yahoo-eng-team team mailing list archive - Message #45133
[Bug 1482371] Re: [OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251)
** Changed in: glance/kilo
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1482371
Title:
[OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251)
Status in Glance:
Fix Released
Status in Glance juno series:
Fix Released
Status in Glance kilo series:
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
Using Glance v1, one is able to change the status of an image to any
one of the valid statuses by passing the header 'x-image-meta-status'
with PUT on /images/<image id>. This bug provides a way for an image
to transition states that are otherwise not possible in an image's
lifecycle.
See http://paste.openstack.org/show/pNL7kvIZUz7cWJQwX64d/ for a
reproduction of this behavior on devstack.
As shown in the above paste, though one is able to change the status
of an active image to queued, uploading data after re-setting the
status to queued fails with a 400 [1]. Though the purpose of [1]
appears to be slightly different, it's fortunately saving us from
badly breaking the immutability guarantees of glance images.
[1] https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L760-L765
NOTE: Marking this as a security vulnerability for now as users would
be able to activate the deactivated images on their own. This probably
affects deployments only where v1 is exposed publicly. However, it's
probably worth discussing this from a security perspective as well.
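The root cause described above is that the v1 API maps every 'x-image-meta-*' request header straight onto an image attribute, so 'status', which should be owned by the server's lifecycle code, becomes client-writable. The following is an added illustration, not Glance's own code: a small model of that header-to-metadata mapping with the defective update handler next to a hardened one that refuses client-supplied changes to server-owned fields with a 403. The names Image, update_image_vulnerable, update_image_hardened and SERVER_OWNED are hypothetical; only the header name and the queued/active/deactivated states come from the bug report.

```python
# Added example (not Glance's own code). Models the Glance v1 metadata PUT
# path to show why copying 'x-image-meta-*' headers onto image fields lets
# a client rewrite 'status', and how a server-owned-field check closes it.
# Image, ImageStore-style helpers and SERVER_OWNED are hypothetical names.

from dataclasses import dataclass, field

HEADER_PREFIX = "x-image-meta-"

# Status values recognised by the v1 image lifecycle.
VALID_STATUSES = {"queued", "saving", "active", "killed", "deleted",
                  "pending_delete", "deactivated"}

# Fields only the server's own lifecycle code may write. A metadata update
# from a client must never set these, whatever headers it carries.
SERVER_OWNED = {"status", "id", "owner", "checksum", "size",
                "created_at", "updated_at", "deleted"}


class Forbidden(Exception):
    """Maps to HTTP 403: caller tried to change a server-owned field."""


@dataclass
class Image:
    id: str
    status: str = "queued"
    meta: dict = field(default_factory=dict)


def headers_to_meta(headers):
    """Mirror the v1 mapping: 'X-Image-Meta-Foo: bar' -> {'foo': 'bar'}."""
    meta = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(HEADER_PREFIX):
            meta[lname[len(HEADER_PREFIX):]] = value
    return meta


def update_image_vulnerable(image, headers):
    """Defective pattern: every mapped header becomes an attribute, so
    'X-Image-Meta-Status: active' reactivates a deactivated image."""
    for key, value in headers_to_meta(headers).items():
        if key == "status":
            if value not in VALID_STATUSES:
                raise ValueError("invalid status")
            image.status = value
        else:
            image.meta[key] = value
    return image


def update_image_hardened(image, headers):
    """Hardened variant: a client may echo the current status (a no-op)
    but any attempt to change it, or to set another server-owned field,
    is rejected with 403. Status only moves via dedicated lifecycle
    operations (upload, deactivate/reactivate), which are not shown here."""
    meta = headers_to_meta(headers)
    requested = meta.pop("status", None)
    if requested is not None and requested != image.status:
        raise Forbidden(f"status is server-owned; cannot set to {requested!r}")
    other = SERVER_OWNED & set(meta)
    if other:
        raise Forbidden(f"server-owned fields in request: {sorted(other)}")
    image.meta.update(meta)
    return image


def demo():
    """Run both handlers against a deactivated image with a constructed
    request; returns (vulnerable status, hardened status, was_rejected)."""
    req = {"X-Image-Meta-Status": "active", "X-Image-Meta-Name": "renamed"}
    vulnerable = update_image_vulnerable(Image("img-1", status="deactivated"), req)
    hardened = Image("img-2", status="deactivated")
    try:
        update_image_hardened(hardened, req)
        rejected = False
    except Forbidden:
        rejected = True
    return vulnerable.status, hardened.status, rejected


if __name__ == "__main__":
    print(demo())  # constructed input: ('active', 'deactivated', True)
```

The design point is the allow-list of client-writable fields rather than a check on individual status values: validating that 'active' is a legal status (as the vulnerable handler does) says nothing about whether the caller is allowed to make that transition.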
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1482371/+subscriptions