Comment 7 for bug 1031311

Thierry Carrez (ttx) wrote : Re: CVE-2012-3361 not fully addressed

Please confirm patches and approve proposed impact description. Will be published as an ERRATA to OSSA-2012-008 if it gets the same CVE, and as a separate advisory if it gets a new CVE...

Title: OSSA-2012-008 ERRATA: Incomplete fix
Impact: Critical
Reporter: Pádraig Brady (Red Hat)
Products: Nova
Affects: All versions

Description:
Pádraig Brady from Red Hat discovered that the fix implemented for CVE-2012-3361 was not covering all attack scenarios. By crafting a malicious image with root-readable-only symlinks and requesting an instance based on it, an authenticated user could still corrupt arbitrary files (all setups affected) or inject arbitrary files (Essex and later setups with OpenStack API enabled and a libvirt-based hypervisor) on the host filesystem, potentially resulting in full compromise of that compute node.

Additional fixes needed:
...
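The scenario described above (a symlink planted in a guest image redirecting a file-injection write onto the compute node's filesystem) is easier to reason about with a concrete, self-contained routine. The code below is an added illustration, not Nova's fix for this bug and not the patch referenced by the advisory; the function names, the fake "mount root" built under a temporary directory and the hostile symlinks are all constructed here. The design point it demonstrates is the one the incomplete fix missed: the symlink check and the write have to happen in the same privilege context and on the same path descriptors, because a link the checker cannot see (root-readable-only content) will still be followed by a root-privileged writer. Here every component is opened relative to the previous directory descriptor with O_NOFOLLOW, so nothing is ever resolved against the host's own namespace, and device nodes in the image are refused as well (mounting with nodev is the usual belt-and-braces complement).

```python
import os
import shutil
import stat
import tempfile


class UnsafeGuestPath(Exception):
    """Raised when a guest path would leave the mounted image or hit a non-regular file."""


def inject_file(mount_root, guest_path, data, mode=0o600):
    """Write `data` to `guest_path` inside the image mounted at `mount_root`.

    Each component is opened with O_NOFOLLOW relative to the previous
    directory descriptor, so a symlink anywhere in the guest path (including
    the last component) aborts the write instead of redirecting it onto the
    host. Returns the number of bytes written. Hypothetical helper, not Nova code.
    """
    parts = [p for p in guest_path.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        raise UnsafeGuestPath(f"refusing path {guest_path!r}")

    dir_fd = os.open(mount_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # Descend one directory at a time; a symlink component fails with ELOOP.
        for name in parts[:-1]:
            try:
                nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError as e:
                raise UnsafeGuestPath(f"component {name!r} of {guest_path!r}: {e.strerror}") from e
            os.close(dir_fd)
            dir_fd = nxt

        # The final component must be absent or a plain regular file: no symlink,
        # no device node (a block node in the image would open the host's device).
        leaf = parts[-1]
        try:
            st = os.lstat(leaf, dir_fd=dir_fd)
        except FileNotFoundError:
            st = None
        if st is not None and not stat.S_ISREG(st.st_mode):
            raise UnsafeGuestPath(f"{guest_path!r} is not a regular file")

        try:
            fd = os.open(leaf, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, mode, dir_fd=dir_fd)
        except OSError as e:
            raise UnsafeGuestPath(f"{guest_path!r}: {e.strerror}") from e
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                raise UnsafeGuestPath(f"{guest_path!r} opened as a non-regular file")
            return os.write(fd, data)
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)


def run_demo():
    """Constructed fixture: a fake host dir with a fake image mount containing hostile links."""
    host = tempfile.mkdtemp(prefix="host-")      # stands in for the compute node's filesystem
    root = os.path.join(host, "mnt")              # where the guest image is "mounted"
    os.makedirs(os.path.join(root, "etc"))
    # Hostile image content: a directory symlink out of the image and a file symlink
    # onto a host path (constructed here; the real images in the bug were built by an attacker).
    os.symlink(host, os.path.join(root, "link"))
    os.symlink(os.path.join(host, "victim"), os.path.join(root, "etc", "shadow"))

    results = {}
    results["clean"] = inject_file(root, "/etc/hostname", b"guest\n")
    with open(os.path.join(root, "etc", "hostname"), "rb") as f:
        results["clean_content"] = f.read()
    for label, path in [("dir_symlink", "/link/victim"),
                        ("file_symlink", "/etc/shadow"),
                        ("dotdot", "/etc/../../victim")]:
        try:
            inject_file(root, path, b"pwned\n")
            results[label] = "written"
        except UnsafeGuestPath:
            results[label] = "blocked"
    results["host_victim_exists"] = os.path.exists(os.path.join(host, "victim"))
    shutil.rmtree(host)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

run_demo() writes the legitimate /etc/hostname and reports all three hostile paths as blocked, with nothing created outside the fake mount. Note that this only guards the injection path itself; the "corrupt arbitrary files" half of the advisory concerns writes made elsewhere in the image-preparation flow, which need the same descriptor-relative, no-follow discipline.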