Your message dated Tue, 24 Jan 2023 17:05:54 +0000
with message-id <e1pkmk6-0092a6...@fasolo.debian.org>
and subject line Bug#1029562: fixed in cinder 2:21.0.0-3
has caused the Debian Bug report #1029562,
regarding CVE-2022-47951: vulnerability in VMDK image processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1029562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029562
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-cinder
Version: 2:21.0.0-2
Severity: grave
Tags: patch

This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.

Title: Arbitrary file access through custom VMDK flat descriptor
Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien
          Rannou (OVH)
Products: Cinder, Glance, Nova
Affects: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
         Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
         Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0

Description:
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
(OVH) reported a vulnerability in VMDK image processing for Cinder,
Glance and Nova. By supplying a specially created VMDK flat image
which references a specific backing file path, an authenticated user
may convince systems to return a copy of that file's contents from
the server resulting in unauthorized access to potentially sensitive
data. All Cinder deployments are affected; only Glance deployments
with image conversion enabled are affected; all Nova deployments are
affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date. Note that stable/wallaby and older branches are
under extended maintenance and will receive no new point releases,
but patches for some of them are provided as a courtesy.

CVE: CVE-2022-47951

Proposed public disclosure date/time:
2023-01-24, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
https://launchpad.net/bugs/1996188
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
-- 
Jeremy Stanley
OpenStack Vulnerability Management Team

--- End Message ---
--- Begin Message ---
Source: cinder
Source-Version: 2:21.0.0-3
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated cinder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 24 Jan 2023 17:19:39 +0100
Source: cinder
Architecture: source
Version: 2:21.0.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1029562
Changes:
 cinder (2:21.0.0-3) unstable; urgency=high
 .
   * CVE-2022-47951: By supplying a specially created VMDK flat image which
     references a specific backing file path, an authenticated user may convince
     systems to return a copy of that file's contents from the server resulting
     in unauthorized access to potentially sensitive data. Add upstream patch
     CVE-2022-47951_Check_VMDK_subformat_against_an_allowed_list.patch
     (Closes: #1029562).


--- End Message ---
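An added illustration of the allow-list check that the changelog entry above names as the fix (example code written for this page, not Cinder's own implementation): it reads the create-type that `qemu-img info --output=json` reports for a VMDK and refuses anything outside an allow-list, so a flat descriptor whose data lives in a separate extent file on the host is never handed to image conversion. The allow-list contents, the sample JSON documents and the function names are assumptions.

```python
import json

# Subformats that carry their data inside the uploaded file itself. The exact
# default list used upstream is an assumption; the principle is an allow-list.
ALLOWED_VMDK_SUBFORMATS = frozenset({"streamOptimized", "monolithicSparse"})


class UnsafeImage(ValueError):
    """Raised when an uploaded image must not be passed to qemu-img convert."""


def check_vmdk_subformat(info_json: str, allowed=ALLOWED_VMDK_SUBFORMATS) -> str:
    """Validate the VMDK create-type from `qemu-img info --output=json` output.

    Returns the accepted subformat or raises UnsafeImage. A missing or unknown
    create-type is rejected too: an image qemu cannot classify is not converted.
    """
    info = json.loads(info_json)
    if info.get("format") != "vmdk":
        raise UnsafeImage("not a VMDK image: %r" % (info.get("format"),))
    data = (info.get("format-specific") or {}).get("data") or {}
    create_type = data.get("create-type")
    if create_type not in allowed:
        raise UnsafeImage("VMDK subformat %r is not in the allow-list" % (create_type,))
    return create_type


def is_safe_to_convert(info_json: str) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        check_vmdk_subformat(info_json)
        return True
    except UnsafeImage:
        return False


# Constructed sample documents in the layout qemu-img uses; not captured from a real run.
SPARSE_INFO = json.dumps({
    "virtual-size": 1073741824, "filename": "upload.vmdk", "format": "vmdk",
    "format-specific": {"type": "vmdk", "data": {"create-type": "monolithicSparse"}},
})
FLAT_INFO = json.dumps({
    "virtual-size": 1073741824, "filename": "upload.vmdk", "format": "vmdk",
    "format-specific": {"type": "vmdk", "data": {
        "create-type": "monolithicFlat",
        # A flat descriptor names a separate extent file; PLACEHOLDER path, constructed.
        "extents": [{"filename": "PLACEHOLDER-extent-path", "format": "FLAT"}],
    }},
})

if __name__ == "__main__":
    print("sparse accepted:", is_safe_to_convert(SPARSE_INFO))
    print("flat accepted:", is_safe_to_convert(FLAT_INFO))
```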
