[OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)

Master fix proposed at https://review.openstack.org/#/c/145640/

Juno fix proposed at https://review.openstack.org/#/c/145916/

Impact description draft #1:

Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (IBM)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Description:
Jin Liu from IBM reported that path traversal vulnerability in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme an authenticated user can still download or delete any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.

"2014.2 versions up to 2014.2.1" and "path traversal vulnerabilities in Glance were" but otherwise the proposed impact description looks good to me.

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/145974

Jin Liu seems to be from EMC. Otherwise looks good. Could use a Glance coresec check though, adding them to the bug.

Reviewed: https://review.openstack.org/145640
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=a2d986b976e9325a272e2d422465165315d19fe6
Submitter: Jenkins
Branch: master

commit a2d986b976e9325a272e2d422465165315d19fe6
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800

    Prevent file, swift+config and filesystem schemes

    This change ensures that 'file', 'filesystem', and 'swift+config' URI
    schemes are not allowed when setting the location field. A previous
    fix to CVE-2014-9493 attempted to address this issue but did not
    include 'filesystem', a URI scheme allowed by the glance_store.

    Without this fix in place it is possible for a client to access any file
    the glance-api server has read permissions for.

    Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
    Closes-Bug: #1408663

@Jin Liu: we will credit EMC as your company, if it's ok for you, you might want to update your openstack community profile... see: http://www.openstack.org/community/members/profile/17173

Thanks for the review, here is the impact description draft #2:

Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (EMC)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Description:
Jin Liu from EMC reported that path traversal vulnerabilities in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme an authenticated user can still download or delete any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.

Reviewed: https://review.openstack.org/145916
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=5191ed1879c5fd5b2694f922bcedec232f461088
Submitter: Jenkins
Branch: stable/juno

commit 5191ed1879c5fd5b2694f922bcedec232f461088
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800

    Prevent file, swift+config and filesystem schemes

    This change ensures that 'file', 'filesystem', and 'swift+config' URI
    schemes are not allowed when setting the location field. A previous
    fix to CVE-2014-9493 attempted to address this issue but did not
    include 'filesystem', a URI scheme allowed by the glance_store.

    Without this fix in place it is possible for a client to access any file
    the glance-api server has read permissions for.

    Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
    Closes-Bug: #1408663
    (cherry picked from commit a2d986b976e9325a272e2d422465165315d19fe6)

Reviewed: https://review.openstack.org/145974
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
Submitter: Jenkins
Branch: stable/icehouse

commit 7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800

    Prevent file, swift+config and filesystem schemes

    This change ensures that 'file', 'filesystem', and 'swift+config' URI
    schemes are not allowed when setting the location field. A previous
    fix to CVE-2014-9493 attempted to address this issue but did not
    include 'filesystem', a URI scheme allowed by the glance_store.

    Without this fix in place it is possible for a client to access any file
    the glance-api server has read permissions for.

    (cherry picked from commit 5191ed1879c5fd5b2694f922bcedec232f461088)

    Conflicts:
     glance/common/store_utils.py

    Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
    Closes-Bug: #1408663

Tristan's updated impact description in comment #8 looks good to me.

@Glance-coresec: can someone please confirm if the impact description in comment #8 is correct ?

I'm waiting for your approval before requesting a CVE, thanks in advance!

The impact description in comment #8 from Tristan, looks good to me.

The OSSA have been published without CVE, will switch the OSSA task to "fix released" once one is assigned and the errata is out.

Reviewed: https://review.openstack.org/147556
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=f6b1f51a54c7029f487972e6cbb7c9df98dda01d
Submitter: Jenkins
Branch: master

commit f6b1f51a54c7029f487972e6cbb7c9df98dda01d
Author: Tristan Cacqueray <email address hidden>
Date: Thu Jan 15 15:36:30 2015 +0000

    Adds OSSA-2015-002

    Related-Bug: #1408663
    Change-Id: Id36443b17f18a0f0cbcfd731c4fd50d8f2ffd9d1

Fix proposed to branch: master
Review: https://review.openstack.org/150736

Change abandoned by Ian Cordasco (<email address hidden>) on branch: master
Review: https://review.openstack.org/150736
Reason: There's been no discussion of this since February. Zhi Yan Liu and I agree that this is a dangerous change, so I'm abandoning this for now. If this is something we want later on, we can always restore it.