Bug#797192: jessie-pu: package nova/2014.1.3-11 (CVE-2015-3241, #796109)

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#797192: jessie-pu: package nova/2014.1.3-11 (CVE-2015-3241, #796109)
From: Thomas Goirand <zigo@debian.org>
Date: Fri, 28 Aug 2015 14:02:14 +0200
Message-id: <[🔎] 20150828120214.17939.48576.reportbug@buzig2.mirantis.com>
Reply-to: Thomas Goirand <zigo@debian.org>, 797192@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I've prepared an update of nova for Jessie which fixes CVE-2015-3241.
This CVE is about DoS nova-compute machines by resizing and immediately
after it delete the VM, which makes nova-compute consume all CPU.

The package is available here:
http://sid.gplhost.com/jessie-proposed-updates/nova/

Please allow me to upload it to jessie-p-u.

Cheers,

Thomas Goirand (zigo)

P.S: As we speak, I'm preparing the update for Sid, it should be
ready soonish today, and it will include the point release update.

diff -Nru nova-2014.1.3/debian/changelog nova-2014.1.3/debian/changelog
--- nova-2014.1.3/debian/changelog	2015-03-11 08:48:55.000000000 +0000
+++ nova-2014.1.3/debian/changelog	2015-08-28 09:24:00.000000000 +0000
@@ -1,3 +1,10 @@
+nova (2014.1.3-11+deb8u1) jessie-proposed-updates; urgency=medium
+
+  * CVE-2015-3241: Resize/delete combo allows to overload nova-compute. Applied
+    upstream patch (Closes: #796109).
+
+ -- Thomas Goirand <zigo@debian.org>  Fri, 28 Aug 2015 11:10:06 +0200
+
 nova (2014.1.3-11) unstable; urgency=high
 
