OpenStack Compute (nova)

Potential directory traversal in _untarzip_image

Bug #894755 reported by Thierry Carrez on 2011-11-25

260

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	High	Thierry Carrez	OpenStack Compute (nova) 2012.1 "essex"
	Diablo	Fix Released	Undecided	Unassigned	OpenStack Compute (nova) 2011.3.1

Bug Description

From David Black on bug 885167:

One more possible bug (I don't know if this is reachable) is that the tarfile.extractall method is used in the
static method _untarzip_image. This method is also vulnerable to path traversal (as per the warning in the tarfile module documentation).

Filing this here for further investigation.

Tags:

CVE References

2011-4596

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-11-25:

We should definitely protect against directory traversal here... I'm pretty sure you can inject a malicious tarfile in the EC2 image upload process.

Changed in nova:
importance:	Undecided → High
status:	New → Confirmed

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-12-01:

patch Edit (748 bytes, text/plain)

Proposed fix, nova-core please pre-review before we make it public.
Adding stable maintainers. Once this is pre-approved we'll coordinate disclosure.

Changed in nova:
assignee:	nobody → Thierry Carrez (ttx)
status:	Confirmed → In Progress

Revision history for this message

Soren Hansen (soren) wrote on 2011-12-02:

Can you include a test to make sure we actually plug the hole? Include a "malicious" tarball in the tests directory (remember to add it to MANIFEST.in) and run it through this routine.

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-12-02:

patch2 Edit (2.7 KiB, text/plain)

Attached version including tarballs and test

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-12-02:

abs.tar.gz Edit (153 bytes, application/x-tar)

Tarballs for the test case

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-12-02:

rel.tar.gz Edit (165 bytes, application/x-tar)

Revision history for this message

Soren Hansen (soren) wrote on 2011-12-06:

Patch lgtm.

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-12-06:

See proposed advisory at: https://bugs.launchpad.net/nova/+bug/885167/comments/15

Revision history for this message

Mark McLoughlin (markmc) wrote on 2011-12-06:

Issue looks valid to me - we can't trust what users upload to s3/objectstore

Fix looks fine too - it's a bit odd to open the file twice, but the alternative of doing something like tar_file.fileobj.seek(0) is just too hacky. Also, no attempt is made to explicitly close the file if there's an exception, but that's true of the original untarzip_image() code too

So, yeah - lgtm too

Revision history for this message

Vish Ishaya (vishvananda) wrote on 2011-12-07:

#10

lgtm. We might want to refactor into a specific exception later, but lets keep the patch small for now.

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-12-08:

#11

Notification sent to downstream distros / public users (common with bug 885167)
Proposed disclosure date set to Tuesday, December 13, 2011, 1500UTC

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-12-09:

#12

Assigned CVE-2011-4596

Thierry Carrez (ttx) on 2011-12-13

visibility:

private → public

Revision history for this message

Openstack Gerrit (openstack-gerrit) wrote on 2011-12-13: Fix merged to nova (master)

#13

Reviewed: https://review.openstack.org/2283
Committed: http://github.com/openstack/nova/commit/ad3241929ea00569c74505ed002208ce360c667e
Submitter: Jenkins
Branch: master

status fixcommitted
done

commit ad3241929ea00569c74505ed002208ce360c667e
Author: Thierry Carrez <email address hidden>
Date: Thu Dec 1 17:54:16 2011 +0100

Sanitize EC2 manifests and image tarballs

Prevent potential directory traversal with malicious EC2 image tarballs,
by making sure the tarfile is safe before unpacking it. Fixes bug 894755

Prevent potential directory traversal with malicious file names in
EC2 image manifests. Fixes bug 885167

Change-Id: If6109047307bd6e654ee9d1254f0d7f31cf741c1

Changed in nova:
status:	In Progress → Fix Committed

Revision history for this message

Openstack Gerrit (openstack-gerrit) wrote on 2011-12-13: Fix merged to nova (stable/diablo)

#14

Reviewed: https://review.openstack.org/2284
Committed: http://github.com/openstack/nova/commit/76363226bd8533256f7795bba358d7f4b8a6c9e6
Submitter: James E. Blair (<email address hidden>)
Branch: stable/diablo

tag in-stable-diablo
done

commit 76363226bd8533256f7795bba358d7f4b8a6c9e6
Author: Thierry Carrez <email address hidden>
Date: Thu Dec 1 17:54:16 2011 +0100

Sanitize EC2 manifests and image tarballs

Prevent potential directory traversal with malicious EC2 image tarballs,
by making sure the tarfile is safe before unpacking it. Fixes bug 894755

Prevent potential directory traversal with malicious file names in
EC2 image manifests. Fixes bug 885167

(cherry picked from commit ad3241929ea00569c74505ed002208ce360c667e)

Change-Id: If6109047307bd6e654ee9d1254f0d7f31cf741c1

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-12-13:

#15

Released as OSSA 2011-001

Thierry Carrez (ttx) on 2011-12-14

Changed in nova:
milestone:	none → essex-2
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-04-05

Changed in nova:
milestone:	essex-2 → 2012.1

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

patch Edit
patch2 Edit

Add patch

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.