| 2015-01-27 15:59:37 |
Bastian Blank |
bug |
|
|
added bug |
| 2015-01-27 16:35:56 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
| 2015-01-27 16:36:11 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2015-01-27 16:37:06 |
Tristan Cacqueray |
description |
Cinder does not provide input format to several calls of "qemu-img convert". This allows the attacker to play the format guessing by providing a volume with a qcow2 signature. If this signature contains a base file, this file will be read by a process running as root and embedded in the output. This bug is similar to CVE-2013-1922.
Tested with: lvm backed volume storage, it may apply to others as well
Steps to reproduce:
- create volume and attach to vm,
- create a qcow2 signature with base-file[1] from within the vm and
- trigger upload to glance with "cinder upload-to-image --disk-type qcow2"[2].
The image uploaded to glance will have /etc/passwd from the cinder-volume host embedded.
Affected versions: tested on 2014.1.3, found while reading 2014.2.1
Fix: Always specify both input "-f" and output format "-O" to "qemu-img convert". The code is in module cinder.image.image_utils.
Bastian Blank
[1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
[2]: The disk-type != raw triggers the use of "qemu-img convert" |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added as to the bug as attachments.
Cinder does not provide input format to several calls of "qemu-img convert". This allows the attacker to play the format guessing by providing a volume with a qcow2 signature. If this signature contains a base file, this file will be read by a process running as root and embedded in the output. This bug is similar to CVE-2013-1922.
Tested with: lvm backed volume storage, it may apply to others as well
Steps to reproduce:
- create volume and attach to vm,
- create a qcow2 signature with base-file[1] from within the vm and
- trigger upload to glance with "cinder upload-to-image --disk-type qcow2"[2].
The image uploaded to glance will have /etc/passwd from the cinder-volume host embedded.
Affected versions: tested on 2014.1.3, found while reading 2014.2.1
Fix: Always specify both input "-f" and output format "-O" to "qemu-img convert". The code is in module cinder.image.image_utils.
Bastian Blank
[1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
[2]: The disk-type != raw triggers the use of "qemu-img convert" |
|
| 2015-01-29 10:33:40 |
Thierry Carrez |
bug |
|
|
added subscriber Cinder Core security contacts |
| 2015-02-02 18:18:22 |
Mike Perez |
cinder: status |
New |
Confirmed |
|
| 2015-02-05 13:21:20 |
Thierry Carrez |
ossa: status |
Incomplete |
Confirmed |
|
| 2015-02-05 13:22:02 |
Thierry Carrez |
ossa: importance |
Undecided |
High |
|
| 2015-02-05 13:22:18 |
Thierry Carrez |
cinder: importance |
Undecided |
High |
|
| 2015-02-05 13:22:56 |
Thierry Carrez |
bug task added |
|
nova |
|
| 2015-02-05 13:23:32 |
Thierry Carrez |
bug |
|
|
added subscriber Nova Core security contacts |
| 2015-02-18 22:52:17 |
Tony Breeds |
nova: importance |
Undecided |
Medium |
|
| 2015-02-18 22:52:17 |
Tony Breeds |
nova: status |
New |
Confirmed |
|
| 2015-02-18 22:52:17 |
Tony Breeds |
nova: assignee |
|
Tony Breeds (o-tony) |
|
| 2015-02-24 14:17:34 |
Andrew Laski |
bug |
|
|
added subscriber Daniel Berrange |
| 2015-02-24 15:37:01 |
Mike Perez |
cinder: assignee |
|
Mike Perez (thingee) |
|
| 2015-02-26 14:53:12 |
Thierry Carrez |
nova: status |
Confirmed |
Triaged |
|
| 2015-02-26 14:53:15 |
Thierry Carrez |
cinder: status |
Confirmed |
Triaged |
|
| 2015-02-26 16:35:20 |
Tristan Cacqueray |
ossa: status |
Confirmed |
Triaged |
|
| 2015-02-26 16:35:23 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
