Potential directory traversal in _untarzip_image

Bug #894755 reported by Thierry Carrez
This bug affects 1 person

Affects                   Status        Importance  Assigned to      Milestone
OpenStack Compute (nova)  Fix Released  High        Thierry Carrez
  Diablo                  Fix Released  Undecided   Unassigned

Bug Description

From David Black on bug 885167:

One more possible bug (I don't know if this is reachable) is that the tarfile.extractall method is used in the static method _untarzip_image. This method is also vulnerable to path traversal (as per the warning in the tarfile module documentation).

Filing this here for further investigation.
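The following is an added illustration of the problem the description refers to, written for this page; it is not nova's _untarzip_image, not the patch attached to this bug, and the helper names (build_tarball, is_safe_member_name, is_safe_member, untarzip_image, demo_extract) are assumptions made here. It builds sample archives in memory, one benign and one carrying a "../../tmp/owned" member as an uploader could, and shows the pre-extraction check that the fix's commit message describes in outline: validate every member before tarfile.extractall touches the disk, refusing absolute names, names that climb above the archive root after normalisation, and any link member, since a symlink pointing outside the tree would let a later member be written through it.

```python
import io
import os
import tarfile
import tempfile


class UnsafeTarball(Exception):
    """Raised when an archive member would escape the extraction directory."""


def build_tarball(members):
    """Build a gzip tarball in memory from (name, kind, payload) tuples.

    kind is "file", "dir", "symlink" or "hardlink"; payload is the file
    content for files and the link target for links. Constructed sample
    data only: in the EC2 upload path the uploader controls these names.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
                continue
            info.type = {"dir": tarfile.DIRTYPE,
                         "symlink": tarfile.SYMTYPE,
                         "hardlink": tarfile.LNKTYPE}[kind]
            if kind == "dir":
                info.mode = 0o755
            info.linkname = payload
            tar.addfile(info)
    return buf.getvalue()


def is_safe_member_name(name):
    """Reject names that extractall would write outside the target directory.

    Absolute names and names that climb above the archive root after
    normalisation ("../x", "a/../../x") are refused; "./a/../b" is fine.
    """
    if not name:
        return False
    norm = os.path.normpath(name)
    if os.path.isabs(norm):
        return False
    return norm != ".." and not norm.startswith(".." + os.sep)


def is_safe_member(info):
    """Only plain files and directories with safe names are accepted.

    Links are refused outright: checking names alone is not enough once a
    symlink or hardlink can redirect a later member to an outside path.
    """
    return (info.isreg() or info.isdir()) and is_safe_member_name(info.name)


def untarzip_image(tar_bytes, dest):
    """Validate every member first, then extract. Returns the member names.

    All members are checked before anything is written, so a bad member
    late in the archive cannot leave a half-unpacked tree behind.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = tar.getmembers()
        for info in members:
            if not is_safe_member(info):
                raise UnsafeTarball("refusing member %r" % info.name)
        # Newer stdlib versions ship an extraction filter that performs a
        # similar check; pass it where available as a second line of defence.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return [m.name for m in members]


def demo_extract(tar_bytes):
    """Extract into a throwaway directory; return (ok, names or error text)."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            return True, untarzip_image(tar_bytes, dest)
        except UnsafeTarball as exc:
            return False, str(exc)


if __name__ == "__main__":
    good = build_tarball([("image.part.0", "file", "kernel"),
                          ("parts", "dir", ""),
                          ("parts/image.part.1", "file", "rootfs")])
    evil = build_tarball([("image.part.0", "file", "kernel"),
                          ("../../tmp/owned", "file", "pwned")])
    print(demo_extract(good))
    print(demo_extract(evil))
```

The check runs on the member list returned by getmembers() rather than on paths seen during extraction, which is why the archive is fully read before extractall is called; the hypothetical demo_extract wrapper exists only so the behaviour can be exercised without leaving files behind.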

CVE References

CVE-2011-4596
Revision history for this message
Thierry Carrez (ttx) wrote :

We should definitely protect against directory traversal here... I'm pretty sure you can inject a malicious tarfile in the EC2 image upload process.

Changed in nova:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Thierry Carrez (ttx) wrote :

Proposed fix, nova-core please pre-review before we make it public.
Adding stable maintainers. Once this is pre-approved we'll coordinate disclosure.

Changed in nova:
assignee: nobody → Thierry Carrez (ttx)
status: Confirmed → In Progress
Revision history for this message
Soren Hansen (soren) wrote :

Can you include a test to make sure we actually plug the hole? Include a "malicious" tarball in the tests directory (remember to add it to MANIFEST.in) and run it through this routine.

Revision history for this message
Thierry Carrez (ttx) wrote :

Attached version including tarballs and test

Revision history for this message
Thierry Carrez (ttx) wrote :

Tarballs for the test case

Revision history for this message
Soren Hansen (soren) wrote :

Patch lgtm.

Revision history for this message
Mark McLoughlin (markmc) wrote :

Issue looks valid to me - we can't trust what users upload to s3/objectstore

Fix looks fine too - it's a bit odd to open the file twice, but the alternative of doing something like tar_file.fileobj.seek(0) is just too hacky. Also, no attempt is made to explicitly close the file if there's an exception, but that's true of the original untarzip_image() code too

So, yeah - lgtm too

Revision history for this message
Vish Ishaya (vishvananda) wrote :

lgtm. We might want to refactor into a specific exception later, but lets keep the patch small for now.

Revision history for this message
Thierry Carrez (ttx) wrote :

Notification sent to downstream distros / public users (common with bug 885167)
Proposed disclosure date set to Tuesday, December 13, 2011, 1500UTC

Revision history for this message
Thierry Carrez (ttx) wrote :

Assigned CVE-2011-4596

Thierry Carrez (ttx)
visibility: private → public
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/2283
Committed: http://github.com/openstack/nova/commit/ad3241929ea00569c74505ed002208ce360c667e
Submitter: Jenkins
Branch: master

 status fixcommitted
 done

commit ad3241929ea00569c74505ed002208ce360c667e
Author: Thierry Carrez <email address hidden>
Date: Thu Dec 1 17:54:16 2011 +0100

    Sanitize EC2 manifests and image tarballs

    Prevent potential directory traversal with malicious EC2 image tarballs,
    by making sure the tarfile is safe before unpacking it. Fixes bug 894755

    Prevent potential directory traversal with malicious file names in
    EC2 image manifests. Fixes bug 885167

    Change-Id: If6109047307bd6e654ee9d1254f0d7f31cf741c1

Changed in nova:
status: In Progress → Fix Committed
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to nova (stable/diablo)

Reviewed: https://review.openstack.org/2284
Committed: http://github.com/openstack/nova/commit/76363226bd8533256f7795bba358d7f4b8a6c9e6
Submitter: James E. Blair (<email address hidden>)
Branch: stable/diablo

 tag in-stable-diablo
 done

commit 76363226bd8533256f7795bba358d7f4b8a6c9e6
Author: Thierry Carrez <email address hidden>
Date: Thu Dec 1 17:54:16 2011 +0100

    Sanitize EC2 manifests and image tarballs

    Prevent potential directory traversal with malicious EC2 image tarballs,
    by making sure the tarfile is safe before unpacking it. Fixes bug 894755

    Prevent potential directory traversal with malicious file names in
    EC2 image manifests. Fixes bug 885167

    (cherry picked from commit ad3241929ea00569c74505ed002208ce360c667e)

    Change-Id: If6109047307bd6e654ee9d1254f0d7f31cf741c1

Revision history for this message
Thierry Carrez (ttx) wrote :

Released as OSSA 2011-001

Thierry Carrez (ttx)
Changed in nova:
milestone: none → essex-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-2 → 2012.1