A flaw was found in the Glance Sheepdog backend. A user who is able to insert or modify Glance image metadata could use this flaw to execute arbitrary commands with the privileges of the user who is running the Glance service.
Versions 2013.2 up to 2013.2.3 are affected.
Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Paul McMillan (Nebula) as the original reporter.
Juno (development branch) fix:
Icehouse (milestone-proposed branch) fix:
Created openstack-glance tracking bugs for this issue:
Affects: fedora-20 [bug 1086721]
This issue has been addressed in the following products:
OpenStack 4 for RHEL 6
Via RHSA-2014:0455 https://rhn.redhat.com/errata/RHSA-2014-0455.html
openstack-glance-2013.2.3-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.