[openstack-nova/f17] prohibit host file corruption through file injection (CVE-2012-3447)

Pádraig Brady pbrady at fedoraproject.org
Wed Aug 8 13:43:52 UTC 2012


commit c444f28b1eda5f8e12dd85066e03d0e65f130f1f
Author: Pádraig Brady <P at draigBrady.com>
Date:   Wed Aug 8 14:41:00 2012 +0100

    prohibit host file corruption through file injection (CVE-2012-3447)

 ...file-injection-writing-to-host-filesystem.patch |   81 ++++++++++++++++++++
 openstack-nova.spec                                |    3 +
 2 files changed, 84 insertions(+), 0 deletions(-)
---
diff --git a/0046-Prohibit-file-injection-writing-to-host-filesystem.patch b/0046-Prohibit-file-injection-writing-to-host-filesystem.patch
new file mode 100644
index 0000000..2cf0ae8
--- /dev/null
+++ b/0046-Prohibit-file-injection-writing-to-host-filesystem.patch
@@ -0,0 +1,81 @@
+From dd746b9bfd441c1c71b5f343147bfeb4471256d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
+Date: Tue, 31 Jul 2012 14:05:35 +0100
+Subject: [PATCH] Prohibit file injection writing to host filesystem
+
+This is a refinement of the previous fix in commit 2427d4a9,
+which does the file name canonicalization as the root user.
+This is required so that guest images could not for example,
+protect malicious symlinks in a directory only readable by root.
+
+Fixes bug: 1031311, CVE-2012-3447
+Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c
+---
+ nova/tests/test_virt.py   |   12 ++++++++++++
+ nova/tests/test_xenapi.py |    4 ++++
+ nova/virt/disk/api.py     |    4 +++-
+ 3 files changed, 19 insertions(+), 1 deletions(-)
+
+diff --git a/nova/tests/test_virt.py b/nova/tests/test_virt.py
+index c4aa828..4274c1d 100644
+--- a/nova/tests/test_virt.py
++++ b/nova/tests/test_virt.py
+@@ -18,6 +18,7 @@
+ from nova import exception
+ from nova import flags
+ from nova import test
++from nova import utils
+ from nova.virt.disk import api as disk_api
+ from nova.virt import driver
+ 
+@@ -86,6 +87,17 @@ class TestVirtDriver(test.TestCase):
+ 
+ 
+ class TestVirtDisk(test.TestCase):
++    def setUp(self):
++        super(TestVirtDisk, self).setUp()
++
++        real_execute = utils.execute
++
++        def nonroot_execute(*cmd_parts, **kwargs):
++            kwargs.pop('run_as_root', None)
++            return real_execute(*cmd_parts, **kwargs)
++
++        self.stubs.Set(utils, 'execute', nonroot_execute)
++
+     def test_check_safe_path(self):
+         ret = disk_api._join_and_check_path_within_fs('/foo', 'etc',
+                                                       'something.conf')
+diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
+index f7d3b79..f9444bc 100644
+--- a/nova/tests/test_xenapi.py
++++ b/nova/tests/test_xenapi.py
+@@ -597,9 +597,13 @@ class XenAPIVMTestCase(test.TestCase):
+             self._tee_executed = True
+             return '', ''
+ 
++        def _readlink_handler(cmd_parts, **kwargs):
++            return os.path.realpath(cmd_parts[2]), ''
++
+         fake_utils.fake_execute_set_repliers([
+             # Capture the tee .../etc/network/interfaces command
+             (r'tee.*interfaces', _tee_handler),
++            (r'readlink -nm.*', _readlink_handler),
+         ])
+         self._test_spawn(glance_stubs.FakeGlance.IMAGE_MACHINE,
+                          glance_stubs.FakeGlance.IMAGE_KERNEL,
+diff --git a/nova/virt/disk/api.py b/nova/virt/disk/api.py
+index 16d03c6..9dc5674 100644
+--- a/nova/virt/disk/api.py
++++ b/nova/virt/disk/api.py
+@@ -303,7 +303,9 @@ def _join_and_check_path_within_fs(fs, *args):
+     mounted guest fs.  Trying to be clever and specifying a
+     path with '..' in it will hit this safeguard.
+     '''
+-    absolute_path = os.path.realpath(os.path.join(fs, *args))
++    absolute_path, _err = utils.execute('readlink', '-nm',
++                                        os.path.join(fs, *args),
++                                        run_as_root=True)
+     if not absolute_path.startswith(os.path.realpath(fs) + '/'):
+         raise exception.Invalid(_('injected file path not valid'))
+     return absolute_path
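Review bot: In the `nova/virt/disk/api.py` part of the embedded patch, the new `utils.execute('readlink', '-nm', ...)` call discards `_err` and does not handle a failure of the privileged helper. Rejected paths raise `exception.Invalid`, but a failed root invocation (for example a sudo or rootwrap misconfiguration) would presumably surface as whatever `utils.execute` raises, which callers that only expect `Invalid` may not handle. Consider wrapping the call in a `try` and re-raising the execution error as `exception.Invalid(_('injected file path not valid'))`, so every rejection leaves the function the same way. The prefix check still compares against `os.path.realpath(fs)`, resolved as the service user, while the candidate path is resolved as root; a comment above the call such as `# Resolve as root: a guest image can hide symlinks in directories only root can read.` would record why the two differ. The start of `_join_and_check_path_within_fs` and its docstring lie outside the hunk.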
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 651e4a3..6a224eb 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -74,6 +74,7 @@ Patch0042: 0042-Convert-remaining-network-API-casts-to-calls.patch
 Patch0043: 0043-Moving-where-the-fixed-ip-deallocation-happens.patch
 Patch0044: 0044-fix-the-qpid_heartbeat-option-so-that-it-s-effective.patch
 Patch0045: 0045-Add-error-log-for-live-migration.patch
+Patch0046: 0046-Prohibit-file-injection-writing-to-host-filesystem.patch
 
 BuildArch:        noarch
 BuildRequires:    intltool
@@ -419,6 +420,7 @@ This package contains documentation files for nova.
 %patch0043 -p1
 %patch0044 -p1
 %patch0045 -p1
+%patch0046 -p1
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
 
@@ -810,6 +812,7 @@ fi
 %changelog
 * Wed Aug  8 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.1-13
 - Log live migration errors
+- Prohibit host file corruption through file injection (CVE-2012-3447)
 
 * Mon Aug  6 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.1-12
 - Fix group installation issue introduced in 2012.1.1-10

