Version in base suite: 22.0.1-2 Base version: nova_22.0.1-2 Target version: nova_22.0.1-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nova/nova_22.0.1-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nova/nova_22.0.1-2+deb11u1.dsc changelog | 10 + patches/cve-2022-47951-nova-stable-victoria.patch | 139 ++++++++++++++++++++++ patches/series | 1 3 files changed, 150 insertions(+)
diff -Nru nova-22.0.1/debian/changelog nova-22.0.1/debian/changelog
--- nova-22.0.1/debian/changelog 2021-07-12 10:57:03.000000000 +0000
+++ nova-22.0.1/debian/changelog 2023-01-24 10:31:25.000000000 +0000
@@ -1,3 +1,13 @@
+nova (2:22.0.1-2+deb11u1) bullseye-security; urgency=medium
+
+ * CVE-2022-47951: By supplying a specially created VMDK flat image which
+ references a specific backing file path, an authenticated user may convince
+ systems to return a copy of that file's contents from the server resulting
+ in unauthorized access to potentially sensitive data. Add upstream patch
+ cve-2022-47951-glance-stable-victoria.patch (Closes: #1029561).
+
+ -- Thomas Goirand Tue, 24 Jan 2023 11:31:25 +0100
+
 nova (2:22.0.1-2) unstable; urgency=medium

 * Add depend on python3-q-text-as-data (Closes: #990705).
diff -Nru nova-22.0.1/debian/patches/cve-2022-47951-nova-stable-victoria.patch nova-22.0.1/debian/patches/cve-2022-47951-nova-stable-victoria.patch
--- nova-22.0.1/debian/patches/cve-2022-47951-nova-stable-victoria.patch 1970-01-01 00:00:00.000000000 +0000
+++ nova-22.0.1/debian/patches/cve-2022-47951-nova-stable-victoria.patch 2023-01-24 10:31:25.000000000 +0000
@@ -0,0 +1,139 @@
+Description: CVE-2022-47951: Check VMDK create-type against an allowed list
+Author: Dan Smith
+Date: Thu Nov 10 09:55:48 2022 -0800
+Change-Id: I5a399f1d3d702bfb76c067893e9c924904c8c360
+Bug: https://review.opendev.org/c/openstack/nova/+/871699
+Bug-Debian: https://bugs.debian.org/1029561
+Origin: Upstream, https://review.opendev.org/c/openstack/nova/+/871699
+Last-Update: 2022-01-30
+
+diff --git a/nova/conf/compute.py b/nova/conf/compute.py
+index 5cf8c31714..319d6571d1 100644
+--- a/nova/conf/compute.py
++++ b/nova/conf/compute.py
+@@ -986,6 +986,15 @@
+ https://docs.openstack.org/nova/latest/admin/managing-resource-providers.html
+
+ """),
++ cfg.ListOpt('vmdk_allowed_types',
++ default=['streamOptimized', 'monolithicSparse'],
++ help="""
++A list of strings describing allowed VMDK "create-type" subformats
++that will be allowed. This is recommended to only include
++single-file-with-sparse-header variants to avoid potential host file
++exposure due to processing named extents. If this list is empty, then no
++form of VMDK image will be allowed.
++"""),
+ ]
+
+ interval_opts = [
+diff --git a/nova/tests/unit/virt/test_images.py b/nova/tests/unit/virt/test_images.py
+index 085b169db3..563330b541 100644
+--- a/nova/tests/unit/virt/test_images.py
++++ b/nova/tests/unit/virt/test_images.py
+@@ -16,6 +16,8 @@
+
+ import mock
+ from oslo_concurrency import processutils
++from oslo_serialization import jsonutils
++from oslo_utils import imageutils
+ import six
+
+ from nova.compute import utils as compute_utils
+@@ -136,3 +138,47 @@
+ '-O', 'out_format', '-f', 'in_format', 'source', 'dest')
+ mock_disk_op_sema.__enter__.assert_called_once()
+ self.assertTupleEqual(expected, mock_execute.call_args[0])
++
++ def test_convert_image_vmdk_allowed_list_checking(self):
++ info = {'format': 'vmdk',
++ 'format-specific': {
++ 'type': 'vmdk',
++ 'data': {
++ 'create-type': 'monolithicFlat',
++ }}}
++
++ # If the format is not in the allowed list, we should get an error
++ self.assertRaises(exception.ImageUnacceptable,
++ images.check_vmdk_image, 'foo',
++ imageutils.QemuImgInfo(jsonutils.dumps(info),
++ format='json'))
++
++ # With the format in the allowed list, no error
++ self.flags(vmdk_allowed_types=['streamOptimized', 'monolithicFlat',
++ 'monolithicSparse'],
++ group='compute')
++ images.check_vmdk_image('foo',
++ imageutils.QemuImgInfo(jsonutils.dumps(info),
++ format='json'))
++
++ # With an empty list, allow nothing
++ self.flags(vmdk_allowed_types=[], group='compute')
++ self.assertRaises(exception.ImageUnacceptable,
++ images.check_vmdk_image, 'foo',
++ imageutils.QemuImgInfo(jsonutils.dumps(info),
++ format='json'))
++
++ @mock.patch.object(images, 'fetch')
++ @mock.patch('nova.privsep.qemu.unprivileged_qemu_img_info')
++ def test_fetch_checks_vmdk_rules(self, mock_info, mock_fetch):
++ info = {'format': 'vmdk',
++ 'format-specific': {
++ 'type': 'vmdk',
++ 'data': {
++ 'create-type': 'monolithicFlat',
++ }}}
++ mock_info.return_value = jsonutils.dumps(info)
++ with mock.patch('os.path.exists',
return_value=True):
++ e = self.assertRaises(exception.ImageUnacceptable,
++ images.fetch_to_raw, None, 'foo', 'anypath')
++ self.assertIn('Invalid VMDK create-type specified', str(e))
+diff --git a/nova/virt/images.py b/nova/virt/images.py
+index 5358f3766a..f13c872290 100644
+--- a/nova/virt/images.py
++++ b/nova/virt/images.py
+@@ -110,6 +110,34 @@ def get_info(context, image_href):
+ return IMAGE_API.get(context, image_href)
+
+
++def check_vmdk_image(image_id, data):
++ # Check some rules about VMDK files. Specifically we want to make
++ # sure that the "create-type" of the image is one that we allow.
++ # Some types of VMDK files can reference files outside the disk
++ # image and we do not want to allow those for obvious reasons.
++
++ types = CONF.compute.vmdk_allowed_types
++
++ if not len(types):
++ LOG.warning('Refusing to allow VMDK image as vmdk_allowed_'
++ 'types is empty')
++ msg = _('Invalid VMDK create-type specified')
++ raise exception.ImageUnacceptable(image_id=image_id, reason=msg)
++
++ try:
++ create_type = data.format_specific['data']['create-type']
++ except KeyError:
++ msg = _('Unable to determine VMDK create-type')
++ raise exception.ImageUnacceptable(image_id=image_id, reason=msg)
++
++ if create_type not in CONF.compute.vmdk_allowed_types:
++ LOG.warning('Refusing to process VMDK file with create-type of %r '
++ 'which is not in allowed set of: %s', create_type,
++ ','.join(CONF.compute.vmdk_allowed_types))
++ msg = _('Invalid VMDK create-type specified')
++ raise exception.ImageUnacceptable(image_id=image_id, reason=msg)
++
++
+ def fetch_to_raw(context, image_href, path, trusted_certs=None):
+ path_tmp = "%s.part" % path
+ fetch(context, image_href, path_tmp, trusted_certs)
+@@ -129,6 +157,9 @@ def fetch_to_raw(context, image_href, path, trusted_certs=None):
+ reason=(_("fmt=%(fmt)s backed by: %(backing_file)s") %
+ {'fmt': fmt, 'backing_file': backing_file}))
+
++ if fmt == 'vmdk':
++ check_vmdk_image(image_href, data)
++
+ if fmt
!= "raw" and CONF.force_raw_images:
+ staged = "%s.converted" % path
+ LOG.debug("%s was %s, converting to raw", image_href, fmt)
diff -Nru nova-22.0.1/debian/patches/series nova-22.0.1/debian/patches/series
--- nova-22.0.1/debian/patches/series 2021-07-12 10:57:03.000000000 +0000
+++ nova-22.0.1/debian/patches/series 2023-01-24 10:31:25.000000000 +0000
@@ -3,3 +3,4 @@
 remove-crashing-blockdiag-doc-line.patch
 remove-svg-converter-from-doc-conf.py.patch
 Add-a-healtcheck-url.patch
+cve-2022-47951-nova-stable-victoria.patch