Potential directory traversal in _untarzip_image

Bug #894755 reported by Thierry Carrez on 2011-11-25
Affects / Status / Importance / Assigned to / Milestone
OpenStack Compute (nova): Importance High, assigned to Thierry Carrez
nova Diablo series: Importance Undecided, Unassigned

Bug Description

From David Black on bug 885167:

One more possible bug (I don't know if this is reachable) is that the tarfile.extractall method is used in the static method _untarzip_image. This method is also vulnerable to path traversal (as per the warning in the tarfile module documentation).

Filing this here for further investigation.


Thierry Carrez (ttx) wrote :

We should definitely protect against directory traversal here... I'm pretty sure you can inject a malicious tarfile in the EC2 image upload process.

Changed in nova:
importance: Undecided → High
status: New → Confirmed
Thierry Carrez (ttx) wrote :

Proposed fix, nova-core please pre-review before we make it public.
Adding stable maintainers. Once this is pre-approved we'll coordinate disclosure.

Changed in nova:
assignee: nobody → Thierry Carrez (ttx)
status: Confirmed → In Progress
Soren Hansen (soren) wrote :

Can you include a test to make sure we actually plug the hole? Include a "malicious" tarball in the tests directory (remember to add it to MANIFEST.in) and run it through this routine.

Thierry Carrez (ttx) wrote :

Attached version including tarballs and test

Thierry Carrez (ttx) wrote :

Tarballs for the test case

Soren Hansen (soren) wrote :

Patch lgtm.

Mark McLoughlin (markmc) wrote :

Issue looks valid to me - we can't trust what users upload to s3/objectstore

Fix looks fine too - it's a bit odd to open the file twice, but the alternative of doing something like tar_file.fileobj.seek(0) is just too hacky. Also, no attempt is made to explicitly close the file if there's an exception, but that's true of the original untarzip_image() code too

So, yeah - lgtm too

Vish Ishaya (vishvananda) wrote :

lgtm. We might want to refactor into a specific exception later, but let's keep the patch small for now.

Thierry Carrez (ttx) wrote :

Notification sent to downstream distros / public users (common with bug 885167)
Proposed disclosure date set to Tuesday, December 13, 2011, 1500UTC

Thierry Carrez (ttx) wrote :

Assigned CVE-2011-4596

Thierry Carrez (ttx) on 2011-12-13
visibility: private → public

Reviewed: https://review.openstack.org/2283
Committed: http://github.com/openstack/nova/commit/ad3241929ea00569c74505ed002208ce360c667e
Submitter: Jenkins
Branch: master


commit ad3241929ea00569c74505ed002208ce360c667e
Author: Thierry Carrez <email address hidden>
Date: Thu Dec 1 17:54:16 2011 +0100

    Sanitize EC2 manifests and image tarballs

    Prevent potential directory traversal with malicious EC2 image tarballs,
    by making sure the tarfile is safe before unpacking it. Fixes bug 894755

    Prevent potential directory traversal with malicious file names in
    EC2 image manifests. Fixes bug 885167

    Change-Id: If6109047307bd6e654ee9d1254f0d7f31cf741c1

Changed in nova:
status: In Progress → Fix Committed
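The check the commit message describes, "making sure the tarfile is safe before unpacking it", written out as an added Python example; this is not nova's patch. It assumes a hypothetical extraction directory EXTRACT_ROOT and builds its two sample tarballs in memory, one clean and one with entries that would escape the extraction root.

```python
import io
import os
import tarfile

EXTRACT_ROOT = os.path.abspath("/tmp/extract-root")  # hypothetical target dir


def unsafe_members(tar, root=EXTRACT_ROOT):
    """Names of members that would land outside root: absolute names, '..'
    escapes, and symlinks/hardlinks whose target resolves outside root."""
    bad = []
    for member in tar.getmembers():
        dest = os.path.normpath(os.path.join(root, member.name))
        if os.path.commonpath([root, dest]) != root:
            bad.append(member.name)
            continue
        if member.issym() or member.islnk():
            # Symlink targets are relative to the link's directory,
            # hardlink targets to the archive root.
            base = os.path.dirname(dest) if member.issym() else root
            target = os.path.normpath(os.path.join(base, member.linkname))
            if os.path.commonpath([root, target]) != root:
                bad.append(member.name)
    return bad


def check_tarball(fileobj):
    """Open a tarball and return the member names that must block extraction."""
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        return unsafe_members(tar)


def build_tar(entries):
    """Constructed in-memory tarball from (name, data, linkname) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:          # symlink entry
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tar.addfile(info)
            else:                             # regular file entry
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed samples: a clean image part and an archive with escaping entries.
CLEAN = build_tar([("image.part.0", b"ok", None)])
ESCAPING = build_tar([("../../etc/cron.d/job", b"x", None),
                      ("link", None, "../../outside"),
                      ("image.part.0", b"ok", None)])
```

On Python 3.12 (and the maintenance releases that backported it) tarfile's extraction filters, `extractall(filter="data")`, enforce a stricter version of these rules and are the preferred option over a hand-rolled check.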

Reviewed: https://review.openstack.org/2284
Committed: http://github.com/openstack/nova/commit/76363226bd8533256f7795bba358d7f4b8a6c9e6
Submitter: James E. Blair (<email address hidden>)
Branch: stable/diablo


commit 76363226bd8533256f7795bba358d7f4b8a6c9e6
Author: Thierry Carrez <email address hidden>
Date: Thu Dec 1 17:54:16 2011 +0100

    Sanitize EC2 manifests and image tarballs

    Prevent potential directory traversal with malicious EC2 image tarballs,
    by making sure the tarfile is safe before unpacking it. Fixes bug 894755

    Prevent potential directory traversal with malicious file names in
    EC2 image manifests. Fixes bug 885167

    (cherry picked from commit ad3241929ea00569c74505ed002208ce360c667e)

    Change-Id: If6109047307bd6e654ee9d1254f0d7f31cf741c1

Thierry Carrez (ttx) wrote :

Released as OSSA 2011-001

Thierry Carrez (ttx) on 2011-12-14
Changed in nova:
milestone: none → essex-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-2 → 2012.1