yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #36703
[Bug 1415087] Re: [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851)
The OSSA tasks is now closed. If Nova turns out to be affected, a new
OSSA will be required anyway.
** Changed in: ossa
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1415087
Title:
[OSSA 2015-011] Format-guessing and file disclosure in image convert
(CVE-2015-1850, CVE-2015-1851)
Status in Cinder:
Fix Released
Status in Cinder icehouse series:
Fix Released
Status in Cinder juno series:
Fix Committed
Status in Cinder kilo series:
Fix Released
Status in OpenStack Compute (nova):
Triaged
Status in OpenStack Security Advisory:
Fix Released
Bug description:
Cinder does not provide input format to several calls of "qemu-img
convert". This allows the attacker to play the format guessing by
providing a volume with a qcow2 signature. If this signature contains
a base file, this file will be read by a process running as root and
embedded in the output. This bug is similar to CVE-2013-1922.
Tested with: lvm backed volume storage, it may apply to others as well
Steps to reproduce:
- create volume and attach to vm,
- create a qcow2 signature with base-file[1] from within the vm and
- trigger upload to glance with "cinder upload-to-image --disk-type qcow2"[2].
The image uploaded to glance will have /etc/passwd from the cinder-volume host embedded.
Affected versions: tested on 2014.1.3, found while reading 2014.2.1
Fix: Always specify both input "-f" and output format "-O" to "qemu-
img convert". The code is in module cinder.image.image_utils.
Bastian Blank
[1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
[2]: The disk-type != raw triggers the use of "qemu-img convert"
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1415087/+subscriptions