[OSSA 2014-001] Insecure directory permissions with snapshot code (CVE-2013-7048)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | High | Unassigned | |
Grizzly | Fix Released | High | Unassigned | |
Havana | Fix Released | High | Unassigned | |
OpenStack Security Advisory | Fix Released | Medium | Thierry Carrez | |
Bug Description
In the following commit:
commit 46de2d1e2d0abd6
Author: Rafi Khardalian <email address hidden>
Date: Sat Jan 26 09:02:19 2013 +0000
Libvirt: Add support for live snapshots
blueprint libvirt-
There was the following chunk of code
with utils.tempdir(
try:
- snapshot.
+ if live_snapshot:
+ # NOTE (rmk): libvirt needs to be able to write to the
+ # temp directory, which is owned nova.
+ utils.execute(
+ self._live_
+ image_format)
+ else:
+ snapshot.
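Review bot: the `utils.execute(` call in the `if live_snapshot:` branch changes access on a nova-owned temp directory so that libvirt can write to it, and the NOTE does not say which account needs that access or how wide the grant is. The arguments are cut off in this excerpt, but if the mode is world-writable the grant reaches every local account rather than only libvirt; scope it to the libvirt/QEMU user or a shared group and state that in the NOTE. The NOTE also reads "owned nova" where "owned by nova" is meant.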
Making the temporary directory 777 does indeed give QEMU and libvirt permission to write there, because it gives every user on the whole system permission to write there. Yes, the directory name is unpredictable since it uses 'tempdir'; this does not eliminate the security risk of making it world writable though.
This flaw is highlighted by the following public commit which makes the mode configurable, but still defaults to insecure 777.
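An added example, not part of the bug report and not nova's code or its fix: it contrasts the 0777 pattern described above with a temp directory shared through one group only, and reports which "other" permission bits each leaves set. The function names are hypothetical, and sharing via a group that the hypervisor process also belongs to is an assumption of this sketch.

```python
import contextlib
import os
import shutil
import stat
import tempfile


def excess_permissions(path):
    """Return the 'other' permission bits set on a scratch directory."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IXOTH:
        problems.append("world-searchable")
    return problems


@contextlib.contextmanager
def group_shared_tempdir(gid, parent=None):
    """Yield a temp directory usable by its owner and one group only.

    gid is the group shared with the hypervisor process (assumed here);
    an unprivileged caller must be a member of that group to chown to it.
    """
    path = tempfile.mkdtemp(dir=parent)  # created 0700 with a random name
    try:
        os.chown(path, -1, gid)          # keep the owner, set the shared group
        os.chmod(path, 0o770)            # owner and group rwx, nothing for others
        yield path
    finally:
        shutil.rmtree(path, ignore_errors=True)


def demo():
    """Compare the 0777 pattern from the report with the group-scoped one."""
    results = {}
    legacy = tempfile.mkdtemp()
    try:
        os.chmod(legacy, 0o777)          # the pattern the report describes
        results["0777"] = excess_permissions(legacy)
    finally:
        shutil.rmtree(legacy, ignore_errors=True)
    with group_shared_tempdir(os.getgid()) as shared:
        results["0770"] = excess_permissions(shared)
        results["mode"] = stat.S_IMODE(os.stat(shared).st_mode)
    return results


if __name__ == "__main__":
    print(demo())
```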
CVE References
Changed in nova:
milestone: none → havana-rc1
status: New → Confirmed
importance: Undecided → High
Changed in nova:
assignee: Michael Still (mikalstill) → nobody
status: In Progress → Triaged
tags: added: havana-rc-potential
Changed in nova:
milestone: havana-rc1 → none
tags: added: libvirt
tags: added: havana-backport-potential; removed: havana-rc-potential
Changed in nova:
assignee: nobody → Xavier Queralt (xqueralt)
Changed in nova:
status: Triaged → In Progress
Changed in nova:
milestone: none → icehouse-2
Changed in nova:
status: Fix Committed → Fix Released
Changed in ossa:
status: Fix Committed → Fix Released
tags: removed: havana-backport-potential
Changed in nova:
milestone: icehouse-2 → 2014.1
Given that you've commented publicly in that review "Setting console world readable/writable is a security flaw" I'm not sure there's much point to keeping this bug report private/embargoed. Do you concur?