[Yahoo-eng-team] [Bug 1400966] Re: [OSSA-2014-041] Glance allows users to download and delete any file in glance-api server (CVE-2014-9493)

Wed, 07 Jan 2015 16:16:44 -0800 

Reopening bug as fix was incomplete. Will request a new CVE id when a
fix is ready.

** Changed in: glance
       Status: Fix Released => In Progress

** Changed in: glance
     Assignee: Zhi Yan Liu (lzy-dev) => Grant Murphy (gmurphy)

** Changed in: ossa
     Assignee: (unassigned) => Grant Murphy (gmurphy)

** Changed in: ossa
       Status: Fix Released => In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1400966

Title:
  [OSSA-2014-041] Glance allows users to download and delete any file in
  glance-api server (CVE-2014-9493)

Status in OpenStack Image Registry and Delivery Service (Glance):
  In Progress
Status in Glance icehouse series:
  Fix Committed
Status in Glance juno series:
  Fix Committed
Status in Ansible playbooks for deploying OpenStack:
  Fix Committed
Status in openstack-ansible icehouse series:
  In Progress
Status in openstack-ansible juno series:
  In Progress
Status in OpenStack Security Advisories:
  In Progress

Bug description:
  Updating image-location by update images API users can download any file for 
which glance-api has read permission. 
  And the file for which glance-api has write permission will be deleted when 
users delete the image.

  
  For example:
  When users specify '/etc/passwd' as locations value of an image user can get 
the file by image download.

  When locations of an image is set with 'file:///path/to/glance-
  api.conf' the conf will be deleted when users delete the image.

  How to recreate the bug:
  download files:
   - set show_multiple_locations True in glance-api.conf
   - create a new image
   - set locations of the image's property a path you want to get such as 
file:///etc/passwd.
   - download the image

  delete files:
   - set show_multiple_locations True in glance-api.conf
   - create a new image
   - set locations of the image's property a path you want to delete such as 
file:///path/to/glance-api.conf
   - delete the image

  I found this bug in 2014.2 (742c898956d655affa7351505c8a3a5c72881eae).

  What a big A RE RE!!

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1400966/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to