[OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163)

Oops... clearly meant to report this to the Glance project.

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Change this was added in: https://review.openstack.org/#/c/156249/

Looks like the timing of that addition makes it kilo-only. Still we need a kilo series task added to this bug to track the backport change for the stable/kilo branch.

This is indeed an issue. I'll work on a patch for it asap and come report it back to the issue.

Also, the change that introduced this issue is: https://review.openstack.org/#/c/159129/

Well, that commit too is kilo-only, so we at least won't need any fix backported to juno.

Impact description draft:

Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0

Description:
Eric Harney from Red Hat reported a vulnerability in Glance. By importing a qcow2 image with a malicious backing file, an authenticated user may mislead Glance import task action, resulting in the disclosure of any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.

The impact description looks good to me, but note that we've got 2015.1.1 sneaking up on us RSN so even if it doesn't take long to fix we'll likely need to change the affects line.

Please, find the patch attached. The patch forbids importing images with backed files entirely.

Beside some pep8 errors, the patch succeed run_tests.sh here...

./glance/tests/unit/async/flows/test_import.py:22:1: H306 imports not in alphabetical order (oslo_config.cfg, oslo_concurrency.processutils)
./glance/async/flows/base_import.py:23:1: H306 imports not in alphabetical order (oslo_config.cfg, oslo_concurrency.processutils)
./glance/async/flows/base_import.py:168:9: E303 too many blank lines (2)

The patch seems reasonable to me. (Not a Glance expert.) Should remove the change to introspect.py.

ops, sorry for the pep8 issues and the unwanted change in introspect.py

New patch LGTM. Can we get a cores approval to progress this?

CVE requested.

@glance-coresec, can we please get an approval before setting a disclosure date ?

second proposal for 0001-Don-t-import-files-with-backed-files.patch lgtm.

Thanks Flavio. Please ping me as soon as you have a proposed solution and I will +2/A it.

I see Stuart on subscribed here. Can we get his opinion prior to opening this bug?

The proposed patch does not apply cleanly anymore, import causes issues. Here are fixed versions.

If these two last patchs are correct and if we can send the pre-OSSA by early Monday, the disclosure date could be:
2015-08-13, 1500UTC

Does that sounds good ?

I'm cool with the advisory going out on Thursday, August 13.

The affect line in the impact description is: "2015.1.0 versions through 2015.1.1"

This update fixes:
./glance/async/flows/base_import.py:25:1: H306 imports not in alphabetical order (oslo_utils.excutils, oslo_utils.encodeutils)

This update fixes:

testtools.testresult.real._StringException: Traceback (most recent call last):
  File "glance/tests/unit/async/flows/test_import.py", line 191, in test_import_flow_backed_file_import_to_fs
    failure.Failure)
NameError: global name 'failure' is not defined

tested both patches - master and stable - and they both passed. Approved from my side!

Fix proposed to branch: master
Review: https://review.openstack.org/212567

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/212568

Reviewed: https://review.openstack.org/212568
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=eb99e45829a1b4c93db5692bdbf636a86faa56c4
Submitter: Jenkins
Branch: stable/kilo

commit eb99e45829a1b4c93db5692bdbf636a86faa56c4
Author: Flavio Percoco <email address hidden>
Date: Thu Jul 9 14:44:04 2015 +0200

    Don't import files with backed files

    There's a security issue where it'd be possible to import images with
    backed files using the task engine and then use/convert those to access
    system files or any other file in the system. An example of an attack
    would be to import an image with a backing file pointing to
    `/etc/passwd`, then convert it to raw and download the generated image.

    This patch forbids importing files with baking files entirely. It does
    that in the `_ImportToFS` task, which is the one that imports the image
    locally to then execute other tasks on it. It's not necessary for the
    `_ImportToStore` task because other tasks won't be executed when the
    image is imported in the final store.

    Change-Id: I35f43c3b3f326942fb53b7dadb94700ac4513494
    Closes-bug: #1471912
    (cherry picked from commit d529863a1e8d2307526bdb395b4aebe97f81603d)

Reviewed: https://review.openstack.org/212567
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=d529863a1e8d2307526bdb395b4aebe97f81603d
Submitter: Jenkins
Branch: master

commit d529863a1e8d2307526bdb395b4aebe97f81603d
Author: Flavio Percoco <email address hidden>
Date: Thu Jul 9 14:44:04 2015 +0200

    Don't import files with backed files

    There's a security issue where it'd be possible to import images with
    backed files using the task engine and then use/convert those to access
    system files or any other file in the system. An example of an attack
    would be to import an image with a backing file pointing to
    `/etc/passwd`, then convert it to raw and download the generated image.

    This patch forbids importing files with baking files entirely. It does
    that in the `_ImportToFS` task, which is the one that imports the image
    locally to then execute other tasks on it. It's not necessary for the
    `_ImportToStore` task because other tasks won't be executed when the
    image is imported in the final store.

    Change-Id: I35f43c3b3f326942fb53b7dadb94700ac4513494
    Closes-bug: #1471912

Are there some backported patches for at least 2015.1.1? The kilo patch doesn't apply to 2015.1.1 or 2015.1.0 :(

ah, it was the patch that was sent out that was malformed just get it here instead :D