Reviewed: https://review.openstack.org/375526 Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f Submitter: Jenkins Branch: master
commit 69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f Author: Hemanth Makkapati <[email protected]> Date: Fri Sep 23 09:29:12 2016 -0500 Adding constraints around qemu-img calls * All "qemu-img info" calls are now run under resource limitations that limit CPU time to 2 seconds and address space usage to 1 GB. This helps avoid any DoS attacks via malicious images. * All "qemu-img convert" calls now specify the import format so that it does not have to be inferred by qemu-img. SecurityImpact Change-Id: Ib900bbc05cb9ccd90c6f56ccb4bf2006e30cdc80 Closes-Bug: #1449062 ** Changed in: glance Status: In Progress => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: Fix Released Status in Cinder mitaka series: In Progress Status in Cinder newton series: Fix Released Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive liberty series: Fix Committed Status in Ubuntu Cloud Archive mitaka series: Fix Committed Status in Ubuntu Cloud Archive newton series: Fix Released Status in Glance: Fix Released Status in Glance liberty series: New Status in Glance mitaka series: New Status in Glance newton series: Fix Committed Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: In Progress Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : [email protected] Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
