[OSSA 2015-004] Image file stays in store if image has been deleted during upload (CVE-2014-9684)

Bug #1371118 reported by Mike Fedosin on 2014-09-18
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | | Medium | Mike Fedosin | |
| Icehouse | | Undecided | Unassigned | |
| Juno | | Medium | Abhishek Kekane | |
| OpenStack Security Advisory | | Medium | Unassigned | |

Bug Description

When I create a new task in v2 to upload an image, it creates the image record in the DB, sets its status to "saving" and then begins the upload.

If the image is deleted by the appropriate API call while its content is still being uploaded, an exception is raised and it is not handled in the API code. As a result, the uploaded image file stays in storage and clogs it.

  File "/opt/stack/glance/glance/common/scripts/image_import/main.py", line 62, in _execute
    uri)
  File "/opt/stack/glance/glance/common/scripts/image_import/main.py", line 95, in import_image
    new_image = image_repo.get(image_id)
  File "/opt/stack/glance/glance/api/authorization.py", line 106, in get
    image = self.image_repo.get(image_id)
  File "/opt/stack/glance/glance/domain/proxy.py", line 86, in get
    return self.helper.proxy(self.base.get(item_id))
  File "/opt/stack/glance/glance/api/policy.py", line 179, in get
    return super(ImageRepoProxy, self).get(image_id)
  File "/opt/stack/glance/glance/domain/proxy.py", line 86, in get
    return self.helper.proxy(self.base.get(item_id))
  File "/opt/stack/glance/glance/domain/proxy.py", line 86, in get
    return self.helper.proxy(self.base.get(item_id))
  File "/opt/stack/glance/glance/domain/proxy.py", line 86, in get
    return self.helper.proxy(self.base.get(item_id))
  File "/opt/stack/glance/glance/db/__init__.py", line 72, in get
    raise exception.NotFound(msg)
NotFound: No image found with ID e2285448-a56f-45b1-9e6e-216d2b304967

This bug is very similar to https://bugs.launchpad.net/glance/+bug/1188532, but it relates to the task mechanism in v2.

Mike Fedosin (mfedosin) on 2014-09-18
Changed in glance:
assignee: nobody → Mike Fedosin (mfedosin)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/122427

Changed in glance:
status: New → In Progress
Dolph Mathews (dolph) on 2014-10-03
Changed in glance:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/122427
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=7858d4d95154c8596720365e465cca7858cfec5c
Submitter: Jenkins
Branch: master

commit 7858d4d95154c8596720365e465cca7858cfec5c
Author: Mike Fedosin <email address hidden>
Date: Thu Sep 18 18:07:42 2014 +0400

    Initiate deletion of image files if the import was interrupted

    If the image is deleted by appropriate API call while its content
    is still being uploaded in import task in v2, an exception is raised
    and it is not handled in the API code. This leads to the fact that
    the uploaded image file stays in a storage and clogs it.

    There existed code that safely removes image files if the exception
    occurs.

    Change-Id: I4f7d1aa103f4ce7abf4026e7097b9e76c24135fa
    Closes-Bug: 1371118

Changed in glance:
status: In Progress → Fix Committed
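
The race from the bug description and the cleanup described in the commit message, as a toy model added here (not Glance code; `ImageRepo`, `Store`, the import functions and the sample upload stream are hypothetical names constructed for illustration). The image record is deleted while the upload stream is still being consumed, and the count returned is the number of blobs left in the store with no image record.

```python
# Toy model of the race: added illustration, not Glance code; names are hypothetical.
class NotFound(Exception):
    pass

class ImageRepo:  # stand-in for the image database
    def __init__(self):
        self.images = {}
    def get(self, image_id):
        if image_id not in self.images:
            raise NotFound("No image found with ID %s" % image_id)
        return self.images[image_id]

class Store:  # stand-in for the backend store
    def __init__(self):
        self.blobs = {}  # location -> bytes
    def add(self, image_id, chunks):
        location = "store://%s" % image_id
        self.blobs[location] = b"".join(chunks)  # consumes the upload stream
        return location

def import_unsafe(repo, store, image_id, chunks):
    location = store.add(image_id, chunks)
    image = repo.get(image_id)  # raises NotFound if deleted mid-upload
    image.update(status="active", location=location)

def import_with_cleanup(repo, store, image_id, chunks):
    location = store.add(image_id, chunks)
    try:
        image = repo.get(image_id)
    except NotFound:
        store.blobs.pop(location, None)  # record is gone: drop the orphaned data
        raise
    image.update(status="active", location=location)

def upload_deleted_midway(repo, image_id):
    """Constructed upload stream: the image is deleted between two chunks."""
    yield b"first-chunk"
    del repo.images[image_id]  # simulates the concurrent delete API call
    yield b"second-chunk"

def orphaned_blobs(import_fn):
    """Run one interrupted import and count blobs left without an image record."""
    repo, store = ImageRepo(), Store()
    repo.images["img-1"] = {"status": "saving", "location": None}
    try:
        import_fn(repo, store, "img-1", upload_deleted_midway(repo, "img-1"))
    except NotFound:
        pass  # the task fails either way; what matters is what stays in the store
    return len(store.blobs)
```

Calling `orphaned_blobs(import_unsafe)` reports one leftover blob, while `orphaned_blobs(import_with_cleanup)` reports none.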
Thierry Carrez (ttx) on 2014-12-19
Changed in glance:
milestone: none → kilo-1
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/157067

summary: Image file stays in store if image has been deleted during upload
+ (CVE-2014-9684)
Nikhil Komawar (nikhil-komawar) wrote : Re: Image file stays in store if image has been deleted during upload (CVE-2014-9684)

Thanks for marking Icehouse as Incomplete, Ian. You're right there, the feature did not exist until Juno so it does not affect Icehouse. We can leave it Incomplete so that someone else does not open it up by mistake rather than deleting it.

Thierry Carrez (ttx) on 2015-02-23
Changed in ossa:
status: New → In Progress
importance: Undecided → Medium
summary: - Image file stays in store if image has been deleted during upload
- (CVE-2014-9684)
+ [OSSA 2015-004] Image file stays in store if image has been deleted
+ during upload (CVE-2014-9684)
Nikhil Komawar (nikhil-komawar) wrote :
Tristan Cacqueray (tristan-cacqueray) wrote :

Waiting for https://review.openstack.org/#/c/157067/ to be merged before switching OSSA task to fix released.

Changed in ossa:
status: In Progress → Fix Committed
no longer affects: glance/kilo
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/juno)

Reviewed: https://review.openstack.org/157067
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=a880c8e762e94b70c1e5d5692a3defcde734a601
Submitter: Jenkins
Branch: stable/juno

commit a880c8e762e94b70c1e5d5692a3defcde734a601
Author: Mike Fedosin <email address hidden>
Date: Thu Sep 18 18:07:42 2014 +0400

    Initiate deletion of image files if the import was interrupted

    If the image is deleted by appropriate API call while its content
    is still being uploaded in import task in v2, an exception is raised
    and it is not handled in the API code. This leads to the fact that
    the uploaded image file stays in a storage and clogs it.

    There existed code that safely removes image files if the exception
    occurs.

    SecurityImpact

    Conflicts:
     glance/common/scripts/image_import/main.py

    Closes-Bug: 1371118
    Change-Id: I4f7d1aa103f4ce7abf4026e7097b9e76c24135fa
    (cherry picked from commit 7858d4d95154c8596720365e465cca7858cfec5c)

Changed in ossa:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in glance:
milestone: kilo-1 → 2015.1.0