Glance allows users to download and delete any file in glance-api server

Bug #1403102 reported by ruhe
This bug affects 2 people
Affects              Status        Importance  Assigned to          Milestone
Mirantis OpenStack   Fix Released  Critical    Alexander Tivelkov
  4.1.x              Won't Fix     Critical    MOS Glance
  5.0.x              Won't Fix     Critical    MOS Glance
  5.1.x              Fix Released  Critical    Denis Puchkin
  6.0.x              Fix Released  Critical    Alexander Tivelkov
  6.1.x              Fix Released  Critical    Alexander Tivelkov

Bug Description

By updating image-location through the update images API, users can download any file for which glance-api has read permission.
And a file for which glance-api has write permission will be deleted when users delete the image.

For example:
When users specify '/etc/passwd' as the locations value of an image, the user can get the file by image download.

When the locations of an image are set to 'file:///path/to/glance-api.conf', the conf will be deleted when users delete the image.

How to reproduce the bug:
download files:
 - set show_multiple_locations True in glance-api.conf
 - create a new image
 - set the image's locations property to a path you want to get, such as file:///etc/passwd.
 - download the image

delete files:
 - set show_multiple_locations True in glance-api.conf
 - create a new image
 - set the image's locations property to a path you want to delete, such as file:///path/to/glance-api.conf
 - delete the image

upstream bug: https://bugs.launchpad.net/glance/+bug/1400966
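
The check that closes the hole described above is a scheme allowlist on every location a client supplies through the image API: only remote store schemes are accepted, the local 'file' scheme (and 'swift+config', which names server-side configuration) are refused, and a bare path with no scheme is refused as well. The following is an added example written for this page, not the reporter's code or the Glance fix itself; the KNOWN_SCHEMES list, the function names and the assumed shape of the v2 JSON Patch body are assumptions.

```python
"""Scheme allowlist for client-supplied image locations (added example)."""
import json
from urllib.parse import urlparse

# Store schemes the server knows how to read from. Real Glance derives this
# from the configured stores; the list here is an assumption for the example.
KNOWN_SCHEMES = ("file", "filesystem", "http", "https", "swift", "swift+config", "rbd")

# Schemes that resolve on the glance-api host itself (local filesystem) or
# name server-side configuration; a client must never be able to set them.
LOCAL_SCHEMES = frozenset({"file", "filesystem", "swift+config"})


class ExternalSourceNotSupported(ValueError):
    """Raised for a location a client may not set (would map to HTTP 400)."""


def validate_client_location(uri):
    """Return uri unchanged if its scheme is a permitted remote store scheme.

    A bare path such as '/etc/passwd' has no scheme and is rejected too.
    """
    scheme = urlparse(uri).scheme.lower()
    if scheme not in KNOWN_SCHEMES or scheme in LOCAL_SCHEMES:
        raise ExternalSourceNotSupported(
            "External sources are not supported: %r" % uri)
    return uri


def is_client_location_allowed(uri):
    """Boolean form of validate_client_location."""
    try:
        validate_client_location(uri)
        return True
    except ExternalSourceNotSupported:
        return False


def rejected_locations(patch_ops):
    """Return the location URLs in a v2-style JSON Patch body that must be refused.

    Only 'add'/'replace' ops on /locations or /locations/<index|-> carry URLs;
    'remove' ops carry none. The body shape (a list of {"url", "metadata"}
    entries for /locations, a single entry for /locations/-) is assumed here.
    Malformed entries (no "url" key) are refused rather than skipped.
    """
    rejected = []
    for op in patch_ops:
        path = op.get("path", "")
        if op.get("op") not in ("add", "replace"):
            continue
        if path != "/locations" and not path.startswith("/locations/"):
            continue
        value = op.get("value")
        entries = value if isinstance(value, list) else [value]
        for entry in entries:
            if not isinstance(entry, dict) or "url" not in entry:
                rejected.append(repr(entry))
            elif not is_client_location_allowed(entry["url"]):
                rejected.append(entry["url"])
    return rejected


if __name__ == "__main__":
    # Constructed request body mirroring the reproduction step above.
    body = json.loads('[{"op": "add", "path": "/locations/-", '
                      '"value": {"url": "file:///etc/passwd", "metadata": {}}}]')
    print("refused:", rejected_locations(body))
```

The server would answer with a 400 whenever rejected_locations() returns a non-empty list; the scheme is compared case-insensitively so FILE:// and file:// are treated the same, and an op on any path other than /locations is left to the rest of the API's validation.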


ruhe (ruhe)
Changed in mos:
assignee: nobody → MOS Glance (mos-glance)
status: Confirmed → In Progress
Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0.mira9.git.416c9f6.3babba9

Changeset: https://review.fuel-infra.org/1406
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: patchset-created

Files placed on repository:
openstack-glance-2014.2-fuel6.0.mira9.git.416c9f6.3babba9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.0.mira9.git.416c9f6.3babba9.noarch.rpm
python-glance-2014.2-fuel6.0.mira9.git.416c9f6.3babba9.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable-1406/centos

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0~mira9+git.416c9f6.3babba9

Changeset: https://review.fuel-infra.org/1406
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: patchset-created

Files placed on repository:
glance-api_2014.2-fuel6.0~mira9+git.416c9f6.3babba9_all.deb
glance-common_2014.2-fuel6.0~mira9+git.416c9f6.3babba9_all.deb
glance-registry_2014.2-fuel6.0~mira9+git.416c9f6.3babba9_all.deb
glance_2014.2-fuel6.0~mira9+git.416c9f6.3babba9_all.deb
python-glance-doc_2014.2-fuel6.0~mira9+git.416c9f6.3babba9_all.deb
python-glance_2014.2-fuel6.0~mira9+git.416c9f6.3babba9_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-stable-1406/ubuntu

Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.1.mira9.git.bdb3760.3babba9

Changeset: https://review.fuel-infra.org/1407
project: openstack/glance
branch: openstack-ci/fuel-6.1/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: patchset-created

Files placed on repository:
openstack-glance-2014.2-fuel6.1.mira9.git.bdb3760.3babba9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.1.mira9.git.bdb3760.3babba9.noarch.rpm
python-glance-2014.2-fuel6.1.mira9.git.bdb3760.3babba9.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.1-stable-1407/centos

Revision history for this message
Alexander Tivelkov (ativelkov) wrote :

A fix has been backported from upstream to both 6.0 and 6.1 branches:
https://review.fuel-infra.org/#/q/status:open+project:openstack/glance+topic:bug/1403102

Note that upstream fix is still being reviewed, so changes are possible.

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.1~mira9+git.bdb3760.3babba9

Changeset: https://review.fuel-infra.org/1407
project: openstack/glance
branch: openstack-ci/fuel-6.1/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: patchset-created

Files placed on repository:
glance-api_2014.2-fuel6.1~mira9+git.bdb3760.3babba9_all.deb
glance-common_2014.2-fuel6.1~mira9+git.bdb3760.3babba9_all.deb
glance-registry_2014.2-fuel6.1~mira9+git.bdb3760.3babba9_all.deb
glance_2014.2-fuel6.1~mira9+git.bdb3760.3babba9_all.deb
python-glance-doc_2014.2-fuel6.1~mira9+git.bdb3760.3babba9_all.deb
python-glance_2014.2-fuel6.1~mira9+git.bdb3760.3babba9_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.1-stable-1407/ubuntu

Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.1.mira9.git.7ade815.3babba9

Changeset: https://review.fuel-infra.org/1407
project: openstack/glance
branch: openstack-ci/fuel-6.1/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: patchset-created

Files placed on repository:
openstack-glance-2014.2-fuel6.1.mira9.git.7ade815.3babba9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.1.mira9.git.7ade815.3babba9.noarch.rpm
python-glance-2014.2-fuel6.1.mira9.git.7ade815.3babba9.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.1-stable-1407/centos

Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0.mira9.git.83ba12a.3babba9

Changeset: https://review.fuel-infra.org/1406
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: patchset-created

Files placed on repository:
openstack-glance-2014.2-fuel6.0.mira9.git.83ba12a.3babba9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.0.mira9.git.83ba12a.3babba9.noarch.rpm
python-glance-2014.2-fuel6.0.mira9.git.83ba12a.3babba9.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable-1406/centos

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.1~mira9+git.7ade815.3babba9

Changeset: https://review.fuel-infra.org/1407
project: openstack/glance
branch: openstack-ci/fuel-6.1/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: patchset-created

Files placed on repository:
glance-api_2014.2-fuel6.1~mira9+git.7ade815.3babba9_all.deb
glance-common_2014.2-fuel6.1~mira9+git.7ade815.3babba9_all.deb
glance-registry_2014.2-fuel6.1~mira9+git.7ade815.3babba9_all.deb
glance_2014.2-fuel6.1~mira9+git.7ade815.3babba9_all.deb
python-glance-doc_2014.2-fuel6.1~mira9+git.7ade815.3babba9_all.deb
python-glance_2014.2-fuel6.1~mira9+git.7ade815.3babba9_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.1-stable-1407/ubuntu

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0~mira9+git.83ba12a.3babba9

Changeset: https://review.fuel-infra.org/1406
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: patchset-created

Files placed on repository:
glance-api_2014.2-fuel6.0~mira9+git.83ba12a.3babba9_all.deb
glance-common_2014.2-fuel6.0~mira9+git.83ba12a.3babba9_all.deb
glance-registry_2014.2-fuel6.0~mira9+git.83ba12a.3babba9_all.deb
glance_2014.2-fuel6.0~mira9+git.83ba12a.3babba9_all.deb
python-glance-doc_2014.2-fuel6.0~mira9+git.83ba12a.3babba9_all.deb
python-glance_2014.2-fuel6.0~mira9+git.83ba12a.3babba9_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-stable-1406/ubuntu

Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0.mira9

Changeset: https://review.fuel-infra.org/1406
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: change-merged

Files placed on repository:
openstack-glance-2014.2-fuel6.0.mira9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.0.mira9.noarch.rpm
python-glance-2014.2-fuel6.0.mira9.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable/centos

Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.1.mira9

Changeset: https://review.fuel-infra.org/1407
project: openstack/glance
branch: openstack-ci/fuel-6.1/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: change-merged

Files placed on repository:
openstack-glance-2014.2-fuel6.1.mira9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.1.mira9.noarch.rpm
python-glance-2014.2-fuel6.1.mira9.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.1-stable/centos

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0~mira9

Changeset: https://review.fuel-infra.org/1406
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: change-merged

Files placed on repository:
glance-api_2014.2-fuel6.0~mira9_all.deb
glance-common_2014.2-fuel6.0~mira9_all.deb
glance-registry_2014.2-fuel6.0~mira9_all.deb
glance_2014.2-fuel6.0~mira9_all.deb
python-glance-doc_2014.2-fuel6.0~mira9_all.deb
python-glance_2014.2-fuel6.0~mira9_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-stable/ubuntu

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.1~mira9

Changeset: https://review.fuel-infra.org/1407
project: openstack/glance
branch: openstack-ci/fuel-6.1/2014.2
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: change-merged

Files placed on repository:
glance-api_2014.2-fuel6.1~mira9_all.deb
glance-common_2014.2-fuel6.1~mira9_all.deb
glance-registry_2014.2-fuel6.1~mira9_all.deb
glance_2014.2-fuel6.1~mira9_all.deb
python-glance-doc_2014.2-fuel6.1~mira9_all.deb
python-glance_2014.2-fuel6.1~mira9_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.1-stable/ubuntu

Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0.mira10.git.c82dc8b.3babba9

Changeset: https://review.fuel-infra.org/1408
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Serg Melikyan
committer: Serg Melikyan
subject: Fix PEP8 issues introduced by fix for bug/1403102
status: patchset-created

Files placed on repository:
openstack-glance-2014.2-fuel6.0.mira10.git.c82dc8b.3babba9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.0.mira10.git.c82dc8b.3babba9.noarch.rpm
python-glance-2014.2-fuel6.0.mira10.git.c82dc8b.3babba9.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable-1408/centos

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0~mira10+git.c82dc8b.3babba9

Changeset: https://review.fuel-infra.org/1408
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Serg Melikyan
committer: Serg Melikyan
subject: Fix PEP8 issues introduced by fix for bug/1403102
status: patchset-created

Files placed on repository:
glance-api_2014.2-fuel6.0~mira10+git.c82dc8b.3babba9_all.deb
glance-common_2014.2-fuel6.0~mira10+git.c82dc8b.3babba9_all.deb
glance-registry_2014.2-fuel6.0~mira10+git.c82dc8b.3babba9_all.deb
glance_2014.2-fuel6.0~mira10+git.c82dc8b.3babba9_all.deb
python-glance-doc_2014.2-fuel6.0~mira10+git.c82dc8b.3babba9_all.deb
python-glance_2014.2-fuel6.0~mira10+git.c82dc8b.3babba9_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-stable-1408/ubuntu

Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0.mira10.git.7220eb4.3babba9

Changeset: https://review.fuel-infra.org/1408
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Serg Melikyan
committer: Serg Melikyan
subject: Fix PEP8 issues introduced by fix for bug/1403102
status: patchset-created

Files placed on repository:
openstack-glance-2014.2-fuel6.0.mira10.git.7220eb4.3babba9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.0.mira10.git.7220eb4.3babba9.noarch.rpm
python-glance-2014.2-fuel6.0.mira10.git.7220eb4.3babba9.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable-1408/centos

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0~mira10+git.7220eb4.3babba9

Changeset: https://review.fuel-infra.org/1408
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Serg Melikyan
committer: Serg Melikyan
subject: Fix PEP8 issues introduced by fix for bug/1403102
status: patchset-created

Files placed on repository:
glance-api_2014.2-fuel6.0~mira10+git.7220eb4.3babba9_all.deb
glance-common_2014.2-fuel6.0~mira10+git.7220eb4.3babba9_all.deb
glance-registry_2014.2-fuel6.0~mira10+git.7220eb4.3babba9_all.deb
glance_2014.2-fuel6.0~mira10+git.7220eb4.3babba9_all.deb
python-glance-doc_2014.2-fuel6.0~mira10+git.7220eb4.3babba9_all.deb
python-glance_2014.2-fuel6.0~mira10+git.7220eb4.3babba9_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-stable-1408/ubuntu

Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.1.mira10.git.cd9d4a2.3babba9

Changeset: https://review.fuel-infra.org/1409
project: openstack/glance
branch: openstack-ci/fuel-6.1/2014.2
author: Serg Melikyan
committer: Serg Melikyan
subject: Fix PEP8 issues introduced by fix for bug/1403102
status: patchset-created

Files placed on repository:
openstack-glance-2014.2-fuel6.1.mira10.git.cd9d4a2.3babba9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.1.mira10.git.cd9d4a2.3babba9.noarch.rpm
python-glance-2014.2-fuel6.1.mira10.git.cd9d4a2.3babba9.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.1-stable-1409/centos

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.1~mira10+git.cd9d4a2.3babba9

Changeset: https://review.fuel-infra.org/1409
project: openstack/glance
branch: openstack-ci/fuel-6.1/2014.2
author: Serg Melikyan
committer: Serg Melikyan
subject: Fix PEP8 issues introduced by fix for bug/1403102
status: patchset-created

Files placed on repository:
glance-api_2014.2-fuel6.1~mira10+git.cd9d4a2.3babba9_all.deb
glance-common_2014.2-fuel6.1~mira10+git.cd9d4a2.3babba9_all.deb
glance-registry_2014.2-fuel6.1~mira10+git.cd9d4a2.3babba9_all.deb
glance_2014.2-fuel6.1~mira10+git.cd9d4a2.3babba9_all.deb
python-glance-doc_2014.2-fuel6.1~mira10+git.cd9d4a2.3babba9_all.deb
python-glance_2014.2-fuel6.1~mira10+git.cd9d4a2.3babba9_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.1-stable-1409/ubuntu

Revision history for this message
OSCI Robot (oscirobot) wrote :

RPM package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0.mira10.git.0103da0.3babba9

Changeset: https://review.fuel-infra.org/1408
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Serg Melikyan
committer: Alexander Tivelkov
subject: Fix PEP8 issues introduced by fix for bug/1403102
status: patchset-created

Files placed on repository:
openstack-glance-2014.2-fuel6.0.mira10.git.0103da0.3babba9.noarch.rpm
openstack-glance-doc-2014.2-fuel6.0.mira10.git.0103da0.3babba9.noarch.rpm
python-glance-2014.2-fuel6.0.mira10.git.0103da0.3babba9.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable-1408/centos

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package glance has been built for project openstack/glance
Package version == 2014.2, package release == fuel6.0~mira10+git.0103da0.3babba9

Changeset: https://review.fuel-infra.org/1408
project: openstack/glance
branch: openstack-ci/fuel-6.0/2014.2
author: Serg Melikyan
committer: Alexander Tivelkov
subject: Fix PEP8 issues introduced by fix for bug/1403102
status: patchset-created

Files placed on repository:
glance-api_2014.2-fuel6.0~mira10+git.0103da0.3babba9_all.deb
glance-common_2014.2-fuel6.0~mira10+git.0103da0.3babba9_all.deb
glance-registry_2014.2-fuel6.0~mira10+git.0103da0.3babba9_all.deb
glance_2014.2-fuel6.0~mira10+git.0103da0.3babba9_all.deb
python-glance-doc_2014.2-fuel6.0~mira10+git.0103da0.3babba9_all.deb
python-glance_2014.2-fuel6.0~mira10+git.0103da0.3babba9_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-stable-1408/ubuntu

Revision history for this message
ruhe (ruhe) wrote :
Changed in mos:
status: In Progress → Fix Committed
description: updated
Revision history for this message
Kyrylo Romanenko (kromanenko) wrote :

I have tried several sequences of actions.
First I set show_multiple_locations = True
in /etc/glance/glance-api.conf
and restarted glance by: glance-control all restart

Flow 1

1) Created small image via Horizon GUI.

2) glance --os-image-api-version 2 location-add --url file:///etc/fstab f44eb9f7-2045-4118-b09b-fdfb71d58b2a
The administrator has disabled API access to image locations (HTTP 400)

OK

Flow 2

1) Created small image via GUI.

2) Added Metadata via Horizon url=file:///etc/fstab

3) glance image-download --file ~/small.iso f44eb9f7-2045-4118-b09b-fdfb71d58b2a

4) Checked contents of file - OK.

Flow 3

1) glance image-create --disk-format raw --container-format bare
2) glance --os-image-api-version 2 location-add --url file:///etc/mtab 22f3e03e-1431-4f31-a1c6-0cfe52ae3c43
The administrator has disabled API access to image locations (HTTP 400)

OK

Flow 4
1) glance image-create --disk-format raw --container-format bare

2) glance image-update --location filesystem:///etc/passwd 3b3a5f9d-690b-42d7-bfbf-aef5d82d73d2
<html>
 <head>
  <title>400 Bad Request</title>
 </head>
 <body>
  <h1>400 Bad Request</h1>
  External source are not supported: 'filesystem:///etc/passwd'<br /><br />

 </body>

Almost good, but the CLI output could be like in Flows 1 and 3.

Environment:
VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "6.1"
  openstack_version: "2014.2.2-6.1"
  api: "1.0"
  build_number: "432"
  build_id: "2015-05-18_03-43-53"
  nailgun_sha: "076566b5df37f681c3fd5b139c966d680d81e0a5"
  python-fuelclient_sha: "38765563e1a7f14f45201fd47cf507393ff5d673"
  astute_sha: "cb655a9a9ad26848bcd9d9ace91857b6f4a0ec15"
  fuel-library_sha: "1621cb350af744f497c35f2b3bb889c2041465d8"
  fuel-ostf_sha: "9ce1800749081780b8b2a4a7eab6586583ffaf33"
  fuelmain_sha: "0e970647a83d9a7d336c4cc253606d4dd0d59a60"

Deployment in VirtualBox. Ubuntu 14.04.1, Neutron VLAN, Cinder and Glance on LVM
1 Controller+Cinder
1 Compute+Cinder
1 Cinder

Revision history for this message
Kyrylo Romanenko (kromanenko) wrote :

Filed a bug related to glance image-update console output: https://bugs.launchpad.net/mos/+bug/1456607

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/glance (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Alexander Tivelkov <email address hidden>
Review: https://review.fuel-infra.org/8103

information type: Public → Public Security
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/glance (openstack-ci/fuel-7.0/2015.1.0)

Change abandoned by Mike Fedosin <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/8103

Revision history for this message
Denis Puchkin (dpuchkin) wrote :

The upstream bug for CVE-2015-1195 is https://launchpad.net/bugs/1408663; therefore, to fix the vulnerability described in CVE-2015-1195, these patches also need to be backported:
 https://review.openstack.org/145974/ (icehouse)
 https://review.openstack.org/145916/ (juno)

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/glance (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/13085
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-5.1.1-updates/2014.1.1

Commit: 4db7c3705bc42a406a8cb2e53f1ea90ab0ae276a
Author: Zhi Yan Liu <email address hidden>
Date: Mon Nov 9 15:08:01 2015

To prevent client use v2 patch api to handle file and swift location

The change will be used to restrict client to download and delete any
file in glance-api server. The same reason and logic as what we did in
v1:
https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L429

Closes-Bug: #1403102
DocImpact

Conflicts:
 glance/api/v1/images.py
 glance/common/store_utils.py
 glance/location.py
 glance/tests/functional/v1/test_copy_to_file.py
 glance/tests/functional/v2/test_images.py
 glance/tests/unit/test_store_image.py
 glance/tests/unit/test_store_location.py
 glance/tests/unit/utils.py
 glance/tests/unit/v1/test_api.py

(cherry picked from commit 4afdb017aa1ccef01482f117cb8d0736a6da38ed)
Signed-off-by: Zhi Yan Liu <email address hidden>
Change-Id: I72dbead3cb2dcb87f52658ddb880e26880cc229b
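
The merged change keeps clients from setting new local-scheme locations; a deployer who ran an unpatched build for a while also wants to look at the location records that already exist, since a record pointing outside the filesystem store's data directory would still be read on download and unlinked on delete. The audit below is an added example, not part of this change or of Glance: it assumes location records are available as dicts with 'image_id' and 'url' (the sample records are constructed) and that the filesystem store keeps its files under a single data directory, here /var/lib/glance/images.

```python
"""Audit stored image locations for paths outside the filesystem store (added example)."""
import os
from urllib.parse import urlparse, unquote

DATADIR = "/var/lib/glance/images"       # assumed filesystem_store_datadir
LOCAL_SCHEMES = ("file", "filesystem")   # schemes resolved on the glance-api host

# Constructed sample records, not real data: one legitimate store file,
# one absolute path outside the store, one '..' escape, one swift+config
# reference and one ordinary remote URL.
SAMPLE_LOCATIONS = [
    {"image_id": "11111111-0000-0000-0000-000000000001",
     "url": "file:///var/lib/glance/images/11111111-0000-0000-0000-000000000001"},
    {"image_id": "11111111-0000-0000-0000-000000000002",
     "url": "file:///etc/passwd"},
    {"image_id": "11111111-0000-0000-0000-000000000003",
     "url": "file:///var/lib/glance/images/%2e%2e/../../../etc/glance/glance-api.conf"},
    {"image_id": "11111111-0000-0000-0000-000000000004",
     "url": "swift+config://ref1/glance/11111111-0000-0000-0000-000000000004"},
    {"image_id": "11111111-0000-0000-0000-000000000005",
     "url": "http://mirror.example.org/cirros.img"},
]


def _inside(datadir, path):
    """True if the normalized path lies under datadir (no '..' escape)."""
    base = os.path.normpath(datadir)
    real = os.path.normpath(path)
    try:
        return os.path.commonpath([base, real]) == base
    except ValueError:  # mixed absolute/relative paths cannot share a prefix
        return False


def audit_locations(records, datadir=DATADIR):
    """Return (image_id, url, reason) for every location that needs attention.

    Percent-encoding is decoded before the path check so an encoded '..'
    is judged the same way as a literal one.
    """
    findings = []
    for rec in records:
        parsed = urlparse(rec["url"])
        scheme = parsed.scheme.lower()
        if scheme in LOCAL_SCHEMES:
            if not _inside(datadir, unquote(parsed.path)):
                findings.append((rec["image_id"], rec["url"],
                                 "local path outside %s" % datadir))
        elif scheme == "swift+config":
            findings.append((rec["image_id"], rec["url"],
                             "references server-side swift config"))
    return findings


if __name__ == "__main__":
    for image_id, url, reason in audit_locations(SAMPLE_LOCATIONS):
        print(image_id, url, reason)
```

Records flagged "local path outside" are the ones to review before any delete is issued against those images, since deleting the image would remove the referenced file rather than a store object.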

Revision history for this message
Vadim Rovachev (vrovachev) wrote :

Verified on 5.1.1.

Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

Hello, what's the status of this bug for MOS 6.1?

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

4.x and 5.x are no longer supported, closing this as Won't Fix.

tags: added: feature-security
This report contains Public Security information  
Everyone can see this security related information.
