[OSSA 2014-028] image_size_cap not checked in v2 (CVE-2014-5356)
Bug #1315321 reported by Thomas Leaman
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Glance | Fix Released | High | Manuel Desbonnet | |
Havana | Fix Released | High | Unassigned | |
Icehouse | Fix Released | High | Manuel Desbonnet | |
OpenStack Security Advisory | Fix Released | Medium | Tristan Cacqueray | |
Bug Description
To reproduce (using devstack):
create an image
upload image data larger than image_size_cap
This should result in an error, but doesn't
Changed in glance:
assignee: nobody → Arnaud Legendre (arnaudleg)
Changed in glance:
assignee: nobody → Thomas Leaman (thomas-leaman)
Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → Medium
Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Changed in ossa:
status: Confirmed → Triaged
Changed in glance:
importance: Undecided → High
Changed in glance:
assignee: Thomas Leaman (thomas-leaman) → Manuel Desbonnet (manuel-desbonnet)
Changed in ossa:
status: Triaged → In Progress
summary:
- image_size_cap not checked in v2
+ image_size_cap not checked in v2 (CVE-2014-5356)
Changed in ossa:
status: In Progress → Fix Committed
summary:
- image_size_cap not checked in v2 (CVE-2014-5356)
+ [OSSA 2014-028] image_size_cap not checked in v2 (CVE-2014-5356)
Changed in ossa:
status: Fix Committed → Fix Released
Changed in glance:
milestone: none → juno-3
status: Fix Committed → Fix Released
Changed in glance:
milestone: juno-3 → 2014.2
I'm wondering if there's a security aspect to this?
If it's possible to upload an image of unrestricted length and then create multiple compute instances using that image there is the possibility that the filesystem on the nova compute nodes will fill up, preventing further instances from being created.
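
A size cap bounds storage only if it is enforced against the bytes actually received while the upload streams in, and a rejected upload leaves no partial data behind. The sketch below is an added example, not Glance's code and not the fix for this bug; `capped_chunks`, `store_image`, `ImageSizeLimitExceeded` and the dict-backed store are hypothetical names, and `size_cap` stands in for the `image_size_cap` setting.

```python
import io


class ImageSizeLimitExceeded(Exception):
    """Raised when streamed image data exceeds the configured cap."""


def capped_chunks(stream, size_cap, chunk_size=64 * 1024):
    """Yield chunks from stream, failing as soon as the total passes size_cap.

    The running total comes from the bytes actually read, not from any size
    the client declared, so an upload with no or a wrong declared length is
    still bounded.
    """
    total = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return
        total += len(chunk)
        if total > size_cap:
            raise ImageSizeLimitExceeded(
                "read %d bytes, cap is %d" % (total, size_cap))
        yield chunk


def store_image(stream, size_cap, store, image_id):
    """Stream an upload into store (hypothetical dict standing in for a backend).

    Returns the number of bytes stored. If the cap is exceeded, the partially
    written object is deleted before the error propagates.
    """
    store[image_id] = bytearray()
    try:
        for chunk in capped_chunks(stream, size_cap):
            store[image_id] += chunk
    except ImageSizeLimitExceeded:
        del store[image_id]
        raise
    return len(store[image_id])


if __name__ == "__main__":
    backend = {}
    cap = 1024  # constructed value for the demonstration
    print(store_image(io.BytesIO(b"a" * cap), cap, backend, "at-cap"))
    try:
        store_image(io.BytesIO(b"a" * (cap + 1)), cap, backend, "over-cap")
    except ImageSizeLimitExceeded as exc:
        print("rejected:", exc, "| stored ids:", sorted(backend))
```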