   * CVE-2015-0259: Websocket Hijacking Vulnerability in Nova VNC Server. Done
diff -Nru nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch
--- nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch	1970-01-01 00:00:00.000000000 +0000
+++ nova-2014.1.3/debian/patches/CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch	2015-08-28 09:24:00.000000000 +0000
@@ -0,0 +1,103 @@
+Description: CVE-2015-3241: Sync process utils from oslo for execute callbacks
+ The sync pulls in the following changes:
+ .
+  Ifc23325 Add 2 callbacks to processutils.execute()
+  I22b2d7b processutils: ensure on_completion callback is always called
+  I59d5799 Let oslotest manage the six.move setting for mox
+  I245750f Remove `processutils` dependency on `log`
+  Ia5bb418 Fix exception message in openstack.common.processutils.execute
+Author: Abhishek Kekane <abhishek.kekane@nttdata.com>
+Bug-Debian: https://bugs.debian.org/796109
+Origin: upstream, https://review.openstack.org/#/c/208876/
+Bug-Ubuntu: https://launchpad.net/bugs/1387543
+Last-Update: 2015-08-28
+
+--- nova-2014.1.3.orig/nova/openstack/common/processutils.py
++++ nova-2014.1.3/nova/openstack/common/processutils.py
+@@ -112,6 +112,17 @@ def execute(*cmd, **kwargs):
+     :type shell:            boolean
+     :param loglevel:        log level for execute commands.
+     :type loglevel:         int.  (Should be logging.DEBUG or logging.INFO)
++    :param on_execute:      This function will be called upon process creation
++                            with the object as a argument.  The Purpose of this
++                            is to allow the caller of `processutils.execute` to
++                            track process creation asynchronously.
++    :type on_execute:       function(:class:`subprocess.Popen`)
++    :param on_completion:   This function will be called upon process
++                            completion with the object as a argument.  The
++                            Purpose of this is to allow the caller of
++                            `processutils.execute` to track process completion
++                            asynchronously.
++    :type on_completion:    function(:class:`subprocess.Popen`)
+     :returns:               (stdout, stderr) from process execution
+     :raises:                :class:`UnknownArgumentError` on
+                             receiving unknown arguments
+@@ -127,6 +138,8 @@ def execute(*cmd, **kwargs):
+     root_helper = kwargs.pop('root_helper', '')
+     shell = kwargs.pop('shell', False)
+     loglevel = kwargs.pop('loglevel', logging.DEBUG)
++    on_execute = kwargs.pop('on_execute', None)
++    on_completion = kwargs.pop('on_completion', None)
+ 
+     if isinstance(check_exit_code, bool):
+         ignore_exit_code = not check_exit_code
+@@ -135,8 +148,7 @@ def execute(*cmd, **kwargs):
+         check_exit_code = [check_exit_code]
+ 
+     if kwargs:
+-        raise UnknownArgumentError(_('Got unknown keyword args '
+-                                     'to utils.execute: %r') % kwargs)
++        raise UnknownArgumentError(_('Got unknown keyword args: %r') % kwargs)
+ 
+     if run_as_root and hasattr(os, 'geteuid') and os.geteuid() != 0:
+         if not root_helper:
+@@ -168,23 +180,32 @@ def execute(*cmd, **kwargs):
+                                    close_fds=close_fds,
+                                    preexec_fn=preexec_fn,
+                                    shell=shell)
+-            result = None
+-            for _i in six.moves.range(20):
+-                # NOTE(russellb) 20 is an arbitrary number of retries to
+-                # prevent any chance of looping forever here.
+-                try:
+-                    if process_input is not None:
+-                        result = obj.communicate(process_input)
+-                    else:
+-                        result = obj.communicate()
+-                except OSError as e:
+-                    if e.errno in (errno.EAGAIN, errno.EINTR):
+-                        continue
+-                    raise
+-                break
+-            obj.stdin.close()  # pylint: disable=E1101
+-            _returncode = obj.returncode  # pylint: disable=E1101
+-            LOG.log(loglevel, _('Result was %s') % _returncode)
++
++            if on_execute:
++                on_execute(obj)
++
++            try:
++                result = None
++                for _i in six.moves.range(20):
++                    # NOTE(russellb) 20 is an arbitrary number of retries to
++                    # prevent any chance of looping forever here.
++                    try:
++                        if process_input is not None:
++                            result = obj.communicate(process_input)
++                        else:
++                            result = obj.communicate()
++                    except OSError as e:
++                        if e.errno in (errno.EAGAIN, errno.EINTR):
++                            continue
++                        raise
++                    break
++                obj.stdin.close()  # pylint: disable=E1101
++                _returncode = obj.returncode  # pylint: disable=E1101
++                LOG.log(loglevel, 'Result was %s' % _returncode)
++            finally:
++                if on_completion:
++                    on_completion(obj)
++
+             if not ignore_exit_code and _returncode not in check_exit_code:
+                 (stdout, stderr) = result
+                 sanitized_stdout = strutils.mask_password(stdout)
diff -Nru nova-2014.1.3/debian/patches/series nova-2014.1.3/debian/patches/series
--- nova-2014.1.3/debian/patches/series	2015-03-11 08:48:55.000000000 +0000
+++ nova-2014.1.3/debian/patches/series	2015-08-28 09:24:00.000000000 +0000
@@ -25,3 +25,4 @@
 CVE-2014-8333_Fix_VM_leak_when_deletion_of_VM_during_resizing.patch
 avoid_changing_UUID_when_redefining_nwfilters.patch
 CVE-2015-0259_Websocket_Proxy_should_verify_Origin_header_icehouse-debian.patch
+CVE-2015-3241_Resize_delete_combo_allow_to_overload_nova-compute.patch

Reply to:

Follow-Ups:
- Processed: Re: Bug#797192: Hang on
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: reopening 790996
Next by Date: Bug#797192: Hang on
Previous by thread: Processed: reopening 790996
Next by thread: Processed: Re: Bug#797192: Hang on
Index(es):
- Date
- Thread