Also, I think this vulnerability can exist irrespective of the existence of the db-purge utility, as an individual operator can choose to hard-delete the soft-deleted old rows on their deployment.
There is a problem with introducing a new table due to the growth in the size of the DB over a period of time. This was one of the major reasons why the db-purge utility was introduced. I think this bug is subject to further discussion on the best possible solution. I, however, find it in the best interest to send a CVE note with advice on not deleting soft-deleted images. It should be left to the operator to decide which images are safe to be removed from the database once their deployment is assured of the non-existence of such -- like no tracking of that image id in Nova, Cinder, Ironic, Heat, etc.
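The check the comment above asks operators to perform, as an added example that is not Glance code or anything from this bug thread: before hard-deleting soft-deleted image rows, hold back any row whose image id is still tracked by another service (Nova, Cinder, Ironic, Heat, ...) or that is younger than the chosen age threshold. The row layout, the service names and the reference sets are constructed for illustration; how an operator collects the live references from each service is assumed to happen outside this function.

```python
"""
Added example (not Glance's db purge code): build a purge plan for
soft-deleted image rows that only hard-deletes rows no other service
still refers to. All sample data below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of soft-deleted rows, reduced to the two columns
# the check needs: the image id and when it was soft-deleted.
SOFT_DELETED_IMAGES = [
    {"id": "0b8f8e5a-0000-4000-8000-000000000001",
     "deleted_at": datetime(2023, 1, 10, tzinfo=timezone.utc)},
    {"id": "0b8f8e5a-0000-4000-8000-000000000002",
     "deleted_at": datetime(2023, 5, 20, tzinfo=timezone.utc)},
    {"id": "0b8f8e5a-0000-4000-8000-000000000003",
     "deleted_at": datetime(2023, 2, 1, tzinfo=timezone.utc)},
]

# Constructed: image ids that other services still track (an instance
# booted from the image, a volume created from it, a stack template
# naming it). An operator would gather these from each service before
# running a purge; this dict stands in for that collection step.
REFERENCES = {
    "nova": {"0b8f8e5a-0000-4000-8000-000000000003"},
    "cinder": {"0b8f8e5a-0000-4000-8000-000000000003"},
    "ironic": set(),
    "heat": set(),
}


def purge_plan(rows, references, age_in_days, now):
    """Split soft-deleted rows into ids safe to hard-delete and ids to keep.

    A row is retained when it is younger than ``age_in_days`` or when any
    service in ``references`` still tracks its id. Returns
    (purgeable_ids, {retained_id: reason}).
    """
    cutoff = now - timedelta(days=age_in_days)
    purgeable = []
    retained = {}
    for row in rows:
        image_id = row["id"]
        holders = sorted(svc for svc, ids in references.items()
                         if image_id in ids)
        if row["deleted_at"] > cutoff:
            retained[image_id] = "soft-deleted less than %d days ago" % age_in_days
        elif holders:
            retained[image_id] = "still referenced by " + ", ".join(holders)
        else:
            purgeable.append(image_id)
    return purgeable, retained


if __name__ == "__main__":
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    safe, kept = purge_plan(SOFT_DELETED_IMAGES, REFERENCES, 30, now)
    print("safe to hard-delete:", safe)
    for image_id, reason in kept.items():
        print("keep %s: %s" % (image_id, reason))
```

The point of returning a reason per retained id is that an operator can review why a row was held back and revisit it later, rather than the purge silently skipping or, worse, silently deleting a row that a consumer still names.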
We haven't published the recordings so I agree that having this in a private bug is okay.
Please note that this issue exists at least since Liberty. The commit that introduced this feature and hence a vulnerability along with it is:
commit 9a6823326b43c01562a736d417f6e5f7f68e44cf
Author: Martin Mágr <email address hidden>
Date: Mon Aug 24 13:37:54 2015 +0200
Add db purge command
This patch adds "db purge" to glance-manage for deleting soft deleted
images, tasks.
Change-Id: I5b609292aa15f8133d0d785fcf9143825bed8073
Implements: blueprint database-purge
I can confirm that this is a real issue.