Format-guessing and file disclosure in image convert (CVE-2015-1850)

Bug #1465333 reported by Ivan Kolodyazhny
Affects              Status         Importance   Assigned to          Milestone
Mirantis OpenStack   Fix Released   Critical     Timur Nurlygayanov
5.1.x                Fix Released   Critical     Denis Puchkin
6.0.x                Fix Released   Critical     Denis Meltsaykin

Bug Description

Cinder does not provide the input format to several calls of "qemu-img convert". This allows an attacker to exploit format guessing by providing a volume with a qcow2 signature. If this signature contains a base file, that file will be read by a process running as root and embedded in the output. This bug is similar to CVE-2013-1922.

Upstream bug: https://bugs.launchpad.net/cinder/+bug/1415087

Ivan Kolodyazhny (e0ne)
tags: added: cinder
Ivan Kolodyazhny (e0ne)
Changed in mos:
milestone: none → 6.1
Revision history for this message
Vitaly Sedelnik (vsedelnik) wrote :

The fix for stable/juno is merged in upstream so I am nominating it for 6.0-updates and including into MU4.

Ivan Kolodyazhny (e0ne)
Changed in mos:
status: New → Fix Committed
importance: Undecided → High
Changed in mos:
importance: High → Critical
information type: Private Security → Public Security
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/cinder (openstack-ci/fuel-7.0/2015.1.0)

Change abandoned by Ivan Kolodyazhny <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/8096

Timur Nurlygayanov (tnurlygayanov) wrote :

The status of the issue for 6.1 is not clear; we have no commits on review with this fix. We need to update the status of this bug and add some comments that confirm we have this fix in MOS 6.1.

Changed in mos:
status: Fix Committed → Incomplete
Changed in mos:
assignee: Ivan Kolodyazhny (e0ne) → Timur Nurlygayanov (tnurlygayanov)
Timur Nurlygayanov (tnurlygayanov) wrote :

This issue is not relevant for MOS 7.0, because it was fixed in OpenStack upstream.

And this issue is already fixed in MOS 6.1 because we updated code from upstream too.

Changed in mos:
status: Incomplete → Fix Released
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/cinder (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Fix proposed to branch: openstack-ci/fuel-5.1.1-updates/2014.1.1
Change author: Eric Harney <email address hidden>
Review: https://review.fuel-infra.org/13124

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/cinder (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/13124
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-5.1.1-updates/2014.1.1

Commit: f82390b5244137f82dd64a1f2a68448c293b391e
Author: Eric Harney <email address hidden>
Date: Fri Oct 23 13:20:08 2015

Disallow backing files when uploading volumes to image

Volumes with a header referencing a backing file can leak
file data into the destination image when uploading a
volume to an image.

Halt the upload process if the volume data references a
backing file to prevent this.

Closes-Bug: #1465333
Change-Id: Iab9718794e7f7e8444015712cfa08c46848ebf78
(cherry picked from commit 9634b76ba5886d6c2f2128d550cb005dabf48213)
Conflicts:
    cinder/tests/test_image_utils.py (backport to old tests)
(cherry picked from commit d31c937c566005dedf41a60c6b5bd5e7b26f221b)
Conflicts:
    cinder/tests/test_image_utils.py
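The description above explains the defect (qemu-img probing a volume's contents and honouring a qcow2 backing file) and the merged commit describes the remedy (halt the upload when the volume data references a backing file). The following is an added example, not Cinder's own code: it parses the fixed qcow2 header fields to detect a backing-file reference, makes the same decision from `qemu-img info --output=json` output, and builds a convert command that passes the input format explicitly. The function names and the embedded header bytes are constructed for illustration.

```python
import json
import struct
from typing import List, Optional

QCOW2_MAGIC = b"QFI\xfb"  # first four bytes of every qcow2 header


def qcow2_backing_file(header: bytes) -> Optional[str]:
    """Return the backing-file name if `header` starts with a qcow2 header that
    references one, else None. Reads only the fixed big-endian fields:
    magic (4 bytes), version (4), backing_file_offset (8), backing_file_size (4)."""
    if len(header) < 20 or header[:4] != QCOW2_MAGIC:
        return None  # raw data (or too short): nothing for a probe to guess
    _version, bf_offset, bf_size = struct.unpack(">IQI", header[4:20])
    if bf_offset == 0 or bf_size == 0:
        return None  # qcow2 image without a backing file
    name = header[bf_offset:bf_offset + bf_size]
    if len(name) != bf_size:
        raise ValueError("backing_file field points outside the bytes read")
    return name.decode("utf-8", errors="replace")


def backing_file_from_qemu_img_info(json_text: str) -> Optional[str]:
    """Same decision made from `qemu-img info --output=json` output, which
    reports a backing file under the "backing-filename" key."""
    return json.loads(json_text).get("backing-filename")


def check_volume_for_upload(header: bytes) -> None:
    """Hypothetical gate for the upload-to-image path: refuse any volume whose
    header references a backing file, instead of letting the converter read it."""
    backing = qcow2_backing_file(header)
    if backing is not None:
        raise ValueError("refusing upload: volume references backing file %r" % backing)


def convert_command(src: str, dst: str, src_format: str = "raw") -> List[str]:
    """Argument vector with the input format stated explicitly (-f), so qemu-img
    does not probe the volume's contents to guess it."""
    return ["qemu-img", "convert", "-f", src_format, "-O", "raw", src, dst]


def constructed_header(backing: Optional[bytes]) -> bytes:
    """Constructed test input, not a real disk image: a qcow2 v2 fixed header
    (72 bytes) followed by the backing-file name, when one is given."""
    offset, size = (72, len(backing)) if backing else (0, 0)
    fixed = QCOW2_MAGIC + struct.pack(">IQI", 2, offset, size)
    return fixed + b"\x00" * (72 - len(fixed)) + (backing or b"")
```

In a real deployment the header bytes would be the first few hundred bytes read from the volume device before any conversion is started.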

Vadim Rovachev (vrovachev) wrote :

Steps to reproduce:
1. Create volume
2. Create a VM (recommended to use ubuntu/centos images, because the qemu-utils package is needed to reproduce)
3. Attach volume to vm
4. ssh to vm and run command: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
5. Detach volume
6. ssh to one of controllers and run command: cinder upload-to-image --disk-format qcow2 --container-format bare <vol-id> <name>
7. run command: glance image-download <image-id> > file
8. Open and look into the file.
If the bug is reproduced, the file should contain info from the file /etc/passwd

Vadim Rovachev (vrovachev) wrote :

Verified on 5.1.1

tags: added: feature-security