| 2015-03-02 15:08:22 |
Thierry Carrez |
nova: importance |
Medium |
High |
|
| 2015-03-02 23:24:02 |
Grant Murphy |
attachment added |
|
0001-Require-source-image-format-for-convert_image-calls.patch https://bugs.launchpad.net/cinder/+bug/1415087/+attachment/4332707/+files/0001-Require-source-image-format-for-convert_image-calls.patch |
|
| 2015-03-10 21:18:41 |
Grant Murphy |
attachment removed |
0001-Require-source-image-format-for-convert_image-calls.patch https://bugs.launchpad.net/cinder/+bug/1415087/+attachment/4332707/+files/0001-Require-source-image-format-for-convert_image-calls.patch |
|
|
| 2015-03-10 21:28:29 |
Grant Murphy |
attachment added |
|
0001-Require-source-image-format-for-convert_image-calls.patch https://bugs.launchpad.net/cinder/+bug/1415087/+attachment/4340460/+files/0001-Require-source-image-format-for-convert_image-calls.patch |
|
| 2015-03-31 15:09:33 |
Duncan Thomas |
bug |
|
|
added subscriber Duncan Thomas |
| 2015-03-31 18:32:27 |
Mike Perez |
cinder: assignee |
Mike Perez (thingee) |
Eric Harney (eharney) |
|
| 2015-03-31 23:53:43 |
Eric Harney |
attachment added |
|
0001-Disallow-backing-files-when-uploading-volumes-to-ima.patch https://bugs.launchpad.net/cinder/+bug/1415087/+attachment/4362440/+files/0001-Disallow-backing-files-when-uploading-volumes-to-ima.patch |
|
| 2015-04-02 16:23:01 |
Tristan Cacqueray |
cve linked |
|
2015-1850 |
|
| 2015-04-02 16:23:33 |
Tristan Cacqueray |
summary |
Format-guessing and file disclosure in image convert |
Format-guessing and file disclosure in image convert (CVE-2015-1850) |
|
| 2015-06-13 14:30:17 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
| 2015-06-13 14:37:42 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added as to the bug as attachments.
Cinder does not provide input format to several calls of "qemu-img convert". This allows the attacker to play the format guessing by providing a volume with a qcow2 signature. If this signature contains a base file, this file will be read by a process running as root and embedded in the output. This bug is similar to CVE-2013-1922.
Tested with: lvm backed volume storage, it may apply to others as well
Steps to reproduce:
- create volume and attach to vm,
- create a qcow2 signature with base-file[1] from within the vm and
- trigger upload to glance with "cinder upload-to-image --disk-type qcow2"[2].
The image uploaded to glance will have /etc/passwd from the cinder-volume host embedded.
Affected versions: tested on 2014.1.3, found while reading 2014.2.1
Fix: Always specify both input "-f" and output format "-O" to "qemu-img convert". The code is in module cinder.image.image_utils.
Bastian Blank
[1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
[2]: The disk-type != raw triggers the use of "qemu-img convert" |
Cinder does not provide input format to several calls of "qemu-img convert". This allows the attacker to play the format guessing by providing a volume with a qcow2 signature. If this signature contains a base file, this file will be read by a process running as root and embedded in the output. This bug is similar to CVE-2013-1922.
Tested with: lvm backed volume storage, it may apply to others as well
Steps to reproduce:
- create volume and attach to vm,
- create a qcow2 signature with base-file[1] from within the vm and
- trigger upload to glance with "cinder upload-to-image --disk-type qcow2"[2].
The image uploaded to glance will have /etc/passwd from the cinder-volume host embedded.
Affected versions: tested on 2014.1.3, found while reading 2014.2.1
Fix: Always specify both input "-f" and output format "-O" to "qemu-img convert". The code is in module cinder.image.image_utils.
Bastian Blank
[1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
[2]: The disk-type != raw triggers the use of "qemu-img convert" |
|
| 2015-06-13 14:55:10 |
Dave Walker |
bug |
|
|
added subscriber Dave Walker |
| 2015-06-15 13:01:12 |
OpenStack Infra |
cinder: status |
Triaged |
In Progress |
|
| 2015-06-15 13:01:12 |
OpenStack Infra |
cinder: assignee |
Eric Harney (eharney) |
Tristan Cacqueray (tristan-cacqueray) |
|
| 2015-06-15 14:41:35 |
Andreas Stieger |
bug |
|
|
added subscriber Andreas Stieger |
| 2015-06-15 15:33:41 |
OpenStack Infra |
cinder: assignee |
Tristan Cacqueray (tristan-cacqueray) |
Eric Harney (eharney) |
|
| 2015-06-15 17:10:09 |
Eric Harney |
nominated for series |
|
cinder/icehouse |
|
| 2015-06-15 17:10:09 |
Eric Harney |
nominated for series |
|
cinder/kilo |
|
| 2015-06-15 17:10:09 |
Eric Harney |
nominated for series |
|
cinder/juno |
|
| 2015-06-15 19:47:49 |
OpenStack Infra |
cinder: status |
In Progress |
Fix Committed |
|
| 2015-06-15 22:38:02 |
OpenStack Infra |
tags |
|
in-stable-kilo |
|
| 2015-06-15 22:42:26 |
OpenStack Infra |
tags |
in-stable-kilo |
in-stable-juno in-stable-kilo |
|
| 2015-06-15 22:45:00 |
OpenStack Infra |
tags |
in-stable-juno in-stable-kilo |
in-stable-icehouse in-stable-juno in-stable-kilo |
|
| 2015-06-16 13:28:48 |
Tristan Cacqueray |
ossa: status |
Triaged |
In Progress |
|
| 2015-06-16 17:40:15 |
Tristan Cacqueray |
summary |
Format-guessing and file disclosure in image convert (CVE-2015-1850) |
[OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850) |
|
| 2015-06-16 17:40:23 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
| 2015-06-17 12:54:09 |
Tristan Cacqueray |
summary |
[OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850) |
[OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851) |
|
| 2015-06-17 12:55:17 |
Tristan Cacqueray |
cve linked |
|
2015-1851 |
|
| 2015-06-17 17:00:16 |
Mike Perez |
bug task added |
|
cinder/icehouse |
|
| 2015-06-17 17:00:30 |
Mike Perez |
bug task added |
|
cinder/juno |
|
| 2015-06-17 17:00:44 |
Mike Perez |
bug task added |
|
cinder/kilo |
|
| 2015-06-17 17:00:53 |
Mike Perez |
cinder: milestone |
|
liberty-1 |
|
| 2015-06-17 17:02:17 |
Mike Perez |
cinder/icehouse: assignee |
|
Eric Harney (eharney) |
|
| 2015-06-17 17:02:24 |
Mike Perez |
cinder/juno: assignee |
|
Eric Harney (eharney) |
|
| 2015-06-17 17:02:31 |
Mike Perez |
cinder/kilo: assignee |
|
Eric Harney (eharney) |
|
| 2015-06-17 17:02:34 |
Mike Perez |
cinder/icehouse: importance |
Undecided |
High |
|
| 2015-06-17 17:02:37 |
Mike Perez |
cinder/juno: importance |
Undecided |
High |
|
| 2015-06-17 17:02:41 |
Mike Perez |
cinder/kilo: status |
New |
Fix Committed |
|
| 2015-06-17 17:02:44 |
Mike Perez |
cinder/kilo: importance |
Undecided |
High |
|
| 2015-06-17 17:02:47 |
Mike Perez |
cinder/icehouse: status |
New |
Fix Committed |
|
| 2015-06-17 17:02:51 |
Mike Perez |
cinder/juno: status |
New |
Fix Committed |
|
| 2015-06-17 18:16:14 |
Alan Pevec |
cinder/icehouse: milestone |
|
2014.1.5 |
|
| 2015-06-19 12:52:12 |
Alan Pevec |
cinder/icehouse: status |
Fix Committed |
Fix Released |
|
| 2015-06-23 14:39:49 |
Thierry Carrez |
cinder: status |
Fix Committed |
Fix Released |
|
| 2015-07-09 14:38:51 |
Matthew Edmonds |
bug |
|
|
added subscriber Matthew Edmonds |
| 2015-07-23 21:53:01 |
Alan Pevec |
cinder/kilo: milestone |
|
2015.1.1 |
|
| 2015-07-29 21:40:59 |
Alan Pevec |
cinder/kilo: status |
Fix Committed |
Fix Released |
|
| 2015-08-10 14:19:48 |
Tristan Cacqueray |
ossa: status |
Fix Committed |
Fix Released |
|
| 2015-10-07 09:40:37 |
Hao Jun Wang |
bug |
|
|
added subscriber Hao Jun Wang |
| 2015-10-15 11:40:20 |
Thierry Carrez |
cinder: milestone |
liberty-1 |
7.0.0 |
|
| 2015-10-28 17:23:13 |
Matt Riedemann |
nova: status |
Triaged |
Incomplete |
|
| 2015-11-14 15:04:01 |
Alan Pevec |
cinder/juno: milestone |
|
2014.2.4 |
|
| 2015-11-19 21:39:49 |
Alan Pevec |
cinder/juno: status |
Fix Committed |
Fix Released |
|
| 2016-02-20 00:40:02 |
Sean Dague |
nova: status |
Incomplete |
Invalid |
|
