Bug#797192: jessie-pu: package nova/2014.1.3-11 (CVE-2015-3241, #796109)
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I've prepared an update of nova for Jessie which fixes CVE-2015-3241.
This CVE is about DoSing nova-compute machines by resizing a VM and
immediately afterwards deleting it, which makes nova-compute consume all CPU.
The package is available here:
http://sid.gplhost.com/jessie-proposed-updates/nova/
Please allow me to upload it to jessie-p-u.
Cheers,
Thomas Goirand (zigo)
P.S.: As we speak, I'm preparing the update for Sid; it should be
ready soonish today, and it will include the point release update.
diff -Nru nova-2014.1.3/debian/changelog nova-2014.1.3/debian/changelog
--- nova-2014.1.3/debian/changelog 2015-03-11 08:48:55.000000000 +0000
+++ nova-2014.1.3/debian/changelog 2015-08-28 09:24:00.000000000 +0000
@@ -1,3 +1,10 @@
+nova (2014.1.3-11+deb8u1) jessie-proposed-updates; urgency=medium
+
+ * CVE-2015-3241: Resize/delete combo allows to overload nova-compute. Applied
+ upstream patch (Closes: #796109).
+
+ -- Thomas Goirand <zigo@debian.org> Fri, 28 Aug 2015 11:10:06 +0200
+
nova (2014.1.3-11) unstable; urgency=high
* CVE-2015-0259: Websocket Hijacking Vulnerability in Nova VNC Server. Done
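Review bot: the changelog line "Resize/delete combo allows to overload nova-compute" is ungrammatical and could also point the stable-release reviewer at the upstream source; suggest "CVE-2015-3241: Resize/delete combo allows overloading nova-compute. Applied upstream patch (https://review.openstack.org/#/c/208876/) (Closes: #796109)." The version 2014.1.3-11+deb8u1 and the jessie-proposed-updates target are consistent with a p-u upload.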
diff -Nru nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch
--- nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch 1970-01-01 00:00:00.000000000 +0000
+++ nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch 2015-08-28 09:24:00.000000000 +0000
@@ -0,0 +1,103 @@
+Description: CVE-2015-3241: Sync process utils from oslo for execute callbacks
+ The sync pulls in the following changes:
+ .
+ Ifc23325 Add 2 callbacks to processutils.execute()
+ I22b2d7b processutils: ensure on_completion callback is always called
+ I59d5799 Let oslotest manage the six.move setting for mox
+ I245750f Remove `processutils` dependency on `log`
+ Ia5bb418 Fix exception message in openstack.common.processutils.execute
+Author: Abhishek Kekane <abhishek.kekane@nttdata.com>
+Bug-Debian: https://bugs.debian.org/796109
+Origin: upstream, https://review.openstack.org/#/c/208876/
+Bug-Ubuntu: https://launchpad.net/bugs/1387543
+Last-Update: 2015-08-28
+
+--- nova-2014.1.3.orig/nova/openstack/common/processutils.py
++++ nova-2014.1.3/nova/openstack/common/processutils.py
+@@ -112,6 +112,17 @@ def execute(*cmd, **kwargs):
+ :type shell: boolean
+ :param loglevel: log level for execute commands.
+ :type loglevel: int. (Should be logging.DEBUG or logging.INFO)
++ :param on_execute: This function will be called upon process creation
++ with the object as a argument. The Purpose of this
++ is to allow the caller of `processutils.execute` to
++ track process creation asynchronously.
++ :type on_execute: function(:class:`subprocess.Popen`)
++ :param on_completion: This function will be called upon process
++ completion with the object as a argument. The
++ Purpose of this is to allow the caller of
++ `processutils.execute` to track process completion
++ asynchronously.
++ :type on_completion: function(:class:`subprocess.Popen`)
+ :returns: (stdout, stderr) from process execution
+ :raises: :class:`UnknownArgumentError` on
+ receiving unknown arguments
+@@ -127,6 +138,8 @@ def execute(*cmd, **kwargs):
+ root_helper = kwargs.pop('root_helper', '')
+ shell = kwargs.pop('shell', False)
+ loglevel = kwargs.pop('loglevel', logging.DEBUG)
++ on_execute = kwargs.pop('on_execute', None)
++ on_completion = kwargs.pop('on_completion', None)
+
+ if isinstance(check_exit_code, bool):
+ ignore_exit_code = not check_exit_code
+@@ -135,8 +148,7 @@ def execute(*cmd, **kwargs):
+ check_exit_code = [check_exit_code]
+
+ if kwargs:
+- raise UnknownArgumentError(_('Got unknown keyword args '
+- 'to utils.execute: %r') % kwargs)
++ raise UnknownArgumentError(_('Got unknown keyword args: %r') % kwargs)
+
+ if run_as_root and hasattr(os, 'geteuid') and os.geteuid() != 0:
+ if not root_helper:
+@@ -168,23 +180,32 @@ def execute(*cmd, **kwargs):
+ close_fds=close_fds,
+ preexec_fn=preexec_fn,
+ shell=shell)
+- result = None
+- for _i in six.moves.range(20):
+- # NOTE(russellb) 20 is an arbitrary number of retries to
+- # prevent any chance of looping forever here.
+- try:
+- if process_input is not None:
+- result = obj.communicate(process_input)
+- else:
+- result = obj.communicate()
+- except OSError as e:
+- if e.errno in (errno.EAGAIN, errno.EINTR):
+- continue
+- raise
+- break
+- obj.stdin.close() # pylint: disable=E1101
+- _returncode = obj.returncode # pylint: disable=E1101
+- LOG.log(loglevel, _('Result was %s') % _returncode)
++
++ if on_execute:
++ on_execute(obj)
++
++ try:
++ result = None
++ for _i in six.moves.range(20):
++ # NOTE(russellb) 20 is an arbitrary number of retries to
++ # prevent any chance of looping forever here.
++ try:
++ if process_input is not None:
++ result = obj.communicate(process_input)
++ else:
++ result = obj.communicate()
++ except OSError as e:
++ if e.errno in (errno.EAGAIN, errno.EINTR):
++ continue
++ raise
++ break
++ obj.stdin.close() # pylint: disable=E1101
++ _returncode = obj.returncode # pylint: disable=E1101
++ LOG.log(loglevel, 'Result was %s' % _returncode)
++ finally:
++ if on_completion:
++ on_completion(obj)
++
+ if not ignore_exit_code and _returncode not in check_exit_code:
+ (stdout, stderr) = result
+ sanitized_stdout = strutils.mask_password(stdout)
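Review bot: nothing in this hunk ever passes on_execute or on_completion; both new kwargs default to None, so for every existing caller execute() behaves exactly as before and the resize-then-delete CPU exhaustion described in the report is not addressed by this file alone. Please confirm that the companion change which actually uses these callbacks (the caller that tracks and terminates the long-running process when the instance is deleted) is also present in the Jessie package, or explain in the changelog why this sync suffices. Two smaller points: the sync carries unrelated message changes for a stable update (`_('Result was %s')` becomes the untranslated `'Result was %s'`, and the UnknownArgumentError text is reworded), which widens the diff beyond the CVE fix; and the new docstring reads "with the object as a argument" twice, which should be "an argument".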
diff -Nru nova-2014.1.3/debian/patches/series nova-2014.1.3/debian/patches/series
--- nova-2014.1.3/debian/patches/series 2015-03-11 08:48:55.000000000 +0000
+++ nova-2014.1.3/debian/patches/series 2015-08-28 09:24:00.000000000 +0000
@@ -25,3 +25,4 @@
CVE-2014-8333_Fix_VM_leak_when_deletion_of_VM_during_resizing.patch
avoid_changing_UUID_when_redefining_nwfilters.patch
CVE-2015-0259_Websocket_Proxy_should_verify_Origin_header_icehouse-debian.patch
+CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch
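Review bot: the series entry matches the new file name under debian/patches, so quilt will pick it up; since the same series already carries CVE-2014-8333_Fix_VM_leak_when_deletion_of_VM_during_resizing.patch, which by its name touches the same delete-during-resize path, it is worth confirming that `quilt push -a` applies both cleanly before upload.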