components/openstack/nova/patches/07-CVE-2013-7048.patch
changeset 1760 353323c7bdc1
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/nova/patches/07-CVE-2013-7048.patch	Mon Mar 17 09:51:44 2014 -0600
@@ -0,0 +1,36 @@
+Upstream patch fixed in Grizzly 2013.1.5, Havana 2013.2.2, Icehouse
+
+commit 9bd7fff8c0160057643cfc37c5e2b1cd3337d6aa
+Author: Xavier Queralt <[email protected]>
+Date:   Wed Nov 27 20:44:36 2013 +0100
+
+    Enforce permissions in snapshots temporary dir
+    
+    Live snapshots creates a temporary directory where libvirt driver
+    creates a new image from the instance's disk using blockRebase.
+    Currently this directory is created with 777 permissions making this
+    directory accessible by all the users in the system.
+    
+    This patch changes the tempdir permissions so they have the o+x
+    flag set, which is what libvirt needs to be able to write in it and
+    
+    Closes-Bug: #1227027
+    Change-Id: I767ff5247b4452821727e92b668276004fc0f84d
+    (cherry picked from commit 8a34fc3d48c467aa196f65eed444ccdc7c02f19f)
+
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index 6b977cb..4cc85f1 100755
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -1191,9 +1191,8 @@ class LibvirtDriver(driver.ComputeDriver):
+             try:
+                 out_path = os.path.join(tmpdir, snapshot_name)
+                 if live_snapshot:
+-                    # NOTE (rmk): libvirt needs to be able to write to the
+-                    #             temp directory, which is owned nova.
+-                    utils.execute('chmod', '777', tmpdir, run_as_root=True)
++                    # NOTE(xqueralt): libvirt needs o+x in the temp directory
++                    os.chmod(tmpdir, 0o701)
+                     self._live_snapshot(virt_dom, disk_path, out_path,
+                                         image_format)
+                 else:
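Review bot: The added `os.chmod(tmpdir, 0o701)` makes the directory traversable by everyone but says nothing about the snapshot image written beneath it (`out_path`), whose mode will come from whatever creates it and the process umask, so the directory mode alone does not settle whether the image is readable by other local users; this is worth stating next to the comment, e.g. `# NOTE: 0o701 only grants traversal into tmpdir; the image at out_path still gets its own mode from its creator/umask`. The replacement comment is also shorter than the one it removes and drops the reason the old `chmod 777` ran as root (the directory is owned by the nova user), which is presumably why a plain `os.chmod` now suffices; restoring that rationale, e.g. `# tmpdir is owned by the nova user, so no root chmod is needed`, would help the next reader. The quoted upstream message ends mid-sentence at "write in it and", so the patch header does not fully explain the intent it carries. The enclosing `try:` block and the `_live_snapshot` call's surrounding code begin and end outside this hunk.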