Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I've prepared an update of nova for Jessie which fixes CVE-2015-3241. This CVE is about DoSing nova-compute machines by resizing a VM and deleting it immediately afterwards, which makes nova-compute consume all CPU.

The package is available here: http://sid.gplhost.com/jessie-proposed-updates/nova/

Please allow me to upload it to jessie-p-u.

Cheers,

Thomas Goirand (zigo)

P.S.: As we speak, I'm preparing the update for Sid; it should be ready soonish today, and it will include the point release update.
diff -Nru nova-2014.1.3/debian/changelog nova-2014.1.3/debian/changelog --- nova-2014.1.3/debian/changelog 2015-03-11 08:48:55.000000000 +0000 +++ nova-2014.1.3/debian/changelog 2015-08-28 09:24:00.000000000 +0000 @@ -1,3 +1,10 @@ +nova (2014.1.3-11+deb8u1) jessie-proposed-updates; urgency=medium + + * CVE-2015-3241: Resize/delete combo allows to overload nova-compute. Applied + upstream patch (Closes: #796109). + + -- Thomas Goirand <z...@debian.org> Fri, 28 Aug 2015 11:10:06 +0200 + nova (2014.1.3-11) unstable; urgency=high * CVE-2015-0259: Websocket Hijacking Vulnerability in Nova VNC Server. Done diff -Nru nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch --- nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch 1970-01-01 00:00:00.000000000 +0000 +++ nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch 2015-08-28 09:24:00.000000000 +0000 
@@ -0,0 +1,103 @@ +Description: CVE-2015-3241: Sync process utils from oslo for execute callbacks + The sync pulls in the following changes: + . + Ifc23325 Add 2 callbacks to processutils.execute() + I22b2d7b processutils: ensure on_completion callback is always called + I59d5799 Let oslotest manage the six.move setting for mox + I245750f Remove `processutils` dependency on `log` + Ia5bb418 Fix exception message in openstack.common.processutils.execute +Author: Abhishek Kekane <abhishek.kek...@nttdata.com> +Bug-Debian: https://bugs.debian.org/796109 +Origin: upstream, https://review.openstack.org/#/c/208876/ +Bug-Ubuntu: https://launchpad.net/bugs/1387543 +Last-Update: 2015-08-28 + +--- nova-2014.1.3.orig/nova/openstack/common/processutils.py ++++ nova-2014.1.3/nova/openstack/common/processutils.py +@@ -112,6 +112,17 @@ def execute(*cmd, **kwargs): + :type shell: boolean + :param loglevel: log level for execute commands. + :type loglevel: int. (Should be logging.DEBUG or logging.INFO) ++ :param on_execute: This function will be called upon process creation ++ with the object as a argument. The Purpose of this ++ is to allow the caller of `processutils.execute` to ++ track process creation asynchronously. ++ :type on_execute: function(:class:`subprocess.Popen`) ++ :param on_completion: This function will be called upon process ++ completion with the object as a argument. The ++ Purpose of this is to allow the caller of ++ `processutils.execute` to track process completion ++ asynchronously. 
++ :type on_completion: function(:class:`subprocess.Popen`) + :returns: (stdout, stderr) from process execution + :raises: :class:`UnknownArgumentError` on + receiving unknown arguments +@@ -127,6 +138,8 @@ def execute(*cmd, **kwargs): + root_helper = kwargs.pop('root_helper', '') + shell = kwargs.pop('shell', False) + loglevel = kwargs.pop('loglevel', logging.DEBUG) ++ on_execute = kwargs.pop('on_execute', None) ++ on_completion = kwargs.pop('on_completion', None) + + if isinstance(check_exit_code, bool): + ignore_exit_code = not check_exit_code +@@ -135,8 +148,7 @@ def execute(*cmd, **kwargs): + check_exit_code = [check_exit_code] + + if kwargs: +- raise UnknownArgumentError(_('Got unknown keyword args ' +- 'to utils.execute: %r') % kwargs) ++ raise UnknownArgumentError(_('Got unknown keyword args: %r') % kwargs) + + if run_as_root and hasattr(os, 'geteuid') and os.geteuid() != 0: + if not root_helper: +@@ -168,23 +180,32 @@ def execute(*cmd, **kwargs): + close_fds=close_fds, + preexec_fn=preexec_fn, + shell=shell) +- result = None +- for _i in six.moves.range(20): +- # NOTE(russellb) 20 is an arbitrary number of retries to +- # prevent any chance of looping forever here. +- try: +- if process_input is not None: +- result = obj.communicate(process_input) +- else: +- result = obj.communicate() +- except OSError as e: +- if e.errno in (errno.EAGAIN, errno.EINTR): +- continue +- raise +- break +- obj.stdin.close() # pylint: disable=E1101 +- _returncode = obj.returncode # pylint: disable=E1101 +- LOG.log(loglevel, _('Result was %s') % _returncode) ++ ++ if on_execute: ++ on_execute(obj) ++ ++ try: ++ result = None ++ for _i in six.moves.range(20): ++ # NOTE(russellb) 20 is an arbitrary number of retries to ++ # prevent any chance of looping forever here. 
++ try: ++ if process_input is not None: ++ result = obj.communicate(process_input) ++ else: ++ result = obj.communicate() ++ except OSError as e: ++ if e.errno in (errno.EAGAIN, errno.EINTR): ++ continue ++ raise ++ break ++ obj.stdin.close() # pylint: disable=E1101 ++ _returncode = obj.returncode # pylint: disable=E1101 ++ LOG.log(loglevel, 'Result was %s' % _returncode) ++ finally: ++ if on_completion: ++ on_completion(obj) ++ + if not ignore_exit_code and _returncode not in check_exit_code: + (stdout, stderr) = result + sanitized_stdout = strutils.mask_password(stdout) diff -Nru nova-2014.1.3/debian/patches/series nova-2014.1.3/debian/patches/series --- nova-2014.1.3/debian/patches/series 2015-03-11 08:48:55.000000000 +0000 +++ nova-2014.1.3/debian/patches/series 2015-08-28 09:24:00.000000000 +0000 @@ -25,3 +25,4 @@ CVE-2014-8333_Fix_VM_leak_when_deletion_of_VM_during_resizing.patch avoid_changing_UUID_when_redefining_nwfilters.patch CVE-2015-0259_Websocket_Proxy_should_verify_Origin_header_icehouse-debian.patch +CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch
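Review bot: the @@ -168,23 +180,32 @@ hunk in processutils.py only adds the on_execute/on_completion hooks to execute(); nothing else in this debdiff passes those callbacks from a caller, and the resize/delete path in the libvirt driver that the changelog entry and the CVE description refer to is not touched. Please confirm that the nova-side part of upstream review 208876 (the code that registers the callbacks and terminates the leftover process when the instance is deleted) is either already present in 2014.1.3-11 or included in this upload, because with only this hunk applied the CPU exhaustion described in the changelog is not mitigated. The try/finally itself looks right: on_completion(obj) is reached both after the retry loop and when communicate() raises, so a caller can always untrack the process.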
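Review bot: the changelog hunk @@ -1,3 +1,10 @@ only mentions the CVE, but the patch also carries unrelated oslo changes that are visible in the @@ -135,8 +148,7 @@ and @@ -168,23 +180,32 @@ hunks: the UnknownArgumentError message text changes from 'Got unknown keyword args to utils.execute: %r' to 'Got unknown keyword args: %r', and the 'Result was %s' log line loses its `_()` translation wrapper. For a jessie-proposed-updates upload it would help the release team if the changelog (or the patch's Description field) stated that these message changes come with the oslo sync and have no functional effect, or if they were trimmed out of the backport so the diff is limited to the callback plumbing.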
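Review bot: in the @@ -112,6 +112,17 @@ docstring hunk, 'with the object as a argument' should read 'with the object as an argument' (it appears twice, for on_execute and on_completion), and 'The Purpose' should be lower-case. Since the text is taken verbatim from upstream this is optional for the backport, but if the patch is touched again the two entries could be shortened to one sentence each, e.g. ':param on_execute: called with the subprocess.Popen object immediately after process creation' and the equivalent for on_completion.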