← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1398830] Re: [OSSA 2015-003] Glance image leak when in saving state (CVE-2014-9623)

 

** Changed in: glance
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1398830

Title:
  [OSSA 2015-003] Glance image leak when in saving state (CVE-2014-9623)

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance icehouse series:
  Fix Committed
Status in Glance juno series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Tushar Patil reported that
  https://bugs.launchpad.net/glance/+bug/1383973 can be leverage to
  conduct a denial of service attack on Glance backend store.

  The image in saving state is not taken into account by global quota
  enforcement.

  Attached is a script to reproduce the behavior:

  
  Steps to reproduce (tested on file backend store)

    1.  Check how many images are present in the directory that the Filesystem backend store write the image data to (filesystem_store_datadir parameter).
    2.  Run the program for 1 hour
    3.  Again count images (step 1), it should be the same as recorded in Step 1.

  We ran this program for 1 hour in our environment.
  Before running the program, count of images in the file store (/opt/stack/data/glance/images) was 6.

  After running the program for 1 hr,

    *   Total count of images in the folder /opt/stack/data/glance/images = 806 (it should have been 6)
    *   Total count of images created = 1014
    *   Total count of images deleted in saving state = 800
    *   Total count of images deleted = 1014


  Considering the bug is already public, fix should be proposed directly
  on gerrit, this new report will let us work on the impact statement
  and coordinate the security work in parallel to the public fix being
  merged.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1398830/+subscriptions