** Changed in: ossa
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1420696
Title:
[OSSA 2015-004] Image data remains in backend after deleting the image
created using task api (import-from) (CVE-2015-1881)
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Committed
Status in Glance icehouse series:
Invalid
Status in Glance juno series:
Fix Committed
Status in OpenStack Security Advisories:
Fix Released
Bug description:
--
This issue is being treated as a potential security risk under embargo.
Please do not make any public mention of embargoed (private) security
vulnerabilities before their coordinated publication by the OpenStack
Vulnerability Management Team in the form of an official OpenStack Security
Advisory. This includes discussion of the bug or associated fixes in public
forums such as mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved for access
to this information, and provide this same reminder to those who are made aware
of the issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the bug
as attachments.
--
When deleting an image created using the task API (import-from), the image
gets deleted from the database, but the image data remains in the backend.
Steps to reproduce:
1. Create image using task api
$ curl -i -X POST -H 'User-Agent: python-glanceclient' \
    -H 'Content-Type: application/json' \
    -H 'Accept-Encoding: gzip, deflate, compress' \
    -H 'Accept: */*' \
    -H 'X-Auth-Token: 35a9e49237b74eddbe5057eb434b3f9e' \
    -d '{"type": "import", "input": {"import_from": "http://releases.ubuntu.com/14.10/ubuntu-14.10-server-i386.iso", "import_from_format": "raw", "image_properties": {"disk_format": "raw", "container_format": "bare", "name": "task_image"}}}' \
    http://10.69.4.176:9292/v2/tasks
2. Wait until the image becomes active.
3. Confirm image is in active state.
$ glance image-list
4. Delete the image
$ glance image-delete <image-id>
5. Verify image-list does not show deleted image
$ glance image-list
The image gets deleted from the database, but the image data is still present
in the backend.
Problem:
The import task does not update the location of the image, and it remains None
even after the image becomes active.
No location entry is added to the image_locations table in the database.
While deleting the image, it checks whether a location is present for the image
[1][2], and only then deletes the image data from that location.
[1] v1:
https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L1066
[2] v2:
https://github.com/openstack/glance/blob/master/glance/location.py#L361
This issue is reproducible in stable/juno as well as in current
master.
Note: You need to replace the auth_token in the above curl command, otherwise it
will raise an error for authentication failure.
(Use the 'keystone token-get' command to generate a new token.)
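Added example (not part of the original report and not Glance code): a simplified model of the behaviour described above, with an operator-side audit that flags active images with no recorded location and backend objects left without a live image record. The dict-based db/store, the function names and the image IDs are constructed assumptions; backend objects are assumed to be keyed by image ID.

```python
"""Model of the leak in this report plus an operator-side audit for it.
Added example: simplified, not Glance code. IDs and data are constructed."""

def import_via_task(db, store, image_id, data):
    # As reported: data is written to the backend and the image goes active,
    # but no location is recorded for it.
    store[image_id] = data
    db[image_id] = {"status": "active", "locations": []}

def upload(db, store, image_id, data):
    # Normal path for comparison: the location is recorded.
    store[image_id] = data
    db[image_id] = {"status": "active", "locations": [image_id]}

def delete_image(db, store, image_id):
    # As reported: backend data is removed only for recorded locations.
    row = db[image_id]
    for loc in row["locations"]:
        store.pop(loc, None)
    row["status"] = "deleted"

def active_without_location(db):
    """Active images whose later deletion would leave data behind."""
    return sorted(i for i, r in db.items()
                  if r["status"] == "active" and not r["locations"])

def orphaned_objects(db, store):
    """Backend objects with no live (non-deleted) image record."""
    live = {i for i, r in db.items() if r["status"] != "deleted"}
    return sorted(set(store) - live)

def demo():
    db, store = {}, {}
    upload(db, store, "img-upload-1", b"a" * 8)        # constructed sample data
    import_via_task(db, store, "img-task-2", b"b" * 8)
    import_via_task(db, store, "img-task-3", b"c" * 8)
    at_risk = active_without_location(db)              # audit before any delete
    delete_image(db, store, "img-upload-1")
    delete_image(db, store, "img-task-3")
    return at_risk, orphaned_objects(db, store)        # audit after deletes

if __name__ == "__main__":
    at_risk, orphans = demo()
    print("active images with no location:", at_risk)
    print("orphaned backend objects:", orphans)
```

On a real deployment the same two checks would be fed from the images and image_locations tables and from a listing of the configured store.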