casts-to-calls.patch
Patch0043: 0043-Moving-where-the-fixed-ip-deallocation-happens.patch
Patch0044: 0044-fix-the-qpid_heartbeat-option-so-that-it-s-effective.patch
Patch0045: 0045-Add-error-log-for-live-migration.patch
+Patch0046: 0046-Prohibit-file-injection-writing-to-host-filesystem.patch
BuildArch: noarch
BuildRequires: intltool
@@ -419,6 +420,7 @@ This package contains documentation files for nova.
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
+%patch0046 -p1
find . \( -name .gitignore -o -name .placeholder \) -delete
@@ -810,6 +812,7 @@ fi
%changelog
* Wed Aug 8 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.1-13
- Log live migration errors
+- Prohibit host file corruption through file injection (CVE-2012-3447)
* Mon Aug 6 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.1-12
- Fix group installation issue introduced in 2012.1.1-10