Bug 1252378 (CVE-2015-5163)

Summary: CVE-2015-5163 openstack-glance: Glance v2 API host file disclosure through qcow2 backing file
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, chrisw, dallan, eglynn, fpercoco, gkotton, gmollett, lhh, lpeer, markmc, rbryant, sclewis, security-response-team, tdecacqu, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20150813,reported=20150811,source=upstream,cvss2=4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N,cwe=CWE-454,fedora-all/openstack-glance=notaffected,openstack-5/openstack-glance=notaffected,openstack-6/openstack-glance=notaffected,openstack-7/openstack-glance=affected,openstack-rdo/openstack-glance=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-18 01:47:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1253101, 1254397    
Bug Blocks: 1252380    
Attachments:
Description Flags
cve-2015-5163-master-liberty.patch
none
cve-2015-5163-stable-kilo.patch none

Description Vasyl Kaigorodov 2015-08-11 09:36:18 UTC
Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0 versions through 2015.1.1

Description:
Eric Harney from Red Hat reported a vulnerability in Glance. By
importing a qcow2 image with a malicious backing file, an authenticated
user may mislead Glance import task action, resulting in the disclosure
of any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this flaw.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/kilo and master on the public disclosure date.

Comment 1 Vasyl Kaigorodov 2015-08-11 09:37:16 UTC
Created attachment 1061407 [details]
cve-2015-5163-master-liberty.patch

Comment 2 Vasyl Kaigorodov 2015-08-11 09:37:19 UTC
Created attachment 1061408 [details]
cve-2015-5163-stable-kilo.patch

Comment 3 Vasyl Kaigorodov 2015-08-11 09:39:39 UTC
Acknowledgements:

Red Hat would like to thank the OpenStack team for reporting this issue. Upstream acknowledges Eric Harney (Red Hat) as the original reporter.

Comment 5 errata-xmlrpc 2015-08-18 01:25:33 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2015:1639 https://access.redhat.com/errata/RHSA-2015:1639

Comment 6 Garth Mollett 2015-08-18 01:46:40 UTC
Created openstack-glance tracking bugs for this issue:

Affects: openstack-rdo [bug 1254397]