Mirantis OpenStack

[OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)

  1. Series 6.0.x
  2. Bug #1514467
Bug #1514467 reported by Denis Puchkin
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mirantis OpenStack
Invalid
Undecided
Unassigned
Mirantis OpenStack 8.0
5.1.x
Fix Released
Critical
Denis Puchkin
Mirantis OpenStack 5.1.1-mu-2
6.0.x
Fix Released
Critical
Denis Puchkin
Mirantis OpenStack 6.0-mu-7

Bug Description

Jin Liu reported that OSSA-2014-041 (CVE-2014-9493) only fixed the vulnerability for swift: and file: URI, but overlooked filesystem: URIs.

Please see bug 1400966 for historical reference.

Upstream bug: https://bugs.launchpad.net/ossa/+bug/1408663

CVE References

Denis Puchkin (dpuchkin)
Changed in mos:
milestone: none → 8.0
status: New → Invalid
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/glance (openstack-ci/fuel-6.0-updates/2014.2)

Change abandoned by Denis Puchkin <email address hidden> on branch: openstack-ci/fuel-6.0-updates/2014.2
Review: https://review.fuel-infra.org/13090

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/glance (openstack-ci/fuel-6.0-updates/2014.2)

Fix proposed to branch: openstack-ci/fuel-6.0-updates/2014.2
Change author: Grant Murphy <email address hidden>
Review: https://review.fuel-infra.org/13746

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/glance (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/13086
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-5.1.1-updates/2014.1.1

Commit: 79f98e915500717025959423f536442819ccd64c
Author: Grant Murphy <email address hidden>
Date: Tue Nov 10 10:41:16 2015

Prevent file, swift+config and filesystem schemes

This change ensures that 'file', 'filesystem', and 'swift+config' URI
schemes are not allowed when setting the location field. A previous
fix to CVE-2014-9493 attempted to address this issue but did not
include 'filesystem', a URI scheme allowed by the glance_store.

Without this fix in place it is possible for a client to access any file
the glance-api server has read permissions for.

(cherry picked from commit 5191ed1879c5fd5b2694f922bcedec232f461088)

Conflicts:
 glance/common/store_utils.py

Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
Closes-Bug: #1514467

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/glance (openstack-ci/fuel-6.0-updates/2014.2)

Reviewed: https://review.fuel-infra.org/13746
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-6.0-updates/2014.2

Commit: 40e1bb2369e3ac1b7ce358bdcd9387fc44955af9
Author: Grant Murphy <email address hidden>
Date: Mon Nov 9 15:39:17 2015

Prevent file, swift+config and filesystem schemes

This change ensures that 'file', 'filesystem', and 'swift+config' URI
schemes are not allowed when setting the location field. A previous
fix to CVE-2014-9493 attempted to address this issue but did not
include 'filesystem', a URI scheme allowed by the glance_store.

Without this fix in place it is possible for a client to access any file
the glance-api server has read permissions for.

Closes-Bug: #1514467
(cherry picked from commit a2d986b976e9325a272e2d422465165315d19fe6)
Change-Id: I5fcf1d3e519e9d0dba9d00e65c8818292c206503

Revision history for this message
Vadim Rovachev (vrovachev) wrote :

Verified on 5.1.1

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.