nova: Arbitrary file injection/corruption through directory traversal

Related Vulnerabilities: CVE-2012-3360, CVE-2012-3361

Debian Bug report logs - #680110


Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Tue, 3 Jul 2012 16:51:02 UTC

Severity: grave

Tags: security

Fixed in version nova/2012.1.1-2

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#680110; Package nova. (Tue, 03 Jul 2012 16:51:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 03 Jul 2012 16:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nova: Arbitrary file injection/corruption through directory traversal
Date: Tue, 03 Jul 2012 18:48:54 +0200
Package: nova
Severity: grave
Tags: security
Justification: user security hole

Hey,

two issues were found in nova compute nodes, allowing arbitrary file
corruption or injection on the host.

More details can be found on
http://www.openwall.com/lists/oss-security/2012/07/03/2

CVE-2012-3360, and CVE-2012-3361 have been allocated.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
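The report above only names the bug class (directory traversal leading to arbitrary file injection or corruption on the compute host) and points at the oss-security post for details. As an added illustration that is not Nova's code and not the fix shipped in 2012.1.1-2, the block below shows the general shape of that class for a file-injection routine that writes guest-requested files into a mounted guest image: a path containing `..`, or an innocent-looking path whose target inside the attacker-built image is a symlink, resolves onto the host filesystem. Beside it is a confinement check that resolves the path and refuses anything that lands outside the mount root. The directory layout, file names and the `InjectionRefused` exception are constructed for this example; whether Nova's actual patch took this approach is not stated on this page.

```python
"""Added illustration, not Nova's code: the traversal/symlink bug class this
bug report names, beside a path-confinement check. Everything here (the fake
host directory, the 'mounted' image, file names, InjectionRefused) is
constructed for the example."""
import os
import shutil
import tempfile


class InjectionRefused(Exception):
    """Raised when a guest-supplied path would resolve outside the mount root."""


def inject_file_naive(mount_root, guest_path, data):
    """Vulnerable pattern: join the guest path onto the mount point and write.

    '..' segments are not rejected and symlinks that the (attacker-built)
    image contains are followed, so the write can land anywhere the process
    (typically root on the compute host) can reach.
    """
    target = os.path.join(mount_root, guest_path.lstrip("/"))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(data)
    return target


def confined_target(mount_root, guest_path):
    """Resolve guest_path under mount_root and refuse anything that escapes.

    realpath() normalises '..' and follows every symlink component, including
    the final one, so a link inside the image that points at a host file is
    caught the same way a literal '../..' is.
    """
    root = os.path.realpath(mount_root)
    candidate = os.path.realpath(os.path.join(root, guest_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise InjectionRefused(f"{guest_path!r} resolves to {candidate}, outside {root}")
    return candidate


def inject_file_confined(mount_root, guest_path, data):
    """Hardened variant: the same write, but only after confined_target() passes."""
    target = confined_target(mount_root, guest_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(data)
    return target


def demo():
    """Build a fake host with a 'mounted' guest image and try both variants.

    Returns a dict of outcomes so the behaviour can be asserted on.
    """
    host = os.path.realpath(tempfile.mkdtemp(prefix="fakehost-"))
    image = os.path.join(host, "image")      # the mounted guest root
    os.makedirs(os.path.join(image, "etc"))
    os.makedirs(os.path.join(host, "etc"))   # stands in for the host's /etc
    # The guest image is attacker-controlled: /etc/passwd inside it is a
    # relative symlink that climbs out of the mount point onto the host.
    os.symlink(os.path.join("..", "..", "etc", "host_passwd"),
               os.path.join(image, "etc", "passwd"))

    results = {}
    try:
        # 1. Traversal through '..' in the requested path.
        inject_file_naive(image, "../etc/injected", "owned\n")
        results["naive_traversal_escaped"] = os.path.isfile(os.path.join(host, "etc", "injected"))
        # 2. A benign-looking path whose target is a symlink out of the image.
        inject_file_naive(image, "/etc/passwd", "root::0:0::/:/bin/sh\n")
        results["naive_symlink_escaped"] = os.path.isfile(os.path.join(host, "etc", "host_passwd"))

        # The confined variant refuses both escapes and still serves a real request.
        for key, path in (("hardened_traversal", "../etc/injected2"),
                          ("hardened_symlink", "/etc/passwd"),
                          ("hardened_legit", "/etc/hostname")):
            try:
                inject_file_confined(image, path, "guest-data\n")
                results[key] = "written"
            except InjectionRefused:
                results[key] = "refused"
    finally:
        shutil.rmtree(host)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the block prints one outcome per line: both naive writes escape the image, the confined variant refuses both and writes the legitimate `/etc/hostname` inside the mount. One caveat a practitioner would add: resolve-then-open leaves a window in which the image contents can change between the check and the write, so a production fix confines the write itself (opening relative to the mount root without following symlinks) or avoids mounting an untrusted image on the host at all, rather than relying on a path check alone.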




Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 03 Jul 2012 21:31:44 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Tue, 03 Jul 2012 21:31:45 GMT)


Message #10 received at 680110-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 680110-close@bugs.debian.org
Subject: Bug#680110: fixed in nova 2012.1.1-2
Date: Tue, 03 Jul 2012 21:07:58 +0000
Source: nova
Source-Version: 2012.1.1-2

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive:

nova-api-ec2_2012.1.1-2_all.deb
  to main/n/nova/nova-api-ec2_2012.1.1-2_all.deb
nova-api-metadata_2012.1.1-2_all.deb
  to main/n/nova/nova-api-metadata_2012.1.1-2_all.deb
nova-api-os-compute_2012.1.1-2_all.deb
  to main/n/nova/nova-api-os-compute_2012.1.1-2_all.deb
nova-api-os-volume_2012.1.1-2_all.deb
  to main/n/nova/nova-api-os-volume_2012.1.1-2_all.deb
nova-api_2012.1.1-2_all.deb
  to main/n/nova/nova-api_2012.1.1-2_all.deb
nova-cert_2012.1.1-2_all.deb
  to main/n/nova/nova-cert_2012.1.1-2_all.deb
nova-common_2012.1.1-2_all.deb
  to main/n/nova/nova-common_2012.1.1-2_all.deb
nova-compute-kvm_2012.1.1-2_all.deb
  to main/n/nova/nova-compute-kvm_2012.1.1-2_all.deb
nova-compute-lxc_2012.1.1-2_all.deb
  to main/n/nova/nova-compute-lxc_2012.1.1-2_all.deb
nova-compute-qemu_2012.1.1-2_all.deb
  to main/n/nova/nova-compute-qemu_2012.1.1-2_all.deb
nova-compute-uml_2012.1.1-2_all.deb
  to main/n/nova/nova-compute-uml_2012.1.1-2_all.deb
nova-compute-xen_2012.1.1-2_all.deb
  to main/n/nova/nova-compute-xen_2012.1.1-2_all.deb
nova-compute_2012.1.1-2_all.deb
  to main/n/nova/nova-compute_2012.1.1-2_all.deb
nova-console_2012.1.1-2_all.deb
  to main/n/nova/nova-console_2012.1.1-2_all.deb
nova-doc_2012.1.1-2_all.deb
  to main/n/nova/nova-doc_2012.1.1-2_all.deb
nova-network_2012.1.1-2_all.deb
  to main/n/nova/nova-network_2012.1.1-2_all.deb
nova-objectstore_2012.1.1-2_all.deb
  to main/n/nova/nova-objectstore_2012.1.1-2_all.deb
nova-scheduler_2012.1.1-2_all.deb
  to main/n/nova/nova-scheduler_2012.1.1-2_all.deb
nova-volume_2012.1.1-2_all.deb
  to main/n/nova/nova-volume_2012.1.1-2_all.deb
nova-xcp-network_2012.1.1-2_all.deb
  to main/n/nova/nova-xcp-network_2012.1.1-2_all.deb
nova-xcp-plugins_2012.1.1-2_all.deb
  to main/n/nova/nova-xcp-plugins_2012.1.1-2_all.deb
nova-xvpvncproxy_2012.1.1-2_all.deb
  to main/n/nova/nova-xvpvncproxy_2012.1.1-2_all.deb
nova_2012.1.1-2.debian.tar.gz
  to main/n/nova/nova_2012.1.1-2.debian.tar.gz
nova_2012.1.1-2.dsc
  to main/n/nova/nova_2012.1.1-2.dsc
python-nova_2012.1.1-2_all.deb
  to main/n/nova/python-nova_2012.1.1-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 680110@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 03 Jul 2012 18:18:38 +0000
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-uml nova-compute-xen nova-compute-qemu nova-compute-kvm nova-scheduler nova-volume nova-api nova-network nova-objectstore nova-console nova-cert nova-xcp-plugins nova-xcp-network nova-doc nova-xvpvncproxy nova-api-metadata nova-api-os-compute nova-api-os-volume nova-api-ec2
Architecture: source all
Version: 2012.1.1-2
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 nova-api   - OpenStack Compute - compute API frontend
 nova-api-ec2 - OpenStack Compute - EC2 API frontend
 nova-api-metadata - OpenStack Compute - metadata API frontend
 nova-api-os-compute - OpenStack Compute - compute API frontend
 nova-api-os-volume - OpenStack Compute - Volume API frontend
 nova-cert  - OpenStack Compute - certificate manager
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-compute-uml - OpenStack Compute - compute node (UserModeLinux)
 nova-compute-xen - OpenStack Compute - compute node (Xen)
 nova-console - OpenStack Compute - console
 nova-doc   - OpenStack Compute - documentation
 nova-network - OpenStack Compute - network manager
 nova-objectstore - OpenStack Compute - object store
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage
 nova-xcp-network - OpenStack Compute network plugin for the Xen Cloud Platform
 nova-xcp-plugins - OpenStack Compute plugin for the Xen Cloud Platform
 nova-xvpvncproxy - OpenStack Compute - XVP VNC proxy
 python-nova - OpenStack Compute - libraries
Closes: 679009 679422 679445 679497 679670 680110
Changes: 
 nova (2012.1.1-2) unstable; urgency=high
 .
   * Fixes CVE-2012-3360, CVE-2012-3361 (Closes: #680110).
   * Debconf translation updates with thanks to:
     - cs.po Michal Simunek <michal.simunek@gmail.com> (Closes: #679670).
     - pt.po Miguel Figueiredo <elmig@debianpt.org> (Closes: #679497).
     - sk.po helix84 <helix84@centrum.sk> (Closes: #679445).
     - fr.po Julien Patriarca <patriarcaj@gmail.com> (Closes: #679422).
     - sv.po Martin Bagge <brother@bsnet.se> (Closes: #679009).
Checksums-Sha1: 
 5dd9637e7918990abd72af6f69d639443739e4e1 3047 nova_2012.1.1-2.dsc
 441dfd71e75897771f50889c9535c0540d40e888 50818 nova_2012.1.1-2.debian.tar.gz
 1bb8ea870dfbfeaa87076406380096076a063d28 1776378 python-nova_2012.1.1-2_all.deb
 909657915e0b77a1f16b7b36fbfebbb6646708ff 39292 nova-common_2012.1.1-2_all.deb
 eab516f752fdb941f21adfa4de6b1a9887db0894 16178 nova-compute_2012.1.1-2_all.deb
 6d977ec657853cdc37c910e276f6c9f7b5ef876f 11422 nova-compute-lxc_2012.1.1-2_all.deb
 99c005d48bd59e6307767517a052faa1af2bd113 11440 nova-compute-uml_2012.1.1-2_all.deb
 6e8f5bcb1ba28404bb0730e6cfabe4e384ae52dd 13880 nova-compute-xen_2012.1.1-2_all.deb
 dbb11a970e831b82ca1db31e7d43db8d3d6aa166 11340 nova-compute-qemu_2012.1.1-2_all.deb
 38aac9c763f347f673a13c4527ede20d981fe1ec 11426 nova-compute-kvm_2012.1.1-2_all.deb
 a1279ff8d23003bb93d8593301136bf228b39fbd 13926 nova-scheduler_2012.1.1-2_all.deb
 55bf6f280f88592cbfb112e59520da0ef938d8f4 14820 nova-volume_2012.1.1-2_all.deb
 5204cfac41bf91518e4f80c7996920bc862e50fd 13820 nova-api_2012.1.1-2_all.deb
 35c85f6602e91558d10cb59a237be19e6ac50ed9 16676 nova-network_2012.1.1-2_all.deb
 a429702fdc850477e4563ca30fec1530f09db165 14032 nova-objectstore_2012.1.1-2_all.deb
 5da228e7f7d339339d15edcd082f6448a620fb84 14522 nova-console_2012.1.1-2_all.deb
 6539904e58025172b80a561b3c3f422a09ca1f8b 13890 nova-cert_2012.1.1-2_all.deb
 815424c413baaba3efa30d9b69ac95252ee47b1a 33906 nova-xcp-plugins_2012.1.1-2_all.deb
 58818e5e548d23067461b6bfcbb84b5e5fabda4e 18530 nova-xcp-network_2012.1.1-2_all.deb
 29e8809bf8cde814d08f27fdd4b62f79c1c4c751 1710196 nova-doc_2012.1.1-2_all.deb
 8ddaff3ab9299335f62e7516e2356d6aae312183 13804 nova-xvpvncproxy_2012.1.1-2_all.deb
 e8533583100df0da1faab6bfe73fc27e7bd8b2ff 13716 nova-api-metadata_2012.1.1-2_all.deb
 74ef667f27e5efb0825f37aaf4ea2f9c4cafce3a 13720 nova-api-os-compute_2012.1.1-2_all.deb
 013ef21f4c7d1cbc85fbdfd76175d20c60f49312 13730 nova-api-os-volume_2012.1.1-2_all.deb
 54fdf0859dd4114b2fddf018724bc334e6914215 13690 nova-api-ec2_2012.1.1-2_all.deb
Checksums-Sha256: 
 bf9508fa08f58f2907cb87605bee11c380bafc4e9dda1642e744dc7c64a578f7 3047 nova_2012.1.1-2.dsc
 ac8b62c21a28222c8d3af8d9f80752c707d92f6c57e4a5bef9bfc6f314386713 50818 nova_2012.1.1-2.debian.tar.gz
 85383a4e8714bde8450481d9fd07afeb29c263557655a33a219e519720f0c937 1776378 python-nova_2012.1.1-2_all.deb
 b9667e2dc7982189dab59f7b259cb0421893cff3996519f03736db584394d888 39292 nova-common_2012.1.1-2_all.deb
 4445144464327cec2e77be1d3aeb27948bac51c48699b7e9cb3e434309abecd6 16178 nova-compute_2012.1.1-2_all.deb
 a747025936a9519bc3777ea846b7406420a7d343099a2dfa789e58d7d5537fdc 11422 nova-compute-lxc_2012.1.1-2_all.deb
 e55d387220c5944ac70ac8f4620407eaae5b74ae01925780adea6c3f826d31ad 11440 nova-compute-uml_2012.1.1-2_all.deb
 502b81948c6c1051894c4be2538408449cfef51f8a6e472aeb61962ab14a02cb 13880 nova-compute-xen_2012.1.1-2_all.deb
 798d139b161bd2eeedf45813d433ab049a99c51dea12aa28dfb2328583ea2b8e 11340 nova-compute-qemu_2012.1.1-2_all.deb
 b31783bd1804eb8435545b7a5e9ba0ee1de6738f5829f5ae91459f4ec5a04458 11426 nova-compute-kvm_2012.1.1-2_all.deb
 7f082df3a4848d8aba0f73aaa9d5976a3fbcfcc888aa18f8796c81638d8cfa4a 13926 nova-scheduler_2012.1.1-2_all.deb
 f6f42639ff4b58dd214677866a7cd2d0ee399f3c7a890b2222f7ae5a60ce94ec 14820 nova-volume_2012.1.1-2_all.deb
 8023ff0bfdd3a029377fb496d1bcde07a384783d2a64133117e76f654a4df1c1 13820 nova-api_2012.1.1-2_all.deb
 b8d87c5b54cf557762a37a47de9df193497505e02b47b4735aa10f20c7ade5e9 16676 nova-network_2012.1.1-2_all.deb
 7a1e8a69e8cd7fdf5d2141598993e5f4f2ac7c430237331ae05062c27fe7f09d 14032 nova-objectstore_2012.1.1-2_all.deb
 b81c5ec0fabd614fdd3e53df185fd5d3f557e9491e8637d50f9a9569861f497a 14522 nova-console_2012.1.1-2_all.deb
 a754fb9c1ea43a7864565ffcc882ca5f0b352c5fce3cbd45a466331312235ba5 13890 nova-cert_2012.1.1-2_all.deb
 ee0f38d26ddc426b9ca49b8132903cb577633befe75cb9e21573fe2ce91eb4f5 33906 nova-xcp-plugins_2012.1.1-2_all.deb
 6cf326402410c4b75008d7271f9ffb4bdf5da7025889cd79a690b9c287a4835b 18530 nova-xcp-network_2012.1.1-2_all.deb
 398f6661777580986ef716d77824ae5074ad0cc88e2394395c3fef76c2385dcb 1710196 nova-doc_2012.1.1-2_all.deb
 72fd508ea1eb95f789887b8561cc7633d5b0f001e36cba999b659af910e93b9e 13804 nova-xvpvncproxy_2012.1.1-2_all.deb
 1dbb52e1e1f1275265ae3fe211d6f3aa158d330e666a32635df356db3600c3a4 13716 nova-api-metadata_2012.1.1-2_all.deb
 2beef7cefdf7d0702415d539079beda96aa643971e2799e357be5b40076386a0 13720 nova-api-os-compute_2012.1.1-2_all.deb
 b1994c4908063c1b330f8db88e0f3187aa12b60ce71bb0fd75c2c5888f7ed01e 13730 nova-api-os-volume_2012.1.1-2_all.deb
 4463a7c6f568977a9419eb3552a9c44bf549b8df843119b6d0e83ea9df6ce3de 13690 nova-api-ec2_2012.1.1-2_all.deb
Files: 
 ff6bebd2d48500fe0ac0eb267d1cbb0a 3047 net extra nova_2012.1.1-2.dsc
 75ee07a9b33950d9159d3c310f969ab7 50818 net extra nova_2012.1.1-2.debian.tar.gz
 63a30f5cd421e76d1cfeb908ff591776 1776378 python extra python-nova_2012.1.1-2_all.deb
 073b69288f0434853b54cad87a576746 39292 net extra nova-common_2012.1.1-2_all.deb
 7dfc93df8872380f2af8810c5a4d8fb7 16178 net extra nova-compute_2012.1.1-2_all.deb
 3b0aeaf3491c10c7657500df2a5e6176 11422 net extra nova-compute-lxc_2012.1.1-2_all.deb
 2f8acb4a84d704f06d04a54414e31395 11440 net extra nova-compute-uml_2012.1.1-2_all.deb
 387544f3d5e08891900d2a520a88ccae 13880 net extra nova-compute-xen_2012.1.1-2_all.deb
 9a08aff2f715c661f43a4bce33a82970 11340 net extra nova-compute-qemu_2012.1.1-2_all.deb
 f34556e8b4d0a4177366f1d1b468f7fd 11426 net extra nova-compute-kvm_2012.1.1-2_all.deb
 b013fd80f4e10d0e866c28bf8fbc9575 13926 net extra nova-scheduler_2012.1.1-2_all.deb
 7f42f6e2557060ce674d3e0b5b9532e7 14820 net extra nova-volume_2012.1.1-2_all.deb
 ec184e49b56d599db96ffc1620bb834e 13820 net extra nova-api_2012.1.1-2_all.deb
 f4bf543cec34bb25bb1b5490ecef147f 16676 net extra nova-network_2012.1.1-2_all.deb
 5e9a6ead4cf34fabe448e23e10fac517 14032 net extra nova-objectstore_2012.1.1-2_all.deb
 035bad580c5b27990efac0dd72aa1431 14522 net extra nova-console_2012.1.1-2_all.deb
 cf8bb736f9e4ea0e5a1ed58b66644e32 13890 net extra nova-cert_2012.1.1-2_all.deb
 80aec7dde339b3aee9a26932a9c46f56 33906 net extra nova-xcp-plugins_2012.1.1-2_all.deb
 c305e708c69d65cf34e8641182a33ea5 18530 net extra nova-xcp-network_2012.1.1-2_all.deb
 0deeecf89557cff55b3cb2b0eb50295b 1710196 doc extra nova-doc_2012.1.1-2_all.deb
 4bef3ffe4fa5fb13822cf3bd2cd3f7f4 13804 net extra nova-xvpvncproxy_2012.1.1-2_all.deb
 33febbe7fe3012b5b777152045b3aa02 13716 net extra nova-api-metadata_2012.1.1-2_all.deb
 b525ed259bf7e07ef51455a5215035bf 13720 net extra nova-api-os-compute_2012.1.1-2_all.deb
 f16a3012ebe1fb503b6fa18ee442f91b 13730 net extra nova-api-os-volume_2012.1.1-2_all.deb
 4edf396b69475bac2bd8692c72e3b858 13690 net extra nova-api-ec2_2012.1.1-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/zSpwACgkQl4M9yZjvmknsDQCgnyRp14RBRmo7uBbjNckE67wm
TdkAoKgA7garqO07F04/DjIZjIOPWISW
=jlO2
-----END PGP SIGNATURE-----
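The signed .changes file quoted above carries Checksums-Sha1, Checksums-Sha256 and Files stanzas binding each uploaded package to a size and digest. As an added example that is not Debian's tooling, the block below parses the Checksums-Sha256 stanza in that Debian control syntax (field line, then indented `hash size filename` continuation lines) and verifies a directory of files against it. The .changes text and the package files in the demo are constructed, with real digests computed in place; the hashes quoted on this page are not re-used because the matching .debs are not on the page.

```python
"""Added example, not Debian's own tooling: verify files against the
Checksums-Sha256 stanza of a .changes file. The .changes text and package
files built in demo() are constructed for this example."""
import hashlib
import os
import shutil
import tempfile


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from one multi-line checksum field.

    The field name is followed by continuation lines that start with a space,
    each 'hash size filename'. The stanza ends at the first unindented line.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if in_field:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        elif line.startswith(field + ":"):
            in_field = True
    return entries


def verify_files(directory, entries):
    """Check each listed file's size and SHA-256; return {filename: status}."""
    statuses = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            statuses[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            statuses[name] = "size mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        statuses[name] = "ok" if h.hexdigest() == digest else "hash mismatch"
    return statuses


def demo():
    """Construct package files and a matching .changes stanza, then verify."""
    directory = tempfile.mkdtemp(prefix="changes-")
    good = b"good package contents\n"
    signed_tampered = b"original bytes of tampered.deb\n"   # what was signed
    actual_tampered = b"modified bytes of tampered.deb\n"   # same size, new bytes
    with open(os.path.join(directory, "good.deb"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(directory, "tampered.deb"), "wb") as fh:
        fh.write(actual_tampered)
    # Constructed .changes fragment in the same layout as the one quoted above;
    # absent.deb is listed but never written to disk.
    changes_text = "\n".join([
        "Format: 1.8",
        "Source: nova",
        "Checksums-Sha1: ",
        " 0000000000000000000000000000000000000000 1 ignored.deb",
        "Checksums-Sha256: ",
        f" {hashlib.sha256(good).hexdigest()} {len(good)} good.deb",
        f" {hashlib.sha256(signed_tampered).hexdigest()} {len(signed_tampered)} tampered.deb",
        f" {'ab' * 32} 1234 absent.deb",
        "Files: ",
        " 00000000000000000000000000000000 0 net extra good.deb",
    ])
    try:
        return verify_files(directory, parse_checksums(changes_text))
    finally:
        shutil.rmtree(directory)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The demo reports `good.deb: ok`, `tampered.deb: hash mismatch` and `absent.deb: missing`. The digests only bind the files to the .changes text; the trust in that text comes from the PGP signature wrapping it, which must be verified against the Debian keyring (for example with `gpg --verify`) before the checksums mean anything. The example does not perform that signature check.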





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 26 Oct 2012 07:25:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:51 2019; Machine Name: buxtehude
