OpenStack Image Registry and Delivery Service (Glance)

[OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted in the v2 api

Reported by Mark Washenberger on 2012-11-08
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance
Critical
Mark Washenberger
Declined for Grizzly by Thierry Carrez
Folsom
Critical
Mark Washenberger
Grizzly
Critical
Mark Washenberger
OpenStack Security Advisory
Undecided
Russell Bryant
glance (Ubuntu)
Undecided
Unassigned
Quantal
Undecided
Unassigned

Bug Description

It appears that bug #1065187 also affects the v2 api. From the previous description:

Given a public, non-protected image, a non-admin user can issue a delete against that image which may delete the image from the backend storage repository. The client will get a 403 unauthorized response, but the backend delete method is called prior to checking for those permissions on the glance registry.

Russell Bryant (russellb) wrote :

Since this is effectively the same bug as bug 1065187, let's just get these patches in now and I'll post an update to the security advisory.

information type: Private Security → Public Security

Fix proposed to branch: master
Review: https://review.openstack.org/15658

Changed in glance:
assignee: nobody → Mark Washenberger (markwash)
status: New → In Progress

Reviewed: https://review.openstack.org/15658
Committed: http://github.com/openstack/glance/commit/b591304b8980d8aca8fa6cda9ea1621aca000c88
Submitter: Jenkins
Branch: master

commit b591304b8980d8aca8fa6cda9ea1621aca000c88
Author: Mark J. Washenberger <email address hidden>
Date: Thu Nov 8 10:56:07 2012 -0800

    Ensure authorization before deleting from store

    This fixes bug 1076506.

    Change-Id: I3794c14fe523a9a27e943d73dd0248489d2b91f6

Changed in glance:
status: In Progress → Fix Committed
tags: added: in-stable-folsom

Reviewed: https://review.openstack.org/15659
Committed: http://github.com/openstack/glance/commit/fc0ee7623ec59c87ac6fc671e95a9798d6f2e2c3
Submitter: Jenkins
Branch: stable/folsom

commit fc0ee7623ec59c87ac6fc671e95a9798d6f2e2c3
Author: Mark J. Washenberger <email address hidden>
Date: Thu Nov 8 10:56:07 2012 -0800

    Ensure authorization before deleting from store

    This fixes bug 1076506.

    Change-Id: I3794c14fe523a9a27e943d73dd0248489d2b91f6

Brian Waldon (bcwaldon) on 2012-11-08
Changed in glance:
milestone: none → grizzly-1
importance: Undecided → Critical
Thierry Carrez (ttx) wrote :
no longer affects: glance/essex
Thierry Carrez (ttx) on 2012-11-21
Changed in glance:
status: Fix Committed → Fix Released
Changed in glance (Ubuntu):
status: New → Fix Released
Changed in glance (Ubuntu Quantal):
status: New → Confirmed

Hello Mark, or anyone else affected,

Accepted glance into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/glance/2012.2.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in glance (Ubuntu Quantal):
status: Confirmed → Fix Committed
tags: added: verification-needed
Mark McLoughlin (markmc) on 2013-01-22
tags: removed: in-stable-folsom

This bug was fixed in the package glance - 2012.2.1-0ubuntu1

---------------
glance (2012.2.1-0ubuntu1) quantal-proposed; urgency=low

  * Dropped patches, applied upstream:
    - debian/patches/CVE-2012-4573.patch
    - debian/patches/CVE-2012-4573b.patch
  * Resynchronize with stable/folsom (199783ce) (LP: #1085255):
    - [49408e9] Glance image-delete HTTPInternalServerError HTTP 500
      (LP: #1075580)
    - [91aaa48] Image fails to upload to swift: TypeError: object of type
      'CooperativeReader' has no len( (LP: #1057322)
    - [a296a5b] Return 403 when admin deletes a deleted image (LP: #1060944)
    - [3e58a6a] Disallow updating deleted images. (LP: #1060930)
    - [26c8085] admins can see deleted images in v2 api (LP: #1071446)
    - [8321ca6] No exclude option to skip tests in run_tests.sh (LP: #1065758)
    - [c3bea11] Badly named stable/folsom Glance tarballs (LP: #1059634)
    - [fc0ee76] Non-admin users can cause public glance images to be deleted
      from the backend storage repository in the v2 api (LP: #1076506)
    - [90bcdc5] Non-admin users can cause public glance images to be deleted
      from the backend storage repository (LP: #1065187)
    - [7841cc9] FakeAuth not always admin
    - [ddad275] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [1d5c651] nosetest options cause no such option errors (LP: #1056420)
    - [ac223e2] Set defaultbranch in .gitreview to stable/folsom
 -- Adam Gandelman <email address hidden> Tue, 04 Dec 2012 09:19:35 -0800

Changed in glance (Ubuntu Quantal):
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-06-07
summary: - Non-admin users can cause public glance images to be deleted from the
- backend storage repository in the v2 api
+ [OSSA-2012-017] Non-admin users can cause public glance images to be
+ deleted from the backend storage repository in the v2 api
Changed in ossa:
assignee: nobody → Russell Bryant (russellb)
status: New → Fix Released
summary: - [OSSA-2012-017] Non-admin users can cause public glance images to be
+ [OSSA-2012-017.1] Non-admin users can cause public glance images to be
deleted from the backend storage repository in the v2 api
Thierry Carrez (ttx) on 2013-06-07
summary: [OSSA-2012-017.1] Non-admin users can cause public glance images to be
- deleted from the backend storage repository in the v2 api
+ deleted in the v2 api
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers