← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1400966] Re: [OSSA-2014-041] Glance allows users to download and delete any file in glance-api server (CVE-2014-9493)

 

invalid Bug  ID mentioned in commit

** Changed in: juniperopenstack/trunk
       Status: In Progress => Invalid

** Changed in: juniperopenstack/trunk
     Assignee: Grant Murphy (gmurphy) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1400966

Title:
  [OSSA-2014-041] Glance allows users to download and delete any file in
  glance-api server (CVE-2014-9493)

Status in Glance:
  Fix Released
Status in Glance icehouse series:
  Fix Released
Status in Glance juno series:
  Fix Released
Status in Juniper Openstack:
  Invalid
Status in Juniper Openstack trunk series:
  Invalid
Status in openstack-ansible:
  Fix Released
Status in openstack-ansible icehouse series:
  Fix Released
Status in openstack-ansible juno series:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Updating image-location by update images API users can download any file for which glance-api has read permission. 
  And the file for which glance-api has write permission will be deleted when users delete the image.

  
  For example:
  When users specify '/etc/passwd' as locations value of an image user can get the file by image download.

  When locations of an image is set with 'file:///path/to/glance-
  api.conf' the conf will be deleted when users delete the image.

  How to recreate the bug:
  download files:
   - set show_multiple_locations True in glance-api.conf
   - create a new image
   - set locations of the image's property a path you want to get such as file:///etc/passwd.
   - download the image

  delete files:
   - set show_multiple_locations True in glance-api.conf
   - create a new image
   - set locations of the image's property a path you want to delete such as file:///path/to/glance-api.conf
   - delete the image

  I found this bug in 2014.2 (742c898956d655affa7351505c8a3a5c72881eae).

  What a big A RE RE!!

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1400966/+subscriptions