Following discussion with Sean and Hemanth, it looks like we ought to get fixes for this into supported branches of Cinder and Glance after all. Hopefully getting them merged goes quickly now that Nova has already trodden this ground and the fixes are basically identical between them.
Assuming all fixes merge before Newton releases and prior to any stable branch point releases, this is the updated proposed impact description. I'm using our YAML format here both for convenience and clarity due to the number of repos and releases involved. I've also shortened the title and referenced the affected software in it. Should I include a note about the updated versions of oslo.concurrency required, or are the references to patches in consuming projects sufficient for this purpose? I'd like to avoid unnecessary additional complexity if possible here. -- date: TBD id: TBD title: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova description: > Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack Cinder, Glance and Nova. By providing a maliciously crafted disk image an attacker can consume considerable amounts of RAM and CPU time resulting in a denial of service via resource exhaustion. Any project which makes calls to qemu-img without appropriate ulimit restrictions in place is affected by this flaw. affected-products: - product: cinder version: "<=7.0.2, >=8.0.0 <=8.1.1" - product: glance version: "<=11.0.1, ==12.0.0" - product: nova version: "<=12.0.4 and ==13.0.0" vulnerabilities: - cve-id: CVE-2015-5162 reporters: - name: Richard W.M. Jones affiliation: Red Hat reported: - CVE-2015-5162 issues: links: - https://launchpad.net/bugs/1449062 reviews: ocata: - https://review.openstack.org/375099 (cinder) - https://review.openstack.org/TBD (glance) newton: - https://review.openstack.org/375102 (cinder) - https://review.openstack.org/TBD (glance) - https://review.openstack.org/307663 (nova) mitaka: - https://review.openstack.org/TBD (cinder) - https://review.openstack.org/TBD (glance) - https://review.openstack.org/326327 (nova) liberty: - https://review.openstack.org/TBD (cinder) - https://review.openstack.org/TBD (glance) - https://review.openstack.org/327624 (nova) notes: - > Separate Ocata patches are listed for Cinder and Glance, as they were fixed during the Newton release freeze after it branched from master. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs