yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #26687
[Bug 1400966] Re: [OSSA-2014-041] Glance allows users to download and delete any file in glance-api server (CVE-2014-9493)
Reopening bug as fix was incomplete. Will request a new CVE id when a
fix is ready.
** Changed in: glance
Status: Fix Released => In Progress
** Changed in: glance
Assignee: Zhi Yan Liu (lzy-dev) => Grant Murphy (gmurphy)
** Changed in: ossa
Assignee: (unassigned) => Grant Murphy (gmurphy)
** Changed in: ossa
Status: Fix Released => In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1400966
Title:
[OSSA-2014-041] Glance allows users to download and delete any file in
glance-api server (CVE-2014-9493)
Status in OpenStack Image Registry and Delivery Service (Glance):
In Progress
Status in Glance icehouse series:
Fix Committed
Status in Glance juno series:
Fix Committed
Status in Ansible playbooks for deploying OpenStack:
Fix Committed
Status in openstack-ansible icehouse series:
In Progress
Status in openstack-ansible juno series:
In Progress
Status in OpenStack Security Advisories:
In Progress
Bug description:
Updating image-location by update images API users can download any file for which glance-api has read permission.
And the file for which glance-api has write permission will be deleted when users delete the image.
For example:
When users specify '/etc/passwd' as locations value of an image user can get the file by image download.
When locations of an image is set with 'file:///path/to/glance-
api.conf' the conf will be deleted when users delete the image.
How to recreate the bug:
download files:
- set show_multiple_locations True in glance-api.conf
- create a new image
- set locations of the image's property a path you want to get such as file:///etc/passwd.
- download the image
delete files:
- set show_multiple_locations True in glance-api.conf
- create a new image
- set locations of the image's property a path you want to delete such as file:///path/to/glance-api.conf
- delete the image
I found this bug in 2014.2 (742c898956d655affa7351505c8a3a5c72881eae).
What a big A RE RE!!
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1400966/+subscriptions