
Bug#684452: marked as done (CVE-2012-3447 unblock: nova/2012.1.1-6)



Your message dated Sat, 11 Aug 2012 10:17:56 +0100
with message-id <1344676676.2978.30.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#684452: CVE-2012-3447 unblock: nova/2012.1.1-6
has caused the Debian Bug report #684452,
regarding CVE-2012-3447 unblock: nova/2012.1.1-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
684452: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684452
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock the nova package. This fixes CVE-2012-3447, which is a
file injection vulnerability in the host filesystem, using a specially
crafted guest image.

The relevant diff is available here:
http://anonscm.debian.org/gitweb/?p=openstack/nova.git;a=commitdiff;h=55e78f9cbaa1c4657a97c6b20797a94968030e75

The patch comes directly from upstream, as per the patch header (I just
applied it manually, then did dpkg-source --commit).

Note that this also includes a (needed) tweak in the configuration files
as per this commit:
http://anonscm.debian.org/gitweb/?p=openstack/nova.git;a=commitdiff;h=4cd725c5d164484a3ddb6bf95f37fb715cb51169

Also, Ubuntu folks already fixed the issue in 12.04.

Please unblock nova/2012.1.1-6 ASAP.

Cheers,

Thomas Goirand

--- End Message ---
--- Begin Message ---
On Sat, 2012-08-11 at 13:01 +0800, Thomas Goirand wrote:
> On 08/11/2012 04:41 AM, Adam D. Barratt wrote:
> > On Fri, 2012-08-10 at 14:25 +0800, Thomas Goirand wrote:
> >> Please unblock the nova package. This fixes CVE-2012-3447, which is a
> >> file injection vulnerability in the host filesystem, using a specially
> >> crafted guest image.
[...]
> >> Note that this also includes a (needed) tweak in the configuration files
> >> as per this commit:
> >> http://anonscm.debian.org/gitweb/?p=openstack/nova.git;a=commitdiff;h=4cd725c5d164484a3ddb6bf95f37fb715cb51169
> > 
> > Two questions:
> > 
> > 1) Why is there no mention of the above changes in the changelog?
> > 
> > 2) Why does "Add nova-compute.conf files to nova-compute init if exist"
> > require
[...]
> What happened is that CVE-2012-3447 was embargoed. Ghe Rivero asked me
> to take care of it
[...]
> So I did take care of it, and was expecting to see no change in our Git.
> So I did add the upstream patch for this CVE, built, then uploaded to SID.
> 
> But I was wrong, as Ghe did this commit, and didn't tell about it. He
> didn't fill debian/changelog, which is why I didn't notice it either.

Well it would have shown up in the debdiff.  But I don't think my
complaining about that any further is helpful now, so I'll leave it
there.

> Anyway, let me explain what I believe this patch does. Previously, we
> had only a single configuration file, called /etc/nova/nova.conf. But we
> changed that, and we are now using /etc/nova/nova-compute.conf also,
> which has hypervisor specific flags (for example, nova-compute-kvm will
> have libvirt_type=kvm when nova-compute-xen will have
> connection_type=xenapi).
[...]
> I believe that using --flagfile or --config-file does the exact same
> thing. --flagfile was the old option, which has been replaced by
> --config-file (and --flagfile is now deprecated). It's a good thing to
> do that, so that it matches future releases of Openstack nova.

Okay, thanks.

> Anyway, I'm deeply concerned about this CVE. A lot more than these small
> changes in the configuration files. I believe it is necessary to
> unblock, even if I can't comment as much as I should on the above
> changes. Holding the package from entering testing can be harmful to some users.

Unblocked.

> One last thing: in our Git, I already have a debian/po/es.po update. I
> didn't upload the package with it, because of the urgency=high. Was this
> the correct thing to do (eg: plan for a later upload then unblock), or
> should I have included the template update? Please give me the release
> team view on this, so I know how to handle such a situation later on.

At this stage yes, the translation could have been included.  As
Christian said, it's also understandable to want to get the security
changes out of the way.

> Also, is it ok to amend the debian/changelog for this release (eg:
> 2012.1.1-6) on the next upload?

To include details of the configuration file related changes?  That
should be okay, yes; in the long term it's preferable to not having the
changes documented.

Regards,

Adam

--- End Message ---
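The configuration-file tweak discussed in the thread boils down to how the nova-compute init script assembles the daemon's arguments: /etc/nova/nova.conf is always passed, the hypervisor-specific /etc/nova/nova-compute.conf is passed only when it exists, and the deprecated --flagfile spelling is replaced by --config-file. The following POSIX sh function is an added illustration of that logic; it is not the Debian init script itself, and the function name, the configuration-directory parameter and the demo directory it creates are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Debian's nova-compute init script.
# Build the argument list for nova-compute from a configuration directory
# (defaults to /etc/nova). nova.conf is always passed; the hypervisor
# specific nova-compute.conf is only appended when the file exists, so a
# node without it (e.g. one that never installed nova-compute-kvm or
# nova-compute-xen) still starts with the common configuration alone.
#
# --config-file is the current option; --flagfile is the deprecated
# spelling that older nova releases accepted. Both are printed on stdout
# as one space-separated string so a caller can do:
#   start-stop-daemon ... -- $(nova_compute_args /etc/nova)
nova_compute_args() {
    confdir="${1:-/etc/nova}"
    args="--config-file=$confdir/nova.conf"
    if [ -f "$confdir/nova-compute.conf" ]; then
        args="$args --config-file=$confdir/nova-compute.conf"
    fi
    printf '%s\n' "$args"
}

# Legacy form for comparison only: same decision, deprecated option name.
nova_compute_args_legacy() {
    confdir="${1:-/etc/nova}"
    args="--flagfile=$confdir/nova.conf"
    if [ -f "$confdir/nova-compute.conf" ]; then
        args="$args --flagfile=$confdir/nova-compute.conf"
    fi
    printf '%s\n' "$args"
}

# Demo on a constructed temporary directory (assumed layout, not a real
# node): first without, then with the hypervisor-specific file.
demo_dir=$(mktemp -d)
: > "$demo_dir/nova.conf"
echo "without nova-compute.conf: $(nova_compute_args "$demo_dir")"
printf 'libvirt_type=kvm\n' > "$demo_dir/nova-compute.conf"
echo "with nova-compute.conf:    $(nova_compute_args "$demo_dir")"
rm -rf "$demo_dir"
```

Because the check is on the file's presence rather than on which metapackage is installed, the same init script serves nova-compute-kvm, nova-compute-xen and a bare nova-compute, which is what makes the change safe to ship alongside the CVE fix.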
