
yahoo-eng-team team mailing list archive

[Bug 1076506] Re: [OSSA-2012-017] Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api


** Summary changed:

- Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api
+ [OSSA-2012-017] Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Russell Bryant (russellb)

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4573

** Summary changed:

- [OSSA-2012-017] Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api
+ [OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api

** Summary changed:

- [OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api
+ [OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted in the v2 api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1076506

Title:
  [OSSA-2012-017.1] Non-admin users can cause public glance images to be
  deleted in the v2 api

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance folsom series:
  Fix Released
Status in Glance grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in “glance” package in Ubuntu:
  Fix Released
Status in “glance” source package in Quantal:
  Fix Released

Bug description:
  It appears that bug #1065187 also affects the v2 api. From the
  previous description:

  Given a public, non-protected image, a non-admin user can issue a
  delete against that image which may delete the image from the backend
  storage repository. The client will get a 403 unauthorized response,
  but the backend delete method is called prior to checking for those
  permissions on the glance registry.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1076506/+subscriptions
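The failure mode the bug description names, a destructive backend call made before the permission check, is easy to reproduce in isolation. The following is an added illustration, not Glance's own code: the store, registry, image ids, tenant names and handler functions are all hypothetical stand-ins for the real v2 API, and the image data is constructed sample input. The vulnerable handler returns the same 403 as the fixed one, but its backend blob is already gone by the time the error is raised.

```python
"""Added example (not Glance's code): ordering of authorization versus side effects.

The classes below are hypothetical stand-ins for the backend store and the
registry that the bug description refers to; nothing here is the real API.
"""


class Forbidden(Exception):
    """Raised where the real service would return a 403 to the client."""


class BackendStore:
    """Stand-in for the backend storage repository (image bytes)."""

    def __init__(self, blobs):
        self.blobs = dict(blobs)  # image_id -> bytes; constructed sample data

    def delete(self, image_id):
        # Irreversible: once the blob is gone, the 403 cannot bring it back.
        self.blobs.pop(image_id, None)


class Registry:
    """Stand-in for the registry that holds metadata and enforces ownership."""

    def __init__(self, images):
        self.images = dict(images)  # image_id -> {"owner": ..., "is_public": ...}

    def authorize_delete(self, image_id, user, is_admin):
        img = self.images[image_id]
        # Public images are readable by everyone, but only the owner or an
        # admin may delete them.
        if not is_admin and img["owner"] != user:
            raise Forbidden(image_id)

    def delete(self, image_id):
        del self.images[image_id]


def delete_vulnerable(store, registry, image_id, user, is_admin=False):
    """Hypothetical vulnerable ordering: backend delete runs before the check."""
    store.delete(image_id)
    registry.authorize_delete(image_id, user, is_admin)  # raises 403 too late
    registry.delete(image_id)


def delete_fixed(store, registry, image_id, user, is_admin=False):
    """Hypothetical fixed ordering: authorize before any irreversible action."""
    registry.authorize_delete(image_id, user, is_admin)
    store.delete(image_id)
    registry.delete(image_id)


def run_scenario(handler):
    """Non-owner tries to delete a public image.

    Returns (http_status, blob_still_present) so the two handlers can be
    compared on what the client sees versus what actually happened.
    """
    store = BackendStore({"img-1": b"constructed image bytes"})
    registry = Registry({"img-1": {"owner": "owner-tenant", "is_public": True}})
    try:
        handler(store, registry, "img-1", user="other-tenant")
        status = 200
    except Forbidden:
        status = 403
    return status, "img-1" in store.blobs


if __name__ == "__main__":
    # Both report 403 to the caller; only the fixed handler keeps the data.
    print("vulnerable:", run_scenario(delete_vulnerable))
    print("fixed:     ", run_scenario(delete_fixed))
```

A useful regression check for this class of bug is exactly the pair of results above: assert not only on the status code the unauthorized caller receives, but also on the state of the backend afterwards.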