using glance v2 api does not remove temporary files

Bug #1674846 reported by Erik Olof Gunnar Andersson on 2017-03-21
Affects:
- OpenStack Dashboard (Horizon): Importance Undecided, Unassigned
- OpenStack Security Advisory: Importance Undecided, Unassigned

Bug Description

Currently, if you are using Glance v2 with TemporaryUploadedFile (legacy mode?), the temporary file created on disk is never removed. This will eventually cause the machine to run out of tmp disk space.

The issue is that if Glance v2 is used, the code never calls image_update which is responsible for deleting the temporary file.
https://github.com/openstack/horizon/blob/446e5aefb4354c9092d1cbc5ff258ee74558e769/openstack_dashboard/api/glance.py#L439
https://github.com/openstack/horizon/blob/446e5aefb4354c9092d1cbc5ff258ee74558e769/openstack_dashboard/api/glance.py#L349

Either the function image_update should always be called, or if data is a TemporaryUploadedFile object, the call should always try to delete the temporary file once done.
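To make the leak and the proposed fix concrete, here is an added Python example that is not Horizon's own code: a constructed stand-in for Django's TemporaryUploadedFile, a stub upload routine standing in for the Glance client, the reported control flow where only the v1 branch reaches the cleanup step, and the hardened form that always deletes the spooled file in a finally block regardless of API version. The names FakeTemporaryUploadedFile, _send_to_glance and temp_file_survives are assumptions for this example.

```python
import os
import tempfile


class FakeTemporaryUploadedFile:
    """Constructed stand-in for Django's TemporaryUploadedFile: the upload is
    spooled to a real file on disk that someone has to delete afterwards."""

    def __init__(self, payload: bytes):
        handle = tempfile.NamedTemporaryFile(delete=False)
        handle.write(payload)
        handle.close()
        self.temporary_file_path = handle.name


def _send_to_glance(data, api_version):
    """Hypothetical upload: reads the spooled bytes as a Glance client would."""
    with open(data.temporary_file_path, "rb") as fh:
        return {"size": len(fh.read()), "api": api_version}


def image_create_as_reported(data, api_version):
    """Reproduces the reported control flow: only the v1 branch reaches the
    cleanup step (image_update in Horizon); the v2 branch returns without it."""
    result = _send_to_glance(data, api_version)
    if api_version == 1:
        os.unlink(data.temporary_file_path)  # cleanup lives only here
    return result


def image_create_fixed(data, api_version):
    """Hardened form: the temporary file is removed once the upload finishes
    (or fails), independent of which API version handled it."""
    try:
        return _send_to_glance(data, api_version)
    finally:
        if isinstance(data, FakeTemporaryUploadedFile):
            try:
                os.unlink(data.temporary_file_path)
            except FileNotFoundError:
                pass  # already removed by another path; nothing to leak


def temp_file_survives(create_fn, api_version):
    """Returns True if the on-disk temp file is still present after create_fn."""
    data = FakeTemporaryUploadedFile(b"qcow2-bytes (constructed sample)")
    create_fn(data, api_version)
    leaked = os.path.exists(data.temporary_file_path)
    if leaked:
        os.unlink(data.temporary_file_path)  # tidy up after the check
    return leaked
```

Running temp_file_survives against both implementations shows the v2 path leaking a file under the reported flow and no file surviving under the fixed flow.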

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated

@horizon-coresec, can you check this report please?
Is the TemporaryUploadedFile the default behavior for Horizon deployment?

Jeremy Stanley (fungi) wrote :

In keeping with recent OpenStack vulnerability management policy changes, no report should remain under private embargo for more than 90 days. Because this report predates the change in policy, the deadline for public disclosure is being set to 90 days from today. If the report is not resolved within the next 90 days, it will revert to our public workflow as of 2020-05-27. Please see http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012721.html for further details.

description: updated
Jeremy Stanley (fungi) wrote :

It doesn't look like this report has seen any activity since my update two months ago, so consider this a friendly reminder:

The embargo for this report is due to expire one month from today, on May 27, and will be switched public on or shortly after that day if it is not already resolved sooner.

Thanks!

Jeremy Stanley (fungi) on 2020-05-19
description: updated
Jeremy Stanley (fungi) wrote :

The embargo for this report has expired and is now lifted, so it's acceptable to discuss further in public.

description: updated
information type: Private Security → Public Security