Moderate severity · NVD Advisory · Published Jul 9, 2013 · Updated Apr 29, 2026
CVE-2013-2096
CVE-2013-2096
Description
OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by creating an image with a large virtual size that does not contain a large amount of data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nova (PyPI) | < 12.0.0a0 | 12.0.0a0 |
Affected products (3)
Patches (2)
0caeb8eaf20a Merge "Check QCOW2 image size during root disk creation"
2 files changed · +29 −0
nova/tests/test_imagebackend.py+21 −0 modified@@ -20,6 +20,7 @@ import fixtures from oslo.config import cfg +from nova import exception from nova.openstack.common import uuidutils from nova import test from nova.tests import fake_libvirt_utils @@ -253,9 +254,12 @@ def test_create_image_with_size(self): fn = self.prepare_mocks() fn(target=self.TEMPLATE_PATH) self.mox.StubOutWithMock(os.path, 'exists') + self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') if self.OLD_STYLE_INSTANCE_PATH: os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) os.path.exists(self.TEMPLATE_PATH).AndReturn(False) + imagebackend.disk.get_disk_size(self.TEMPLATE_PATH + ).AndReturn(self.SIZE) os.path.exists(self.PATH).AndReturn(False) imagebackend.libvirt_utils.create_cow_image(self.TEMPLATE_PATH, self.PATH) @@ -267,6 +271,23 @@ def test_create_image_with_size(self): self.mox.VerifyAll() + def test_create_image_too_small(self): + fn = self.prepare_mocks() + fn(target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') + self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + if self.OLD_STYLE_INSTANCE_PATH: + os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) + os.path.exists(self.TEMPLATE_PATH).AndReturn(False) + imagebackend.disk.get_disk_size(self.TEMPLATE_PATH + ).AndReturn(self.SIZE) + self.mox.ReplayAll() + + image = self.image_class(self.INSTANCE, self.NAME) + self.assertRaises(exception.ImageTooLarge, image.create_image, fn, + self.TEMPLATE_PATH, 1) + self.mox.VerifyAll() + class LvmTestCase(_ImageTestCase, test.TestCase): VG = 'FakeVG'
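Review bot: `test_create_image_too_small` in the third hunk asserts `exception.ImageTooLarge`, so its name describes the flavor disk rather than the failure being tested; a name such as `test_create_image_too_large_for_flavor` would match the exception and the log message. The hunk also pins only the rejecting branch. Nothing in these hunks asserts that a size of 0 skips `get_disk_size` entirely, which the production change documents as intentional, so a later edit to the `size and` short-circuit would go unnoticed unless a test outside the hunks covers it. A sibling case that calls `create_image` with size 0 and records no `get_disk_size` expectation would pin that behaviour. The same hunks are repeated under commit 44a8aba1d5da and the point applies there as well.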
nova/virt/libvirt/imagebackend.py+8 −0 modified@@ -21,6 +21,7 @@ from oslo.config import cfg +from nova import exception from nova.openstack.common import excutils from nova.openstack.common import fileutils from nova.openstack.common import lockutils @@ -255,6 +256,13 @@ def copy_qcow2_image(base, target, size): if not os.path.exists(base): prepare_template(target=base, *args, **kwargs) + # NOTE(cfb): Having a flavor that sets the root size to 0 and having + # nova effectively ignore that size and use the size of the + # image is considered a feature at this time, not a bug. + if size and size < disk.get_disk_size(base): + LOG.error('%s virtual size larger than flavor root disk size %s' % + (base, size)) + raise exception.ImageTooLarge() if not os.path.exists(self.path): with utils.remove_path_on_error(self.path): copy_qcow2_image(base, self.path, size)
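Review bot: The new guard in the second hunk is skipped whenever `size` is falsy, so a flavor with root disk size 0 still accepts a QCOW2 image of any virtual size; the NOTE(cfb) comment calls this a feature but does not say that the disk-consumption exposure stays open on that path. I would extend the comment with something like `# SECURITY: size == 0 skips the virtual-size check; restrict zero-root-disk flavors to trusted tenants.` The check also runs only after `prepare_template` has populated `base`, and nothing visible here removes the oversized cached file, so the log line is the only operator signal. Including the measured size would make it actionable: hoist `virt_size = disk.get_disk_size(base)` above the `if` and log `'%s virtual size %s larger than flavor root disk size %s' % (base, virt_size, size)`. The enclosing method starts and ends outside the hunk, and the identical hunk is repeated under commit 44a8aba1d5da.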
44a8aba1d5da Check QCOW2 image size during root disk creation
2 files changed · +29 −0
nova/tests/test_imagebackend.py+21 −0 modified@@ -20,6 +20,7 @@ import fixtures from oslo.config import cfg +from nova import exception from nova.openstack.common import uuidutils from nova import test from nova.tests import fake_libvirt_utils @@ -253,9 +254,12 @@ def test_create_image_with_size(self): fn = self.prepare_mocks() fn(target=self.TEMPLATE_PATH) self.mox.StubOutWithMock(os.path, 'exists') + self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') if self.OLD_STYLE_INSTANCE_PATH: os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) os.path.exists(self.TEMPLATE_PATH).AndReturn(False) + imagebackend.disk.get_disk_size(self.TEMPLATE_PATH + ).AndReturn(self.SIZE) os.path.exists(self.PATH).AndReturn(False) imagebackend.libvirt_utils.create_cow_image(self.TEMPLATE_PATH, self.PATH) @@ -267,6 +271,23 @@ def test_create_image_with_size(self): self.mox.VerifyAll() + def test_create_image_too_small(self): + fn = self.prepare_mocks() + fn(target=self.TEMPLATE_PATH) + self.mox.StubOutWithMock(os.path, 'exists') + self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size') + if self.OLD_STYLE_INSTANCE_PATH: + os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False) + os.path.exists(self.TEMPLATE_PATH).AndReturn(False) + imagebackend.disk.get_disk_size(self.TEMPLATE_PATH + ).AndReturn(self.SIZE) + self.mox.ReplayAll() + + image = self.image_class(self.INSTANCE, self.NAME) + self.assertRaises(exception.ImageTooLarge, image.create_image, fn, + self.TEMPLATE_PATH, 1) + self.mox.VerifyAll() + class LvmTestCase(_ImageTestCase, test.TestCase): VG = 'FakeVG'
nova/virt/libvirt/imagebackend.py+8 −0 modified@@ -21,6 +21,7 @@ from oslo.config import cfg +from nova import exception from nova.openstack.common import excutils from nova.openstack.common import fileutils from nova.openstack.common import lockutils @@ -255,6 +256,13 @@ def copy_qcow2_image(base, target, size): if not os.path.exists(base): prepare_template(target=base, *args, **kwargs) + # NOTE(cfb): Having a flavor that sets the root size to 0 and having + # nova effectively ignore that size and use the size of the + # image is considered a feature at this time, not a bug. + if size and size < disk.get_disk_size(base): + LOG.error('%s virtual size larger than flavor root disk size %s' % + (base, size)) + raise exception.ImageTooLarge() if not os.path.exists(self.path): with utils.remove_path_on_error(self.path): copy_qcow2_image(base, self.path, size)
References (14)
- lists.openstack.org/pipermail/openstack-announce/2013-May/000102.html (nvd, Vendor Advisory, WEB)
- github.com/advisories/GHSA-m674-hmx2-ffhq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-2096 (ghsa, ADVISORY)
- www.ubuntu.com/usn/USN-1831-1 (nvd, WEB)
- github.com/openstack/nova/commit/0caeb8eaf20abcdc77828f5c6b79fc104619e231 (ghsa, WEB)
- github.com/openstack/nova/commit/44a8aba1d5da87d54db48079103fdef946666d80 (ghsa, WEB)
- review.openstack.org (ghsa, WEB)
- review.openstack.org (ghsa, WEB)
- review.openstack.org (ghsa, WEB)
- web.archive.org/web/20130726040108/http://www.securityfocus.com/bid/59924 (ghsa, WEB)
- www.securityfocus.com/bid/59924 (nvd)
- review.openstack.org (nvd)
- review.openstack.org (nvd)
- review.openstack.org (nvd)