2015-04-27 14:32:56 |
Tristan Cacqueray |
bug |
|
|
added bug |
2015-04-27 14:32:56 |
Tristan Cacqueray |
attachment added |
|
afl1.img https://bugs.launchpad.net/bugs/1449062/+attachment/4385683/+files/afl1.img |
|
2015-04-27 14:33:11 |
Tristan Cacqueray |
attachment added |
|
afl2.img https://bugs.launchpad.net/ossa/+bug/1449062/+attachment/4385684/+files/afl2.img |
|
2015-04-27 14:33:23 |
Tristan Cacqueray |
attachment added |
|
afl3.img https://bugs.launchpad.net/ossa/+bug/1449062/+attachment/4385685/+files/afl3.img |
|
2015-04-27 14:34:19 |
Tristan Cacqueray |
bug task added |
|
nova |
|
2015-04-27 14:34:37 |
Tristan Cacqueray |
bug task added |
|
glance |
|
2015-04-27 14:35:10 |
Tristan Cacqueray |
bug |
|
|
added subscriber Richard Jones |
2015-04-27 14:35:33 |
Tristan Cacqueray |
bug |
|
|
added subscriber Daniel Berrange |
2015-04-27 14:36:14 |
Tristan Cacqueray |
bug |
|
|
added subscriber nikhil komawar |
2015-04-27 14:36:29 |
Tristan Cacqueray |
bug |
|
|
added subscriber Andrew Laski |
2015-04-27 14:36:37 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
2015-04-27 14:52:04 |
Nikhil Komawar |
glance: status |
New |
Triaged |
|
2015-04-27 14:52:09 |
Nikhil Komawar |
glance: importance |
Undecided |
High |
|
2015-04-27 14:54:26 |
Richard Jones |
attachment added |
|
afl4.img https://bugs.launchpad.net/ossa/+bug/1449062/+attachment/4385687/+files/afl4.img |
|
2015-05-04 14:44:03 |
Thierry Carrez |
ossa: importance |
Undecided |
Medium |
|
2015-05-04 14:44:03 |
Thierry Carrez |
ossa: status |
Incomplete |
Confirmed |
|
2015-05-04 14:47:27 |
Thierry Carrez |
nova: status |
New |
Confirmed |
|
2015-05-06 03:26:12 |
Michael Still |
bug |
|
|
added subscriber Nova Core security contacts |
2015-05-20 08:29:25 |
Richard Jones |
bug |
|
|
added subscriber Garth Mollett |
2015-05-23 21:44:36 |
Nikhil Komawar |
glance: milestone |
|
liberty-1 |
|
2015-05-23 21:44:39 |
Nikhil Komawar |
glance: assignee |
|
nikhil komawar (nikhil-komawar) |
|
2015-06-15 17:04:58 |
Daniel Berrange |
nova: assignee |
|
Daniel Berrange (berrange) |
|
2015-06-16 15:05:32 |
Daniel Berrange |
attachment added |
|
Apply limits when running qemu-img info https://bugs.launchpad.net/ossa/+bug/1449062/+attachment/4415726/+files/0001-virt-restrict-resource-usage-of-qemu-img-info.patch |
|
2015-06-16 15:25:23 |
Daniel Berrange |
bug task added |
|
cinder |
|
2015-06-16 15:27:02 |
Tristan Cacqueray |
bug |
|
|
added subscriber Cinder Core security contacts |
2015-06-16 15:35:46 |
Daniel Berrange |
attachment added |
|
Apply limits when running qemu-img info https://bugs.launchpad.net/cinder/+bug/1449062/+attachment/4415742/+files/0001-virt-restrict-resource-usage-of-qemu-img-info.patch |
|
2015-06-16 19:18:16 |
Tristan Cacqueray |
attachment added |
|
cinder-liberty-qemu-prlimit.patch https://bugs.launchpad.net/ossa/+bug/1449062/+attachment/4415792/+files/cinder-liberty-qemu-prlimit.patch |
|
2015-06-23 15:02:09 |
Nikhil Komawar |
glance: milestone |
liberty-1 |
liberty-2 |
|
2015-06-23 23:37:03 |
Michael Still |
bug |
|
|
added subscriber Davanum Srinivas (DIMS) |
2015-06-29 14:24:47 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
Reported via private E-mail from Richard W.M. Jones.
Turns out the qemu image parser is not hardened against malicious input and can be abused to allocate an arbitrary amount of memory and/or dump a lot of information when used with "--output=json".
The solution seems to be: limit qemu-img resources using ulimit.
Example of abuse:
-- afl1.img --
$ /usr/bin/time qemu-img info afl1.img
image: afl1.img
[...]
0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
0inputs+0outputs (0major+156927minor)pagefaults 0swaps
The original image is 516 bytes, but it causes qemu-img to allocate 640 MB.
-- afl2.img --
$ qemu-img info --output=json afl2.img | wc -l
589843
This is a 200K image which causes qemu-img info to output half a
million lines of JSON (14 MB of JSON).
Glance runs the --output=json variant of the command.
-- afl3.img --
$ /usr/bin/time qemu-img info afl3.img
image: afl3.img
[...]
0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
0inputs+0outputs (0major+311994minor)pagefaults 0swaps
qemu-img allocates 1.3 GB (actually, a bit more if you play with
ulimit -v). It appears that you could change it to allocate
arbitrarily large amounts of RAM. |
Reported via private E-mail from Richard W.M. Jones.
Turns out the qemu image parser is not hardened against malicious input and can be abused to allocate an arbitrary amount of memory and/or dump a lot of information when used with "--output=json".
The solution seems to be: limit qemu-img resources using ulimit.
Example of abuse:
-- afl1.img --
$ /usr/bin/time qemu-img info afl1.img
image: afl1.img
[...]
0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
0inputs+0outputs (0major+156927minor)pagefaults 0swaps
The original image is 516 bytes, but it causes qemu-img to allocate 640 MB.
-- afl2.img --
$ qemu-img info --output=json afl2.img | wc -l
589843
This is a 200K image which causes qemu-img info to output half a
million lines of JSON (14 MB of JSON).
Glance runs the --output=json variant of the command.
-- afl3.img --
$ /usr/bin/time qemu-img info afl3.img
image: afl3.img
[...]
0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
0inputs+0outputs (0major+311994minor)pagefaults 0swaps
qemu-img allocates 1.3 GB (actually, a bit more if you play with
ulimit -v). It appears that you could change it to allocate
arbitrarily large amounts of RAM. |
|
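The mitigation this report converges on, resource limits applied to the qemu-img child from the caller (the "preexecfn" approach) plus a bound on how much --output=json the caller is willing to read, as an added Python example; this is not the nova or oslo.concurrency patch attached to the bug. It assumes Linux rlimit semantics and uses a Python child as a constructed stand-in for qemu-img, so no crafted image is involved.

```python
import resource
import subprocess
import sys

MIB = 1024 * 1024

def _clamp(limit, value):
    """Never request more than the current hard limit, or setrlimit fails."""
    _, hard = resource.getrlimit(limit)
    return value if hard == resource.RLIM_INFINITY else min(value, hard)

def _make_limiter(address_space_bytes, cpu_seconds):
    """preexec_fn: set RLIMIT_AS/RLIMIT_CPU in the child, after fork() and
    before exec(), so the ceiling binds only the inspector process."""
    def limiter():
        mem = _clamp(resource.RLIMIT_AS, address_space_bytes)
        cpu = _clamp(resource.RLIMIT_CPU, cpu_seconds)
        resource.setrlimit(resource.RLIMIT_AS, (mem, mem))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu, cpu))
    return limiter

def run_limited(cmd, address_space_bytes=1024 * MIB, cpu_seconds=8, max_output_bytes=MIB):
    """Run cmd (e.g. ["qemu-img", "info", "--output=json", path]) under an
    address-space and CPU-time ceiling, reading at most max_output_bytes of
    stdout. Returns (returncode, stdout, truncated). Over RLIMIT_AS the child's
    allocations fail; over RLIMIT_CPU it gets SIGXCPU; if it floods stdout past
    the cap the caller kills it instead of buffering 14 MB of JSON."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                            preexec_fn=_make_limiter(address_space_bytes, cpu_seconds))
    out = proc.stdout.read(max_output_bytes + 1)  # one byte past the cap flags overflow
    truncated = len(out) > max_output_bytes
    if truncated:
        proc.kill()
        out = out[:max_output_bytes]
    proc.stdout.close()
    return proc.wait(), out, truncated

# Demos: a Python child is the constructed stand-in for qemu-img.
def demo_within_limits(address_space_bytes=1024 * MIB):
    """A well-behaved inspection: modest allocation, short output."""
    child = "bytearray(16 * 1024 ** 2); print('ok')"
    rc, out, truncated = run_limited([sys.executable, "-c", child], address_space_bytes)
    return rc, out.strip(), truncated

def demo_memory_bomb(address_space_bytes=1024 * MIB):
    """Stand-in for afl3.img: asks for 4 GiB, far over the ceiling, and exits
    non-zero with MemoryError instead of getting the RAM."""
    child = "bytearray(4 * 1024 ** 3)"
    return run_limited([sys.executable, "-c", child], address_space_bytes)[0]

def demo_output_flood(max_output_bytes=64 * 1024):
    """Stand-in for afl2.img: a million JSON lines; the caller stops at the
    cap, kills the child and reports truncation."""
    child = ("import sys\n"
             "for i in range(10 ** 6):\n"
             "    sys.stdout.write('{\"i\": %d}\\n' % i)\n")
    _, out, truncated = run_limited([sys.executable, "-c", child],
                                    max_output_bytes=max_output_bytes)
    return truncated, len(out)
```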
2015-06-29 14:24:54 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
2015-06-29 16:20:05 |
Daniel Berrange |
attachment added |
|
oslo.concurrency process limits support https://bugs.launchpad.net/ossa/+bug/1449062/+attachment/4421984/+files/0001-processutils-allow-process-limits-to-be-set.patch |
|
2015-07-02 16:02:47 |
Tristan Cacqueray |
attachment removed |
cinder-liberty-qemu-prlimit.patch https://bugs.launchpad.net/ossa/+bug/1449062/+attachment/4415792/+files/cinder-liberty-qemu-prlimit.patch |
|
|
2015-07-28 13:16:26 |
Grant Murphy |
cve linked |
|
2015-5162 |
|
2015-07-28 13:16:35 |
Grant Murphy |
summary |
qemu-img calls need to be restricted by ulimit |
qemu-img calls need to be restricted by ulimit (CVE-2015-5162) |
|
2015-07-28 13:24:52 |
Thierry Carrez |
glance: milestone |
liberty-2 |
liberty-3 |
|
2015-07-29 11:42:21 |
Abhijeet Malawade |
bug |
|
|
added subscriber Abhijeet Malawade |
2015-08-05 18:50:12 |
OpenStack Infra |
nova: status |
Confirmed |
In Progress |
|
2015-08-05 18:50:12 |
OpenStack Infra |
nova: assignee |
Daniel Berrange (berrange) |
Tristan Cacqueray (tristan-cacqueray) |
|
2015-08-06 15:21:28 |
Tristan Cacqueray |
nominated for series |
|
nova/juno |
|
2015-08-06 15:21:28 |
Tristan Cacqueray |
nominated for series |
|
nova/kilo |
|
2015-09-03 15:19:36 |
Thierry Carrez |
glance: status |
Triaged |
In Progress |
|
2015-09-04 06:34:45 |
Thierry Carrez |
glance: milestone |
liberty-3 |
liberty-rc1 |
|
2015-09-25 14:18:58 |
Nikhil Komawar |
tags |
|
liberty-rc-potential |
|
2015-09-25 14:19:04 |
Nikhil Komawar |
glance: milestone |
liberty-rc1 |
ongoing |
|
2015-10-09 19:40:47 |
OpenStack Infra |
nova: assignee |
Tristan Cacqueray (tristan-cacqueray) |
Dan Smith (danms) |
|
2015-10-13 14:03:49 |
Daniel Berrange |
attachment added |
|
Proof of concept solution using preexecfn https://bugs.launchpad.net/nova/+bug/1449062/+attachment/4493554/+files/0001-virt-restrict-resource-usage-of-qemu-img-info.patch |
|
2015-10-13 18:40:18 |
OpenStack Infra |
nova: status |
In Progress |
Fix Committed |
|
2015-12-03 21:36:29 |
Doug Hellmann |
nova: status |
Fix Committed |
Fix Released |
|
2015-12-03 23:18:19 |
Tristan Cacqueray |
nova: status |
Fix Released |
Confirmed |
|
2016-01-27 14:46:00 |
Kashyap Chamarthy |
bug |
|
|
added subscriber Kashyap Chamarthy |
2016-04-06 23:06:58 |
Nikhil Komawar |
glance: assignee |
nikhil komawar (nikhil-komawar) |
|
|
2016-04-18 15:57:27 |
Sean Dague |
nova: assignee |
Dan Smith (danms) |
|
|
2016-04-18 15:57:38 |
Sean Dague |
nova: importance |
Undecided |
Medium |
|
2016-04-19 09:15:07 |
OpenStack Infra |
nova: status |
Confirmed |
In Progress |
|
2016-04-19 09:15:07 |
OpenStack Infra |
nova: assignee |
|
Daniel Berrange (berrange) |
|
2016-06-07 20:11:22 |
Nikhil Komawar |
glance: importance |
High |
Low |
|
2016-06-09 10:17:23 |
OpenStack Infra |
nova: status |
In Progress |
Fix Released |
|
2016-06-11 00:04:08 |
OpenStack Infra |
tags |
liberty-rc-potential |
in-stable-mitaka liberty-rc-potential |
|
2016-06-13 16:14:37 |
Corey Bryant |
bug task added |
|
python-oslo.concurrency (Ubuntu) |
|
2016-06-13 16:17:11 |
Corey Bryant |
nominated for series |
|
Ubuntu Yakkety |
|
2016-06-13 16:17:11 |
Corey Bryant |
bug task added |
|
python-oslo.concurrency (Ubuntu Yakkety) |
|
2016-06-13 16:17:11 |
Corey Bryant |
nominated for series |
|
Ubuntu Xenial |
|
2016-06-13 16:17:11 |
Corey Bryant |
bug task added |
|
python-oslo.concurrency (Ubuntu Xenial) |
|
2016-06-13 16:17:24 |
Corey Bryant |
python-oslo.concurrency (Ubuntu Yakkety): status |
New |
Fix Released |
|
2016-06-13 16:17:33 |
Corey Bryant |
python-oslo.concurrency (Ubuntu Xenial): status |
New |
Triaged |
|
2016-06-13 16:17:39 |
Corey Bryant |
python-oslo.concurrency (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2016-06-13 16:17:43 |
Corey Bryant |
python-oslo.concurrency (Ubuntu Yakkety): importance |
Undecided |
Medium |
|
2016-06-13 16:17:48 |
Corey Bryant |
python-oslo.concurrency (Ubuntu Xenial): assignee |
|
Corey Bryant (corey.bryant) |
|
2016-06-13 16:48:04 |
Corey Bryant |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-06-15 11:03:21 |
Chris J Arges |
python-oslo.concurrency (Ubuntu Xenial): status |
Triaged |
Fix Committed |
|
2016-06-15 11:03:29 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
2016-06-15 11:03:59 |
Chris J Arges |
tags |
in-stable-mitaka liberty-rc-potential |
in-stable-mitaka liberty-rc-potential verification-needed |
|
2016-06-27 13:40:44 |
Corey Bryant |
tags |
in-stable-mitaka liberty-rc-potential verification-needed |
in-stable-mitaka liberty-rc-potential verification-done |
|
2016-06-28 07:30:56 |
Launchpad Janitor |
python-oslo.concurrency (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2016-06-28 07:31:30 |
Launchpad Janitor |
python-oslo.concurrency (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2016-06-28 07:36:39 |
Martin Pitt |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2016-07-06 18:19:59 |
Corey Bryant |
nominated for series |
|
Ubuntu Wily |
|
2016-07-06 18:19:59 |
Corey Bryant |
bug task added |
|
python-oslo.concurrency (Ubuntu Wily) |
|
2016-07-06 18:20:12 |
Corey Bryant |
python-oslo.concurrency (Ubuntu Wily): importance |
Undecided |
Medium |
|
2016-07-07 15:27:54 |
Corey Bryant |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-07-13 14:54:04 |
Chris J Arges |
python-oslo.concurrency (Ubuntu Wily): status |
New |
Fix Committed |
|
2016-07-13 14:54:16 |
Chris J Arges |
tags |
in-stable-mitaka liberty-rc-potential verification-done |
in-stable-mitaka liberty-rc-potential |
|
2016-07-13 14:54:19 |
Chris J Arges |
tags |
in-stable-mitaka liberty-rc-potential |
in-stable-mitaka liberty-rc-potential verification-needed |
|
2016-08-08 04:21:29 |
Mathew Hodson |
affects |
cinder |
ubuntu-translations |
|
2016-08-08 04:21:52 |
Mathew Hodson |
bug task deleted |
ubuntu-translations |
|
|
2016-08-08 04:23:00 |
Mathew Hodson |
affects |
glance |
ubuntu-translations |
|
2016-08-08 04:23:00 |
Mathew Hodson |
ubuntu-translations: milestone |
ongoing |
|
|
2016-08-08 04:23:19 |
Mathew Hodson |
bug task deleted |
ubuntu-translations |
|
|
2016-08-08 14:02:39 |
Corey Bryant |
bug task added |
|
cloud-archive |
|
2016-08-08 14:03:22 |
Corey Bryant |
cloud-archive: status |
New |
Fix Released |
|
2016-08-08 14:03:32 |
Corey Bryant |
cloud-archive: importance |
Undecided |
Medium |
|
2016-08-08 14:03:42 |
Corey Bryant |
nominated for series |
|
cloud-archive/liberty |
|
2016-08-08 14:03:42 |
Corey Bryant |
bug task added |
|
cloud-archive/liberty |
|
2016-08-08 14:03:42 |
Corey Bryant |
nominated for series |
|
cloud-archive/newton |
|
2016-08-08 14:03:42 |
Corey Bryant |
bug task added |
|
cloud-archive/newton |
|
2016-08-08 14:03:42 |
Corey Bryant |
nominated for series |
|
cloud-archive/mitaka |
|
2016-08-08 14:03:42 |
Corey Bryant |
bug task added |
|
cloud-archive/mitaka |
|
2016-08-08 14:04:14 |
Corey Bryant |
cloud-archive/liberty: importance |
Undecided |
Medium |
|
2016-08-08 14:04:31 |
Corey Bryant |
cloud-archive/mitaka: importance |
Undecided |
Medium |
|
2016-08-08 14:05:38 |
Corey Bryant |
cloud-archive/mitaka: status |
New |
Fix Committed |
|
2016-09-20 17:29:47 |
Jeremy Stanley |
ossa: status |
Confirmed |
Incomplete |
|
2016-09-22 14:30:28 |
OpenStack Infra |
cloud-archive/liberty: status |
New |
Fix Committed |
|
2016-09-22 18:50:31 |
Jeremy Stanley |
ossa: status |
Incomplete |
In Progress |
|
2016-09-22 18:50:31 |
Jeremy Stanley |
ossa: assignee |
|
Jeremy Stanley (fungi) |
|
2016-09-22 20:23:41 |
Sean McGinnis |
bug task added |
|
cinder |
|
2016-09-22 20:24:22 |
Sean McGinnis |
cinder: importance |
Undecided |
Medium |
|
2016-09-22 20:24:43 |
Sean McGinnis |
cinder: assignee |
|
Sean McGinnis (sean-mcginnis) |
|
2016-09-22 20:30:18 |
Sean McGinnis |
nominated for series |
|
cinder/mitaka |
|
2016-09-22 20:30:18 |
Sean McGinnis |
bug task added |
|
cinder/mitaka |
|
2016-09-22 20:30:18 |
Sean McGinnis |
nominated for series |
|
cinder/newton |
|
2016-09-22 20:30:18 |
Sean McGinnis |
bug task added |
|
cinder/newton |
|
2016-09-22 20:35:26 |
OpenStack Infra |
cinder: status |
New |
In Progress |
|
2016-09-22 20:36:18 |
Sean McGinnis |
cinder/newton: milestone |
|
newton-rc2 |
|
2016-09-22 20:52:44 |
Hemanth Makkapati |
bug task added |
|
glance |
|
2016-09-23 12:45:41 |
Ian Cordasco |
nominated for series |
|
glance/mitaka |
|
2016-09-23 12:45:41 |
Ian Cordasco |
bug task added |
|
glance/mitaka |
|
2016-09-23 12:45:41 |
Ian Cordasco |
nominated for series |
|
glance/liberty |
|
2016-09-23 12:45:41 |
Ian Cordasco |
bug task added |
|
glance/liberty |
|
2016-09-23 12:45:41 |
Ian Cordasco |
nominated for series |
|
glance/newton |
|
2016-09-23 12:45:41 |
Ian Cordasco |
bug task added |
|
glance/newton |
|
2016-09-23 14:22:03 |
OpenStack Infra |
cinder: status |
In Progress |
Fix Released |
|
2016-09-23 15:48:09 |
Ian Cordasco |
glance: importance |
Undecided |
High |
|
2016-09-23 15:48:09 |
Ian Cordasco |
glance: status |
New |
In Progress |
|
2016-09-23 15:48:09 |
Ian Cordasco |
glance: assignee |
|
Hemanth Makkapati (hemanth-makkapati) |
|
2016-09-23 16:56:21 |
OpenStack Infra |
glance/newton: status |
New |
Fix Committed |
|
2016-09-23 17:05:31 |
OpenStack Infra |
cinder/mitaka: status |
New |
In Progress |
|
2016-09-26 17:40:36 |
Kashyap Chamarthy |
cve linked |
|
2015-1850 |
|
2016-09-26 17:40:36 |
Kashyap Chamarthy |
cve linked |
|
2015-1851 |
|
2016-09-27 04:03:21 |
OpenStack Infra |
glance: status |
In Progress |
Fix Released |
|
2016-09-27 12:54:52 |
Brian Rosmaita |
tags |
in-stable-mitaka liberty-rc-potential verification-needed |
in-stable-mitaka liberty-rc-potential newton-rc-potential verification-needed |
|
2016-09-27 14:23:43 |
OpenStack Infra |
cinder/mitaka: assignee |
|
Hemanth Makkapati (hemanth-makkapati) |
|
2016-09-28 12:42:56 |
Ian Cordasco |
glance: status |
Fix Released |
Fix Committed |
|
2016-09-28 12:43:49 |
Ian Cordasco |
glance/newton: importance |
Undecided |
Critical |
|
2016-09-28 12:43:49 |
Ian Cordasco |
glance/newton: assignee |
|
Hemanth Makkapati (hemanth-makkapati) |
|
2016-09-28 12:46:05 |
Ian Cordasco |
glance/newton: milestone |
|
newton-rc2 |
|
2016-09-28 12:46:54 |
Ian Cordasco |
glance/mitaka: importance |
Undecided |
High |
|
2016-09-28 12:46:54 |
Ian Cordasco |
glance/mitaka: status |
New |
Fix Committed |
|
2016-09-28 12:46:54 |
Ian Cordasco |
glance/mitaka: assignee |
|
Hemanth Makkapati (hemanth-makkapati) |
|
2016-09-28 12:55:02 |
OpenStack Infra |
cinder/mitaka: status |
In Progress |
Fix Committed |
|
2016-10-05 17:00:34 |
OpenStack Infra |
glance/liberty: status |
New |
In Progress |
|
2016-10-06 19:43:33 |
Jeremy Stanley |
summary |
qemu-img calls need to be restricted by ulimit (CVE-2015-5162) |
[OSSA 2016-012] qemu-img calls need to be restricted by ulimit (CVE-2015-5162) |
|
2016-10-06 19:44:03 |
Jeremy Stanley |
ossa: status |
In Progress |
Fix Released |
|
2016-10-11 11:17:04 |
layla,louise spencer |
bug |
|
|
added subscriber layla,louise spencer |
2016-10-18 19:54:23 |
Brian Rosmaita |
glance/liberty: status |
In Progress |
Fix Committed |
|
2016-10-18 19:55:23 |
Brian Rosmaita |
glance/liberty: status |
Fix Committed |
Fix Released |
|
2016-10-18 19:55:48 |
Brian Rosmaita |
glance/mitaka: status |
Fix Committed |
Fix Released |
|
2016-10-18 19:56:23 |
Brian Rosmaita |
glance/newton: status |
Fix Committed |
Fix Released |
|
2016-10-18 19:56:23 |
Brian Rosmaita |
glance/newton: milestone |
newton-rc2 |
|
|
2016-10-18 19:56:57 |
Brian Rosmaita |
glance: status |
Fix Committed |
Fix Released |
|
2017-09-18 19:02:48 |
Sean McGinnis |
cinder/mitaka: status |
Fix Committed |
Fix Released |
|