1 |
prometheanfire 14/01/27 08:44:51 |
2 |
|
3 |
Added: CVE-2013-7048-havana.patch |
4 |
CVE-2013-7048-grizzly.patch |
5 |
Log: |
6 |
fixes for bug 494026 CVE-2013-7048 |
7 |
|
8 |
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3) |
9 |
|
10 |
Revision Changes Path |
11 |
1.1 sys-cluster/nova/files/CVE-2013-7048-havana.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/CVE-2013-7048-havana.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/CVE-2013-7048-havana.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: CVE-2013-7048-havana.patch |
17 |
=================================================================== |
18 |
From 75be5abd6b3fa0f7f27fe9c805f832cd41d44a5d Mon Sep 17 00:00:00 2001 |
19 |
From: Xavier Queralt <xqueralt@××××××.com> |
20 |
Date: Wed, 27 Nov 2013 19:44:36 +0000 |
21 |
Subject: Enforce permissions in snapshots temporary dir |
22 |
|
23 |
Live snapshots creates a temporary directory where libvirt driver |
24 |
creates a new image from the instance's disk using blockRebase. |
25 |
Currently this directory is created with 777 permissions making this |
26 |
directory accessible by all the users in the system. |
27 |
|
28 |
This patch changes the tempdir permissions so they have the o+x |
29 |
flag set, which is what libvirt needs to be able to write in it and |
30 |
|
31 |
Closes-Bug: #1227027 |
32 |
Change-Id: I767ff5247b4452821727e92b668276004fc0f84d |
33 |
(cherry picked from commit 8a34fc3d48c467aa196f65eed444ccdc7c02f19f) |
34 |
--- |
35 |
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py |
36 |
index 5c05307..d427d65 100644 |
37 |
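--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -1390,9 +1390,8 @@ class LibvirtDriver(driver.ComputeDriver):
 try:
 out_path = os.path.join(tmpdir, snapshot_name)
 if live_snapshot:
- # NOTE (rmk): libvirt needs to be able to write to the
- # temp directory, which is owned nova.
- utils.execute('chmod', '777', tmpdir, run_as_root=True)
+ # NOTE(xqueralt): libvirt needs o+x in the temp directory
+ os.chmod(tmpdir, 0o701)
 self._live_snapshot(virt_dom, disk_path, out_path,
 image_format)
 else: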
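Review bot: The mode in `os.chmod(tmpdir, 0o701)` still grants search permission to every local account, not only to the user libvirt/qemu runs as, so the snapshot image written to `out_path` is protected only by its own file mode and by how hard `snapshot_name` is to guess. Neither is visible here, because the enclosing method and `_live_snapshot` lie outside the hunk, so this should be confirmed rather than assumed. I would extend the comment to record the reasoning, e.g. `# tmpdir is owned by nova; others get search (x) only, no list/create, so files under it must not be world-readable`, and consider group-based access for the hypervisor user instead of `o+x`. The same point applies to the identical hunk in CVE-2013-7048-grizzly.patch.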
51 |
-- |
52 |
cgit v0.9.2 |
53 |
|
54 |
|
55 |
|
56 |
1.1 sys-cluster/nova/files/CVE-2013-7048-grizzly.patch |
57 |
|
58 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/CVE-2013-7048-grizzly.patch?rev=1.1&view=markup |
59 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/CVE-2013-7048-grizzly.patch?rev=1.1&content-type=text/plain |
60 |
|
61 |
Index: CVE-2013-7048-grizzly.patch |
62 |
=================================================================== |
63 |
From 9bd7fff8c0160057643cfc37c5e2b1cd3337d6aa Mon Sep 17 00:00:00 2001 |
64 |
From: Xavier Queralt <xqueralt@××××××.com> |
65 |
Date: Wed, 27 Nov 2013 19:44:36 +0000 |
66 |
Subject: Enforce permissions in snapshots temporary dir |
67 |
|
68 |
Live snapshots creates a temporary directory where libvirt driver |
69 |
creates a new image from the instance's disk using blockRebase. |
70 |
Currently this directory is created with 777 permissions making this |
71 |
directory accessible by all the users in the system. |
72 |
|
73 |
This patch changes the tempdir permissions so they have the o+x |
74 |
flag set, which is what libvirt needs to be able to write in it and |
75 |
|
76 |
Closes-Bug: #1227027 |
77 |
Change-Id: I767ff5247b4452821727e92b668276004fc0f84d |
78 |
(cherry picked from commit 8a34fc3d48c467aa196f65eed444ccdc7c02f19f) |
79 |
--- |
80 |
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py |
81 |
index 6b977cb..4cc85f1 100755 |
82 |
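--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -1191,9 +1191,8 @@ class LibvirtDriver(driver.ComputeDriver):
 try:
 out_path = os.path.join(tmpdir, snapshot_name)
 if live_snapshot:
- # NOTE (rmk): libvirt needs to be able to write to the
- # temp directory, which is owned nova.
- utils.execute('chmod', '777', tmpdir, run_as_root=True)
+ # NOTE(xqueralt): libvirt needs o+x in the temp directory
+ os.chmod(tmpdir, 0o701)
 self._live_snapshot(virt_dom, disk_path, out_path,
 image_format)
 else: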
96 |
-- |
97 |
cgit v0.9.2 |