Bug 1252378 (CVE-2015-5163) - CVE-2015-5163 openstack-glance: Glance v2 API host file disclosure through qcow2 backing file
Summary: CVE-2015-5163 openstack-glance: Glance v2 API host file disclosure through qc...
Status: CLOSED ERRATA
Alias: CVE-2015-5163
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20150813,repo...
Keywords: Security
Depends On: 1253101 1254397
Blocks: 1252380
TreeView+ depends on / blocked
 
Reported: 2015-08-11 09:36 UTC by Vasyl Kaigorodov
Modified: 2016-04-26 21:22 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-18 01:47:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
cve-2015-5163-master-liberty.patch (5.94 KB, text/plain)
2015-08-11 09:37 UTC, Vasyl Kaigorodov
no flags Details
cve-2015-5163-stable-kilo.patch (6.04 KB, text/plain)
2015-08-11 09:37 UTC, Vasyl Kaigorodov
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1639 normal SHIPPED_LIVE Important: openstack-glance security update 2015-08-18 05:25:23 UTC

Description Vasyl Kaigorodov 2015-08-11 09:36:18 UTC
Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0 versions through 2015.1.1

Description:
Eric Harney from Red Hat reported a vulnerability in Glance. By
importing a qcow2 image with a malicious backing file, an authenticated
user may mislead Glance import task action, resulting in the disclosure
of any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this flaw.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/kilo and master on the public disclosure date.

Comment 1 Vasyl Kaigorodov 2015-08-11 09:37:16 UTC
Created attachment 1061407 [details]
cve-2015-5163-master-liberty.patch

Comment 2 Vasyl Kaigorodov 2015-08-11 09:37:19 UTC
Created attachment 1061408 [details]
cve-2015-5163-stable-kilo.patch

Comment 3 Vasyl Kaigorodov 2015-08-11 09:39:39 UTC
Acknowledgements:

Red Hat would like to thank the OpenStack team for reporting this issue. Upstream acknowledges Eric Harney (Red Hat) as the original reporter.

Comment 5 errata-xmlrpc 2015-08-18 01:25:33 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2015:1639 https://access.redhat.com/errata/RHSA-2015:1639

Comment 6 Garth Mollett 2015-08-18 01:46:40 UTC
Created openstack-glance tracking bugs for this issue:

Affects: openstack-rdo [bug 1254397]


Note You need to log in before you can comment on or make changes to this bug.