Glance

[OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted in the v2 api

Bug #1076506 reported by Mark Washenberger
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance
Fix Released
Critical
Mark Washenberger
Glance grizzly-1 "g1"
Declined for Grizzly by Thierry Carrez
Folsom
Fix Released
Critical
Mark Washenberger
Glance 2012.2.1
Grizzly
Fix Released
Critical
Mark Washenberger
Glance 2013.1 "grizzly"
OpenStack Security Advisory
Fix Released
Undecided
Russell Bryant
glance (Ubuntu)
Fix Released
Undecided
Unassigned
Quantal
Fix Released
Undecided
Unassigned

Bug Description

It appears that bug #1065187 also affects the v2 api. From the previous description:

Given a public, non-protected image, a non-admin user can issue a delete against that image which may delete the image from the backend storage repository. The client will get a 403 unauthorized response, but the backend delete method is called prior to checking for those permissions on the glance registry.

Revision history for this message
Mark Washenberger (markwash) wrote :

Here's a fix!

Revision history for this message
Russell Bryant (russellb) wrote :

Since this is effectively the same bug as bug 1065187, let's just get these patches in now and I'll post an update to the security advisory.

information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/15658

Changed in glance:
assignee: nobody → Mark Washenberger (markwash)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/15659

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/15658
Committed: http://github.com/openstack/glance/commit/b591304b8980d8aca8fa6cda9ea1621aca000c88
Submitter: Jenkins
Branch: master

commit b591304b8980d8aca8fa6cda9ea1621aca000c88
Author: Mark J. Washenberger <email address hidden>
Date: Thu Nov 8 10:56:07 2012 -0800

    Ensure authorization before deleting from store

    This fixes bug 1076506.

    Change-Id: I3794c14fe523a9a27e943d73dd0248489d2b91f6

Changed in glance:
status: In Progress → Fix Committed
tags: added: in-stable-folsom
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/folsom)

Reviewed: https://review.openstack.org/15659
Committed: http://github.com/openstack/glance/commit/fc0ee7623ec59c87ac6fc671e95a9798d6f2e2c3
Submitter: Jenkins
Branch: stable/folsom

commit fc0ee7623ec59c87ac6fc671e95a9798d6f2e2c3
Author: Mark J. Washenberger <email address hidden>
Date: Thu Nov 8 10:56:07 2012 -0800

    Ensure authorization before deleting from store

    This fixes bug 1076506.

    Change-Id: I3794c14fe523a9a27e943d73dd0248489d2b91f6

Brian Waldon (bcwaldon)
Changed in glance:
milestone: none → grizzly-1
importance: Undecided → Critical
Revision history for this message
Russell Bryant (russellb) wrote : Re: Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api

Advisory updated: https://lists.launchpad.net/openstack/msg18433.html

Revision history for this message
Thierry Carrez (ttx) wrote :

Errata published at https://lists.launchpad.net/openstack/msg18466.html

no longer affects: glance/essex
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Adam Gandelman (gandelman-a)
Changed in glance (Ubuntu):
status: New → Fix Released
Changed in glance (Ubuntu Quantal):
status: New → Confirmed
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Mark, or anyone else affected,

Accepted glance into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/glance/2012.2.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in glance (Ubuntu Quantal):
status: Confirmed → Fix Committed
tags: added: verification-needed
Mark McLoughlin (markmc)
tags: removed: in-stable-folsom
Revision history for this message
Launchpad Janitor (janitor) wrote : Re: Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api

This bug was fixed in the package glance - 2012.2.1-0ubuntu1

---------------
glance (2012.2.1-0ubuntu1) quantal-proposed; urgency=low

  * Dropped patches, applied upstream:
    - debian/patches/CVE-2012-4573.patch
    - debian/patches/CVE-2012-4573b.patch
  * Resynchronize with stable/folsom (199783ce) (LP: #1085255):
    - [49408e9] Glance image-delete HTTPInternalServerError HTTP 500
      (LP: #1075580)
    - [91aaa48] Image fails to upload to swift: TypeError: object of type
      'CooperativeReader' has no len( (LP: #1057322)
    - [a296a5b] Return 403 when admin deletes a deleted image (LP: #1060944)
    - [3e58a6a] Disallow updating deleted images. (LP: #1060930)
    - [26c8085] admins can see deleted images in v2 api (LP: #1071446)
    - [8321ca6] No exclude option to skip tests in run_tests.sh (LP: #1065758)
    - [c3bea11] Badly named stable/folsom Glance tarballs (LP: #1059634)
    - [fc0ee76] Non-admin users can cause public glance images to be deleted
      from the backend storage repository in the v2 api (LP: #1076506)
    - [90bcdc5] Non-admin users can cause public glance images to be deleted
      from the backend storage repository (LP: #1065187)
    - [7841cc9] FakeAuth not always admin
    - [ddad275] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [1d5c651] nosetest options cause no such option errors (LP: #1056420)
    - [ac223e2] Set defaultbranch in .gitreview to stable/folsom
 -- Adam Gandelman <email address hidden> Tue, 04 Dec 2012 09:19:35 -0800

Changed in glance (Ubuntu Quantal):
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
summary: - Non-admin users can cause public glance images to be deleted from the
- backend storage repository in the v2 api
+ [OSSA-2012-017] Non-admin users can cause public glance images to be
+ deleted from the backend storage repository in the v2 api
Changed in ossa:
assignee: nobody → Russell Bryant (russellb)
status: New → Fix Released
summary: - [OSSA-2012-017] Non-admin users can cause public glance images to be
+ [OSSA-2012-017.1] Non-admin users can cause public glance images to be
deleted from the backend storage repository in the v2 api
Thierry Carrez (ttx)
summary: [OSSA-2012-017.1] Non-admin users can cause public glance images to be
- deleted from the backend storage repository in the v2 api
+ deleted in the v2 api
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.