Comment 21 for bug 1031311

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/diablo)

Reviewed: https://review.openstack.org/10953
Committed: http://github.com/openstack/nova/commit/ed89587d525e0214cb367aa4632df45903c6ac09
Submitter: Jenkins
Branch: stable/diablo

commit ed89587d525e0214cb367aa4632df45903c6ac09
Author: Pádraig Brady <email address hidden>
Date: Tue Jul 31 14:34:19 2012 +0100

    Prohibit file injection writing to host filesystem

    This is a refinement of the previous fix in commit 2427d4a9,
    which does the file name canonicalization as the root user.
    This is required so that guest images could not, for example,
    protect malicious symlinks in a directory only readable by root.

    Note this requires adding the 'readlink' binary to the
    nova sudoers file.

    Fixes bug: 1031311, CVE-2012-3447
    Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c
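
The containment check this commit message describes, sketched as an added example (not nova's code and not part of the original comment): canonicalize the injection path, then refuse it if the result leaves the mounted image. The names `join_and_check_within`, `PathEscapesImage` and `is_blocked` and the temp-directory layout are hypothetical, and `os.path.realpath` stands in for the root-run `readlink` binary the commit relies on.

```python
import os
import tempfile


class PathEscapesImage(Exception):
    """Raised when an injection path resolves outside the image root."""


def join_and_check_within(root, *parts, resolve=os.path.realpath):
    """Join parts under root, canonicalize, and refuse paths that leave root.

    `resolve` is the canonicalizer. os.path.realpath runs as the calling user
    and treats any component it cannot stat as a non-link, so a symlink inside
    a root-only directory goes unresolved; hence resolving as root in the fix.
    """
    root = resolve(root)
    # Strip leading separators so an absolute guest path stays under root.
    candidate = os.path.join(root, *(p.lstrip(os.sep) for p in parts))
    resolved = resolve(candidate)
    # commonpath compares whole components: /mnt/img2 is not inside /mnt/img.
    if os.path.commonpath([root, resolved]) != root:
        raise PathEscapesImage(f"{candidate} resolves to {resolved}")
    return resolved


def is_blocked(root, *parts):
    """True when the check rejects the path, False when it is allowed."""
    try:
        join_and_check_within(root, *parts)
    except PathEscapesImage:
        return True
    return False


def demo():
    """Run the check against a constructed image tree with a hostile symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "image")  # stands in for the mounted guest fs
        host = os.path.join(tmp, "host")    # stands in for the host filesystem
        os.makedirs(os.path.join(image, "root"))
        os.makedirs(host)
        # Constructed hostile entry: "etc" inside the image points at the host.
        os.symlink(host, os.path.join(image, "etc"))
        ok = join_and_check_within(image, "/root/.ssh/authorized_keys")
        inside = ok.startswith(os.path.realpath(image) + os.sep)
        return (inside, is_blocked(image, "etc", "passwd"),
                is_blocked(image, "../host/x"))
```
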