[OSSA 2012-011] CVE-2012-3361 not fully addressed
Bug #1031311 reported by Pádraig Brady
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Critical | Pádraig Brady | |
| Essex | Fix Released | Critical | Pádraig Brady | |
| OpenStack Security Advisory | Fix Released | Undecided | Thierry Carrez | |
| nova (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Precise | Fix Released | Undecided | Unassigned | |
Bug Description
Unfortunately, the patches released for bug 1015531 didn't consider permissions in the guest.
If there is a root only readable directory in the guest containing the dodgy symlinks, then they will not be detected by _join_and_
Therefore the equivalent of this function needs to run as the root user.
Folsom patch attached.
Diablo & Essex versions would need readlink added to rootwrap.
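The failure mode described above is a containment check that cannot see into a root-only directory and therefore finds no symlink there. The following is an added example, not nova's patch and not code from this report: it resolves a path component by component and rejects any component it cannot inspect. The names `safe_join`, `PathEscape`, `build_sample_tree` and the injectable `readlink` parameter (standing in for a privileged readlink helper) are hypothetical.

```python
import errno
import os
import tempfile


class PathEscape(Exception):
    """The path cannot be proven to stay inside the guest root."""


def _parts(path):
    return [p for p in path.split("/") if p not in ("", ".")]


def safe_join(root, relpath, readlink=os.readlink, max_links=40):
    """Resolve relpath under root one component at a time.

    readlink is injectable (hypothetical hook) so a privileged helper can be
    used; a component that cannot be inspected is rejected, never trusted.
    """
    root = resolved = os.path.realpath(root)
    pending, links = _parts(relpath), 0
    while pending:
        part = pending.pop(0)
        if part == "..":
            if resolved == root:
                raise PathEscape("'..' climbs above the root")
            resolved = os.path.dirname(resolved)
            continue
        candidate = os.path.join(resolved, part)
        try:
            target = readlink(candidate)
        except OSError as exc:
            if exc.errno in (errno.EINVAL, errno.ENOENT):
                resolved = candidate  # plain entry, or not created yet
                continue
            # EACCES and anything else: fail closed instead of assuming "no link"
            raise PathEscape("cannot inspect %s: %s" % (candidate, exc))
        links += 1
        if os.path.isabs(target) or links > max_links:
            raise PathEscape("unsafe symlink at %s -> %s" % (candidate, target))
        pending = _parts(target) + pending
    return resolved


def build_sample_tree():
    """Constructed sample: <root>/private/evil -> /etc, <root>/ok -> private."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.mkdir(os.path.join(root, "private"))
    os.symlink("/etc", os.path.join(root, "private", "evil"))
    os.symlink("private", os.path.join(root, "ok"))
    return root
```

Resolving with the same privilege as the later write, or failing closed when a component is unreadable, keeps the check and the write in agreement about what the path contains.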
Related branches
lp:~openstack-ubuntu-testing/nova/precise-essex-proposed
- Chuck Short: Pending requested
- Diff: 56 lines (+14/-4), 3 files modified
  - debian/changelog (+8/-0)
  - debian/control (+6/-3)
  - debian/nova-console.install (+0/-1)
CVE References
| description: | updated |
| Changed in nova: | |
| importance: | High → Critical |
| status: | New → Confirmed |
| Changed in nova: | |
| status: | Confirmed → In Progress |
| Changed in nova: | |
| assignee: | nobody → Pádraig Brady (p-draigbrady) |
| Changed in nova: | |
| milestone: | none → folsom-3 |
| status: | Fix Committed → Fix Released |
| Changed in nova (Ubuntu): | |
| status: | New → Fix Released |
| Changed in nova (Ubuntu Precise): | |
| status: | New → Confirmed |
| Changed in nova: | |
| milestone: | folsom-3 → 2012.2 |
| summary: | CVE-2012-3361 not fully addressed → [OSSA 2012-011] CVE-2012-3361 not fully addressed |
| Changed in ossa: | |
| assignee: | nobody → Thierry Carrez (ttx) |
| status: | New → Fix Released |
| no longer affects: | nova/diablo |

Adding Vish and MarkMC since this /may/ delay 2012.1.2.