yahoo-eng-team team mailing list archive

[Bug 1415087] Re: [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851)

 

** Changed in: cinder/icehouse
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1415087

Title:
  [OSSA 2015-011] Format-guessing and file disclosure in image convert
  (CVE-2015-1850, CVE-2015-1851)

Status in Cinder:
  Fix Committed
Status in Cinder icehouse series:
  Fix Released
Status in Cinder juno series:
  Fix Committed
Status in Cinder kilo series:
  Fix Committed
Status in OpenStack Compute (Nova):
  Triaged
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  Cinder does not provide input format to several calls of "qemu-img
  convert". This allows the attacker to play the format guessing by
  providing a volume with a qcow2 signature. If this signature contains
  a base file, this file will be read by a process running as root and
  embedded in the output. This bug is similar to CVE-2013-1922.

  Tested with: LVM-backed volume storage; it may apply to others as well
  Steps to reproduce:
  - create volume and attach to vm,
  - create a qcow2 signature with base-file[1] from within the vm and
  - trigger upload to glance with "cinder upload-to-image --disk-type qcow2"[2].
  The image uploaded to glance will have /etc/passwd from the cinder-volume host embedded.
  Affected versions: tested on 2014.1.3, found while reading 2014.2.1

  Fix: Always specify both input "-f" and output format "-O" to
  "qemu-img convert". The code is in module cinder.image.image_utils.

  Bastian Blank

  [1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
  [2]: The disk-type != raw triggers the use of "qemu-img convert"

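The fix described in the bug report, sketched as an added example (this is not Cinder's code and not part of the original notification): a helper that refuses to build a "qemu-img convert" command without an explicit input format, plus a check that reads the leading bytes of a volume expected to be raw and reports whether format probing would see a qcow2 header naming a backing file. The function names and the sample header are hypothetical and constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Start of the qcow2 header (big-endian):
# magic, version, backing_file_offset, backing_file_size
_HDR = struct.Struct(">4sIQI")

def probe_qcow2_backing(head: bytes):
    """Return (looks_like_qcow2, backing_file_or_None) for a volume's first bytes."""
    if len(head) < _HDR.size:
        return False, None
    magic, _version, off, size = _HDR.unpack_from(head)
    if magic != QCOW2_MAGIC:
        return False, None
    if off == 0 or size == 0:
        return True, None          # qcow2 signature, no backing file recorded
    # May be truncated if the caller read fewer bytes than off + size.
    return True, head[off:off + size].decode("utf-8", "replace")

def convert_cmd(source, dest, out_format, src_format):
    """Argument list for qemu-img convert with both "-f" and "-O" pinned."""
    if not src_format:
        raise ValueError("refusing to let qemu-img guess the input format")
    return ["qemu-img", "convert", "-f", src_format, "-O", out_format,
            source, dest]

def sample_header(backing: bytes) -> bytes:
    """Constructed sample input: minimal qcow2-style header bytes."""
    off = 104 if backing else 0
    hdr = _HDR.pack(QCOW2_MAGIC, 2, off, len(backing))
    return hdr.ljust(104, b"\0") + backing

if __name__ == "__main__":
    # Constructed data: what the first sector of a tenant-written volume
    # could look like, versus an all-zero raw volume.
    for label, head in (("suspicious", sample_header(b"/etc/passwd")),
                        ("plain raw", b"\0" * 512)):
        print(label, probe_qcow2_backing(head))
    # Placeholder paths; the volume is always declared as raw.
    print(convert_cmd("/dev/example-vg/volume", "/tmp/out.qcow2", "qcow2", "raw"))
```

With "-f raw" pinned, qemu-img treats the volume contents as opaque data, so a guest-written qcow2 header is copied rather than interpreted.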