--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/nova/patches/07-CVE-2013-7048.patch Mon Mar 17 09:51:44 2014 -0600
@@ -0,0 +1,36 @@
+Upstream patch fixed in Grizzly 2013.1.5, Havana 2013.2.2, Icehouse
+
+commit 9bd7fff8c0160057643cfc37c5e2b1cd3337d6aa
+Author: Xavier Queralt <[email protected]>
+Date: Wed Nov 27 20:44:36 2013 +0100
+
+ Enforce permissions in snapshots temporary dir
+
+ Live snapshots creates a temporary directory where libvirt driver
+ creates a new image from the instance's disk using blockRebase.
+ Currently this directory is created with 777 permissions making this
+ directory accessible by all the users in the system.
+
+ This patch changes the tempdir permissions so they have the o+x
+ flag set, which is what libvirt needs to be able to write in it and
+
+ Closes-Bug: #1227027
+ Change-Id: I767ff5247b4452821727e92b668276004fc0f84d
+ (cherry picked from commit 8a34fc3d48c467aa196f65eed444ccdc7c02f19f)
+
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index 6b977cb..4cc85f1 100755
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -1191,9 +1191,8 @@ class LibvirtDriver(driver.ComputeDriver):
+ try:
+ out_path = os.path.join(tmpdir, snapshot_name)
+ if live_snapshot:
+- # NOTE (rmk): libvirt needs to be able to write to the
+- # temp directory, which is owned nova.
+- utils.execute('chmod', '777', tmpdir, run_as_root=True)
++ # NOTE(xqueralt): libvirt needs o+x in the temp directory
++ os.chmod(tmpdir, 0o701)
+ self._live_snapshot(virt_dom, disk_path, out_path,
+ image_format)
+ else:
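Review bot: The new comment above `os.chmod(tmpdir, 0o701)` says only that libvirt needs o+x and leaves out what the remaining world-execute bit means for other local users. With mode 0o701 they can no longer list or create entries in the directory, but they can still traverse it, so the snapshot image at `out_path` is protected only by its own file mode and by how predictable `snapshot_name` is. Neither is visible in this hunk, so both are worth confirming in `_live_snapshot`. I would expand the comment to something like `# NOTE(xqueralt): libvirt only needs to traverse (o+x) the temp dir; 0o701 keeps it unlistable and unwritable for other users, so the image file's own mode must still deny them read access.` The embedded commit description also breaks off at "able to write in it and" and should be restored from the upstream commit; the enclosing snapshot method starts and ends outside the hunk.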