Image data stays in store (filesystem store) if image is deleted after staging call

Bug #1733289 reported by Abhishek Kekane on 2017-11-20
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Abhishek Kekane
OpenStack Security Advisory

Bug Description

Trying to delete image after staging call image gets deleted from the database, but image data remains in the backend ('/tmp/staging' directory).

NOTE: This issue will occur only if image-import is enabled in the deployment i.e. 'enable_image_import' is set to True in glance-api.conf

Steps to reproduce:
1. Create image
   $ glance image-create --container-format ami --disk-format ami --name test_image
2. Add image to staging area using stage call
   $ glance image-stage <IMAGE_ID>
3. Verify that image is uploaded to staging area i.e. in '/tmp/staging' area
   $ ls -la /tmp/staging/<IMAGE_ID>
   Output: -rw-r--r--. 1 centos centos 313 Nov 20 09:05 /tmp/staging/<IMAGE_ID>
4. Delete the image
   $ glance image-delete <IMAGE_ID>
5. Verify image-list does not show deleted image
   $ glance image-list
6. Verify that image is still present in staging area i.e. in '/tmp/staging' area
   $ ls -la /tmp/staging/<IMAGE_ID>
   Output: -rw-r--r--. 1 centos centos 313 Nov 20 09:05 /tmp/staging/<IMAGE_ID>

Image gets deleted from the database but image data presents in the staging area i.e. in '/tmp/staging' directory.

Actually after deleting the image after staging call it should be cleared from staging area as well.

Attack scenario here is to create/stage/delete a lot of large size images using DoS the temporary image backend by filling it up.

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Brian Rosmaita (brian-rosmaita) wrote :

Since this is part of the EXPERIMENTAL 2.6 API and the MVP of interoperable image import, which are not enabled by default, I don't think it requires a security advisory. It's definitely something that needs to be fixed, though.

Jeremy Stanley (fungi) wrote :

Thanks, sounds like report class B3 (A vulnerability in experimental or debugging features not intended for production use) so setting our advisory task to won't fix. I suppose it should also be safe to switch this bug to public?

Changed in ossa:
status: Incomplete → Won't Fix
description: updated
Brian Rosmaita (brian-rosmaita) wrote :

I think it's OK to make this public.

Jeremy Stanley (fungi) wrote :

Thanks. In that case, treating as a normal Public bug tagged as a potential security hardening opportunity.

information type: Private Security → Public
tags: added: security
Changed in glance:
assignee: nobody → Abhishek Kekane (abhishek-kekane)

Fix proposed to branch: master

Changed in glance:
status: New → In Progress
Changed in glance:
milestone: none → queens-2
importance: Undecided → High
Brian Rosmaita (brian-rosmaita) wrote :

Postponed to Q-3 but raised Importance to indicate we're serious about fixing this.

Changed in glance:
importance: High → Critical
milestone: queens-2 → queens-3
Changed in glance:
milestone: queens-3 → queens-rc1

Submitter: Zuul
Branch: master

commit 7eb2fcc865e56cc81f287beb71d6c320dc2f336d
Author: Abhishek Kekane <email address hidden>
Date: Mon Nov 27 06:36:09 2017 +0000

    Delete data if image is deleted after staging call

    Trying to delete image after staging call image gets deleted
    from the database, but image data remains in the
    staging area.

    Deleted image data from the staging area if image_import is
    enabled and image is in uploading state while deleting.

    Closes-Bug: #1733289
    Change-Id: I6ef1c05760a27a0b3620024003b49328c55f19a6

Changed in glance:
status: In Progress → Fix Released

This issue was fixed in the openstack/glance release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers