| 2013-01-12 20:19:55 |
Dan Prince |
bug |
|
|
added bug |
| 2013-01-12 20:21:32 |
Dan Prince |
description |
Using the latest release of Glance Grizzly (git 2d9b3f1) on Fedora 17.
It appears that Glance can return a 404 message which contains the backend Swift store password *when* there are errors obtaining the image from Swift.
Example:
[root@nova1 image]# glance image-download foo
Request returned failure status.
404 Not Found
Swift could not find image at uri swift+http://admin%3Aadmin:AABBCC112233@127.0.0.1:5000/v2.0/glance/b0bd4daf-0cef-448e-b5f2-3033d0f5a73a
(HTTP 404)
----
The above could happen for *any* user that can run Glance commands.
A simple way to replicate this is to do something like this:
1) Setup Glance using Swift as a backend (single tenant mode).
2) Remove or block an image from the swift account where images are stored.
3) Attempt to download the same image (which you removed from Swift) from Glance.
---
The root cause of the issue appears to be that the Swift store raises exception with the backend location in them. |
Using the latest release of Glance Grizzly (git 2d9b3f1) on Fedora 17.
It appears that Glance can return a 404 message which contains the backend Swift store password when there are errors obtaining the image from Swift.
Example:
[root@nova1 image]# glance image-download foo
Request returned failure status.
404 Not Found
Swift could not find image at uri swift+http://admin%3Aadmin:AABBCC112233@127.0.0.1:5000/v2.0/glance/b0bd4daf-0cef-448e-b5f2-3033d0f5a73a
(HTTP 404)
----
The above could happen for any user that can access the Glance server.
A simple way to replicate this is to do something like this:
1) Setup Glance using Swift as a backend (single tenant mode).
2) Remove or block an image from the swift account where images are stored.
3) Attempt to download the same image (which you removed from Swift) from Glance.
---
The root cause of the issue appears to be that the Swift store raises exception with the backend location in them. |
|
| 2013-01-12 20:29:01 |
Dan Prince |
attachment added |
|
Patch for Grizzly https://bugs.launchpad.net/glance/+bug/1098962/+attachment/3481356/+files/grizzly.patch |
|
| 2013-01-12 20:39:13 |
Dan Prince |
attachment added |
|
Patch for Folsom https://bugs.launchpad.net/glance/+bug/1098962/+attachment/3481366/+files/folsom.patch |
|
| 2013-01-12 20:41:36 |
Dan Prince |
attachment added |
|
Patch for Essex https://bugs.launchpad.net/glance/+bug/1098962/+attachment/3481391/+files/essex.patch |
|
| 2013-01-12 20:42:57 |
Dan Prince |
description |
Using the latest release of Glance Grizzly (git 2d9b3f1) on Fedora 17.
It appears that Glance can return a 404 message which contains the backend Swift store password when there are errors obtaining the image from Swift.
Example:
[root@nova1 image]# glance image-download foo
Request returned failure status.
404 Not Found
Swift could not find image at uri swift+http://admin%3Aadmin:AABBCC112233@127.0.0.1:5000/v2.0/glance/b0bd4daf-0cef-448e-b5f2-3033d0f5a73a
(HTTP 404)
----
The above could happen for any user that can access the Glance server.
A simple way to replicate this is to do something like this:
1) Setup Glance using Swift as a backend (single tenant mode).
2) Remove or block an image from the swift account where images are stored.
3) Attempt to download the same image (which you removed from Swift) from Glance.
---
The root cause of the issue appears to be that the Swift store raises exception with the backend location in them. |
Using the latest release of Glance Grizzly (git 2d9b3f1) on Fedora 17.
It appears that Glance can return a 404 message which contains the backend Swift store password when there are errors obtaining the image from Swift.
Example:
[root@nova1 image]# glance image-download foo
Request returned failure status.
404 Not Found
Swift could not find image at uri swift+http://admin%3Aadmin:AABBCC112233@127.0.0.1:5000/v2.0/glance/b0bd4daf-0cef-448e-b5f2-3033d0f5a73a
(HTTP 404)
----
The above could happen for any user that can access the Glance server.
A simple way to replicate this is to do something like this:
1) Setup Glance using Swift as a backend (single tenant mode).
2) Remove or block an image from the swift account where images are stored.
3) Attempt to download the same image (which you removed from Swift) from Glance.
---
The root cause of the issue appears to be that the Swift store can raise NotFound exceptions with the backend location URI in them. |
|
| 2013-01-15 21:35:43 |
Brian Waldon |
bug |
|
|
added subscriber Mark Washenberger |
| 2013-01-15 21:39:02 |
Brian Waldon |
bug |
|
|
added subscriber Gabe Westmaas |
| 2013-01-15 22:02:54 |
Thierry Carrez |
bug |
|
|
added subscriber OpenStack Vulnerability Management team |
| 2013-01-16 11:07:50 |
Thierry Carrez |
nominated for series |
|
glance/essex |
|
| 2013-01-16 11:07:50 |
Thierry Carrez |
bug task added |
|
glance/essex |
|
| 2013-01-16 11:07:50 |
Thierry Carrez |
nominated for series |
|
glance/folsom |
|
| 2013-01-16 11:07:50 |
Thierry Carrez |
bug task added |
|
glance/folsom |
|
| 2013-01-16 11:07:56 |
Thierry Carrez |
glance/essex: status |
New |
In Progress |
|
| 2013-01-16 11:07:59 |
Thierry Carrez |
glance/essex: importance |
Undecided |
High |
|
| 2013-01-16 11:08:02 |
Thierry Carrez |
glance/folsom: status |
New |
In Progress |
|
| 2013-01-16 11:08:05 |
Thierry Carrez |
glance/folsom: importance |
Undecided |
High |
|
| 2013-01-16 11:08:17 |
Thierry Carrez |
glance/folsom: milestone |
|
2012.2.3 |
|
| 2013-01-16 11:08:56 |
Thierry Carrez |
bug |
|
|
added subscriber Brian Waldon |
| 2013-01-16 11:09:05 |
Thierry Carrez |
bug |
|
|
added subscriber Mark McLoughlin |
| 2013-01-18 10:56:02 |
Thierry Carrez |
bug |
|
|
added subscriber Glance Core |
| 2013-01-21 03:13:30 |
Dan Prince |
attachment added |
|
grizzly.patch https://bugs.launchpad.net/glance/+bug/1098962/+attachment/3491544/+files/grizzly.patch |
|
| 2013-01-21 03:13:57 |
Dan Prince |
attachment added |
|
folsom.patch https://bugs.launchpad.net/glance/+bug/1098962/+attachment/3491546/+files/folsom.patch |
|
| 2013-01-21 03:14:17 |
Dan Prince |
attachment added |
|
essex.patch https://bugs.launchpad.net/glance/+bug/1098962/+attachment/3491547/+files/essex.patch |
|
| 2013-01-22 16:20:11 |
Dan Prince |
attachment added |
|
grizzly.patch https://bugs.launchpad.net/glance/+bug/1098962/+attachment/3494840/+files/grizzly.patch |
|
| 2013-01-23 10:58:43 |
Thierry Carrez |
cve linked |
|
2013-0212 |
|
| 2013-01-24 08:10:40 |
Thierry Carrez |
bug |
|
|
added subscriber Canonical Security Team |
| 2013-01-28 23:51:12 |
Jamie Strandboge |
attachment added |
|
diablo-proposed.patch https://bugs.launchpad.net/glance/+bug/1098962/+attachment/3505140/+files/diablo-proposed.patch |
|
| 2013-01-29 15:01:08 |
Thierry Carrez |
information type |
Private Security |
Public Security |
|
| 2013-01-29 15:01:47 |
OpenStack Infra |
glance/folsom: assignee |
|
Dan Prince (dan-prince) |
|
| 2013-01-29 15:02:04 |
OpenStack Infra |
glance/essex: assignee |
|
Dan Prince (dan-prince) |
|
| 2013-01-29 15:58:03 |
OpenStack Infra |
glance/folsom: status |
In Progress |
Fix Committed |
|
| 2013-01-29 20:02:56 |
OpenStack Infra |
glance: status |
In Progress |
Fix Committed |
|
| 2013-01-29 20:03:04 |
OpenStack Infra |
glance/essex: status |
In Progress |
Fix Committed |
|
| 2013-01-30 15:36:16 |
Thierry Carrez |
removed subscriber OpenStack Vulnerability Management team |
|
|
|
| 2013-01-30 15:36:19 |
Thierry Carrez |
bug |
|
|
added subscriber Thierry Carrez |
| 2013-01-31 22:02:51 |
Mark McLoughlin |
glance/folsom: status |
Fix Committed |
Fix Released |
|
| 2013-02-21 08:45:09 |
Thierry Carrez |
glance: status |
Fix Committed |
Fix Released |
|
| 2013-04-04 09:54:54 |
Thierry Carrez |
glance/grizzly: importance |
Undecided |
High |
|
| 2013-04-04 09:54:54 |
Thierry Carrez |
glance/grizzly: status |
New |
Fix Released |
|
| 2013-04-04 09:54:54 |
Thierry Carrez |
glance/grizzly: milestone |
|
2013.1 |
|
| 2013-04-04 09:54:54 |
Thierry Carrez |
glance/grizzly: assignee |
|
Dan Prince (dan-prince) |
|
| 2013-05-24 12:58:05 |
Thierry Carrez |
summary |
glance image-download can display backend Swift password |
[OSSA 2013-002] glance image-download can display backend Swift password |
|
| 2013-05-24 12:58:14 |
Thierry Carrez |
bug task added |
|
ossa |
|
| 2013-05-24 12:58:25 |
Thierry Carrez |
ossa: status |
New |
Fix Released |
|
| 2013-05-24 12:58:25 |
Thierry Carrez |
ossa: assignee |
|
Thierry Carrez (ttx) |
|
| 2018-07-25 18:52:35 |
Jamie Strandboge |
bug |
|
|
added subscriber Ubuntu Security Team |
| 2018-07-25 18:52:38 |
Jamie Strandboge |
removed subscriber Canonical Security Team |
|
|
|
