Moderate severityNVD Advisory· Published Dec 23, 2011· Updated Apr 29, 2026
CVE-2011-4596
CVE-2011-4596
Description
Multiple directory traversal vulnerabilities in OpenStack Nova before 2011.3.1, when the EC2 API and the S3/RegisterImage image-registration method are enabled, allow remote authenticated users to overwrite arbitrary files via a crafted (1) tarball or (2) manifest.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
novaPyPI | < 12.0.0a0 | 12.0.0a0 |
Affected products
1Patches
276363226bd85Sanitize EC2 manifests and image tarballs
5 files changed · +23 −1
MANIFEST.in+1 −0 modified@@ -39,6 +39,7 @@ include nova/tests/bundle/1mb.part.0 include nova/tests/bundle/1mb.part.1 include nova/tests/public_key/* include nova/tests/db/nova.austin.sqlite +include nova/tests/image/*.tar.gz include plugins/xenapi/README include plugins/xenapi/etc/xapi.d/plugins/objectstore include plugins/xenapi/etc/xapi.d/plugins/pluginlib_nova.py
nova/image/s3.py+12 −1 modified@@ -100,7 +100,7 @@ def _conn(context): @staticmethod def _download_file(bucket, filename, local_dir): key = bucket.get_key(filename) - local_filename = os.path.join(local_dir, filename) + local_filename = os.path.join(local_dir, os.path.basename(filename)) key.get_contents_to_filename(local_filename) return local_filename @@ -315,8 +315,19 @@ def _decrypt_image(encrypted_filename, encrypted_key, encrypted_iv, {'image_file': encrypted_filename, 'err': err}) + @staticmethod + def _test_for_malicious_tarball(path, filename): + """Raises exception if extracting tarball would escape extract path""" + tar_file = tarfile.open(filename, 'r|gz') + for n in tar_file.getnames(): + if not os.path.abspath(os.path.join(path, n)).startswith(path): + tar_file.close() + raise exception.Error(_('Unsafe filenames in image')) + tar_file.close() + @staticmethod def _untarzip_image(path, filename): + S3ImageService._test_for_malicious_tarball(path, filename) tar_file = tarfile.open(filename, 'r|gz') tar_file.extractall(path) image_file = tar_file.getnames()[0]
nova/tests/image/abs.tar.gz+0 −0 addednova/tests/image/rel.tar.gz+0 −0 addednova/tests/image/test_s3.py+10 −0 modified@@ -15,6 +15,8 @@ # License for the specific language governing permissions and limitations # under the License. +import os + from nova import context from nova import test from nova.image import s3 @@ -112,3 +114,11 @@ def test_s3_create(self): {'device_name': '/dev/sdb0', 'no_device': True}] self.assertEqual(block_device_mapping, expected_bdm) + + def test_s3_malicious_tarballs(self): + self.assertRaises(exception.Error, + self.image_service._test_for_malicious_tarball, + "/unused", os.path.join(os.path.dirname(__file__), 'abs.tar.gz')) + self.assertRaises(exception.Error, + self.image_service._test_for_malicious_tarball, + "/unused", os.path.join(os.path.dirname(__file__), 'rel.tar.gz'))
ad3241929ea0Sanitize EC2 manifests and image tarballs
5 files changed · +23 −1
MANIFEST.in+1 −0 modified@@ -37,6 +37,7 @@ include nova/tests/bundle/1mb.part.0 include nova/tests/bundle/1mb.part.1 include nova/tests/api/ec2/public_key/* include nova/tests/db/nova.austin.sqlite +include nova/tests/image/*.tar.gz include plugins/xenapi/README include plugins/xenapi/etc/xapi.d/plugins/objectstore include plugins/xenapi/etc/xapi.d/plugins/pluginlib_nova.py
nova/image/s3.py+12 −1 modified@@ -155,7 +155,7 @@ def _conn(context): @staticmethod def _download_file(bucket, filename, local_dir): key = bucket.get_key(filename) - local_filename = os.path.join(local_dir, filename) + local_filename = os.path.join(local_dir, os.path.basename(filename)) key.get_contents_to_filename(local_filename) return local_filename @@ -387,8 +387,19 @@ def _decrypt_image(encrypted_filename, encrypted_key, encrypted_iv, {'image_file': encrypted_filename, 'err': err}) + @staticmethod + def _test_for_malicious_tarball(path, filename): + """Raises exception if extracting tarball would escape extract path""" + tar_file = tarfile.open(filename, 'r|gz') + for n in tar_file.getnames(): + if not os.path.abspath(os.path.join(path, n)).startswith(path): + tar_file.close() + raise exception.Error(_('Unsafe filenames in image')) + tar_file.close() + @staticmethod def _untarzip_image(path, filename): + S3ImageService._test_for_malicious_tarball(path, filename) tar_file = tarfile.open(filename, 'r|gz') tar_file.extractall(path) image_file = tar_file.getnames()[0]
nova/tests/image/abs.tar.gz+0 −0 addednova/tests/image/rel.tar.gz+0 −0 addednova/tests/image/test_s3.py+10 −0 modified@@ -15,6 +15,8 @@ # License for the specific language governing permissions and limitations # under the License. +import os + from nova import context import nova.db.api from nova import exception @@ -130,3 +132,11 @@ def test_s3_create(self): {'device_name': '/dev/sdb0', 'no_device': True}] self.assertEqual(block_device_mapping, expected_bdm) + + def test_s3_malicious_tarballs(self): + self.assertRaises(exception.Error, + self.image_service._test_for_malicious_tarball, + "/unused", os.path.join(os.path.dirname(__file__), 'abs.tar.gz')) + self.assertRaises(exception.Error, + self.image_service._test_for_malicious_tarball, + "/unused", os.path.join(os.path.dirname(__file__), 'rel.tar.gz'))
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- bugs.launchpad.net/nova/+bug/885167nvdThird Party AdvisoryWEB
- bugs.launchpad.net/nova/+bug/894755nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-qr62-r9xc-r2gjghsaADVISORY
- github.com/openstack/nova/commit/76363226bd8533256f7795bba358d7f4b8a6c9e6nvdThird Party AdvisoryWEB
- github.com/openstack/nova/commit/ad3241929ea00569c74505ed002208ce360c667envdThird Party AdvisoryWEB
- lists.launchpad.net/openstack/msg06105.htmlnvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2011-4596ghsaADVISORY
News mentions
0No linked articles in our index yet.