yahoo-eng-team team mailing list archive

[Bug 1420696] Re: [OSSA 2015-004] Image data remains in backend after deleting the image created using task api (import-from) (CVE-2015-1881)

 

** Changed in: glance
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1420696

Title:
  [OSSA 2015-004] Image data remains in backend after deleting the image
  created using task api (import-from) (CVE-2015-1881)

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance icehouse series:
  Invalid
Status in Glance juno series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  --
  This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
  --

  When trying to delete an image created using the task API (import-from),
  the image gets deleted from the database, but the image data remains in
  the backend.

  Steps to reproduce:
  1. Create image using task api

  $ curl -i -X POST \
      -H 'User-Agent: python-glanceclient' \
      -H 'Content-Type: application/json' \
      -H 'Accept-Encoding: gzip, deflate, compress' \
      -H 'Accept: */*' \
      -H 'X-Auth-Token: 35a9e49237b74eddbe5057eb434b3f9e' \
      -d '{"type": "import", "input": {"import_from": "http://releases.ubuntu.com/14.10/ubuntu-14.10-server-i386.iso", "import_from_format": "raw", "image_properties": {"disk_format": "raw", "container_format": "bare", "name": "task_image"}}}' \
      http://10.69.4.176:9292/v2/tasks

  2. Wait until the image becomes active.
  3. Confirm image is in active state.
     $ glance image-list
  4. Delete the image
     $ glance image-delete <image-id>
  5. Verify image-list does not show deleted image
     $ glance image-list

  The image gets deleted from the database, but the image data is still
  present in the backend.

  Problem:
  The import task does not update the location of the image, and it remains None even after the image becomes active.
  No location entry is added to the image_locations table in the database.

  While deleting the image, it checks whether a location is present for the
  image [1][2], and only then deletes the image data from that location.

  [1] v1: https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L1066
  [2] v2: https://github.com/openstack/glance/blob/master/glance/location.py#L361

  This issue is reproducible in stable/juno as well as in current
  master.

  Note: You need to replace the auth token in the above curl command; otherwise it will raise an authentication failure error.
  (Use the 'keystone token-get' command to generate a new token.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1420696/+subscriptions
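
Added example (not part of the original bug report and not Glance code): a small in-memory model of the behaviour described above, together with an audit that lists backend objects no image record points to. All class, function and URI names are hypothetical, and the image bytes are constructed sample data.

```python
# Added illustration; every name here is hypothetical, not Glance code.
from dataclasses import dataclass, field

@dataclass
class Image:
    image_id: str
    status: str = "queued"
    locations: list = field(default_factory=list)  # stands in for image_locations rows

class Backend:
    """In-memory stand-in for the image store backend."""
    def __init__(self):
        self.objects = {}

    def put(self, image_id, data):
        uri = f"mem://{image_id}"
        self.objects[uri] = data
        return uri

def import_task(db, backend, image_id, data, record_location):
    """Model of the import-from task; record_location=False reproduces the report."""
    image = db[image_id] = Image(image_id)
    uri = backend.put(image_id, data)
    if record_location:
        image.locations.append(uri)
    image.status = "active"

def delete_image(db, backend, image_id):
    """Delete as the report describes: data is removed only at recorded locations."""
    image = db.pop(image_id)
    for uri in image.locations:
        backend.objects.pop(uri, None)

def find_orphans(db, backend):
    """Audit: backend objects that no image record references."""
    referenced = {uri for img in db.values() for uri in img.locations}
    return sorted(set(backend.objects) - referenced)

def demo(record_location):
    db, backend = {}, Backend()
    import_task(db, backend, "img-1", b"constructed sample bytes", record_location)
    before = find_orphans(db, backend)  # an active image with no location already shows up
    delete_image(db, backend, "img-1")
    return before, find_orphans(db, backend)

if __name__ == "__main__":
    print("location not recorded:", demo(False))
    print("location recorded:    ", demo(True))
```

The audit flags the object before the delete as well, so the same comparison can catch affected images while they are still active.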