Comment 16 for bug 1625402

Rahul U Nair (rahulunair) wrote :

Ian, so the only `configuration` that is needed is to set a work_dir for the glance service. The work_dir is used by the service for any sort of async operations it has to do on an image.
As by default in devstack the glance work_dir is not writable, we have to set one, but this feature (the import OVA file task) is on by default. After a writable dir has been set, an admin can execute this attack.

In the spec, even though some security considerations were raised, specifically on gzip expansion and tar privilege escalation, I couldn't find any discussion of attacks similar to the Billion Laughs one. Also, it has not been stated that this feature is going to be deprecated; I feel it would be helpful for operators to know about this vulnerability, so that they can take the necessary action.
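The mitigation an importer wants for the Billion Laughs class of problem mentioned above is to refuse any OVF descriptor that carries a DTD, entity declaration or external entity reference before the document reaches a full parser. The following is an added example written for this comment, not Glance code: it uses only the standard-library expat bindings, the two OVF-style documents are constructed samples, and the function names and the size limit are hypothetical.

```python
"""Pre-screen an OVF descriptor (the .ovf inside an OVA) before full parsing.

Added example, not Glance's own code. Sample documents are constructed;
function names and MAX_DESCRIPTOR_BYTES are assumptions for illustration.
"""
import xml.parsers.expat


class UnsafeOvfError(ValueError):
    """Raised when a descriptor uses a construct the importer refuses."""


# Assumed upper bound for a descriptor; real OVF files are a few KB.
MAX_DESCRIPTOR_BYTES = 1 * 1024 * 1024

# Constructed sample: a minimal, harmless OVF-style descriptor.
SAFE_OVF = b"""<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1">
  <References/>
  <DiskSection>
    <Disk diskId="vmdisk1"/>
  </DiskSection>
</Envelope>
"""

# Constructed sample: the same kind of document with an internal DTD subset.
# A single entity declaration is enough to trip the policy; the checker does
# not need to see an expansion bomb to reject the file.
UNSAFE_OVF = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [ <!ENTITY e "expanded"> ]>
<Envelope><Name>&e;</Name></Envelope>
"""


def check_ovf_descriptor(data: bytes) -> list:
    """Parse with expat while refusing DOCTYPEs, entity declarations and
    external entity references. Returns element names in document order,
    or raises UnsafeOvfError."""
    if len(data) > MAX_DESCRIPTOR_BYTES:
        raise UnsafeOvfError("descriptor exceeds %d bytes" % MAX_DESCRIPTOR_BYTES)

    parser = xml.parsers.expat.ParserCreate()
    seen = []

    # Each handler raises, and pyexpat propagates the exception out of Parse().
    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeOvfError("DOCTYPE not allowed: %s" % doctype_name)

    def reject_entity(entity_name, *rest):
        raise UnsafeOvfError("entity declaration not allowed: %s" % entity_name)

    def reject_external(context, base, system_id, public_id):
        raise UnsafeOvfError("external entity reference not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = lambda name, attrs: seen.append(name)

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML is rejected too; the importer should never guess.
        raise UnsafeOvfError("malformed XML: %s" % exc)
    return seen


def descriptor_is_acceptable(data: bytes) -> bool:
    """Boolean wrapper suitable for a gate in an import pipeline."""
    try:
        check_ovf_descriptor(data)
        return True
    except UnsafeOvfError:
        return False


if __name__ == "__main__":
    print("safe   :", check_ovf_descriptor(SAFE_OVF))
    print("unsafe :", descriptor_is_acceptable(UNSAFE_OVF))
```

The check is deliberately coarse: OVF descriptors have no legitimate need for a DTD, so rejecting the whole document at the first DOCTYPE is simpler and safer than trying to bound entity expansion after the fact. The size limit also caps how much an oversized descriptor can cost before parsing begins.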