Reviewed:  https://review.openstack.org/378012
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=58311904a73f931404416649dc6ed3958adc59c8
Submitter: Jenkins
Branch:    stable/liberty

commit 58311904a73f931404416649dc6ed3958adc59c8
Author: Brian Rosmaita <[email protected]>
Date:   Tue Sep 27 16:11:17 2016 -0400

    Adding constraints around qemu-img calls

    * All "qemu-img info" calls are now run under resource limitations
      that limit CPU time to 2 seconds and address space usage to 1 GB.
      This helps avoid any DoS attacks via malicious images.
    * All "qemu-img convert" calls now specify the import format so that
      it does not have to be inferred by qemu-img.

    SecurityImpact

    (Hemanth did all the work on this, I'm just doing the backport.)

    Co-authored-by: Hemanth Makkapati <[email protected]>
    Closes-Bug: #1449062

    (cherry picked from commit 69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f)
    Change-Id: I65f30b85439a8811545b0ca590555528631954df

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1449062

Title:
  qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
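
The two constraints named in the commit message, as an added example that is not the Glance code and not part of the original notification. It uses only the Python standard library on Linux; the function names (run_limited, image_info, convert_argv) are hypothetical, and the limit values are the ones the commit message states.

```python
import resource
import subprocess
import sys

CPU_SECONDS = 2            # CPU time limit stated in the commit message
ADDRESS_SPACE = 1024 ** 3  # 1 GB address space limit stated in the commit message


def _apply_limits():
    # Runs in the child between fork() and exec(). Hard limit equals soft
    # limit, so the child cannot raise either limit again.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (ADDRESS_SPACE, ADDRESS_SPACE))


def run_limited(argv, timeout=30):
    """Run argv under both limits; return (returncode, stdout, stderr)."""
    proc = subprocess.run(argv, preexec_fn=_apply_limits,
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


def image_info(path):
    """Hypothetical wrapper: 'qemu-img info' on an untrusted image file."""
    rc, out, _err = run_limited(["qemu-img", "info", "--output=json", path])
    if rc != 0:
        # A negative rc means the kernel killed the child (CPU limit); a
        # positive rc covers parse errors and failed allocations.
        raise RuntimeError("qemu-img info failed or hit a limit (rc=%d)" % rc)
    return out


def convert_argv(src, dst, src_format, dst_format="raw"):
    """Build a convert command that names the source format with -f, so
    qemu-img does not infer it from the file contents."""
    return ["qemu-img", "convert", "-f", src_format, "-O", dst_format, src, dst]


if __name__ == "__main__":
    # Constructed stand-ins for a hostile image: one child burns CPU, the
    # other asks for 2 GB. Neither needs qemu-img to be installed.
    spin = [sys.executable, "-c", "while True: pass"]
    hog = [sys.executable, "-c", "bytearray(2 * 1024 ** 3)"]
    print("cpu-bound child rc:", run_limited(spin)[0])
    print("memory-hungry child rc:", run_limited(hog)[0])
    print(" ".join(convert_argv("upload.img", "out.raw", "qcow2")))
```
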
