[OSSA 2015-003] Glance image leak when in saving state (CVE-2014-9623)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
Fix Released
|
High
|
Zhi Yan Liu | ||
Icehouse |
Fix Released
|
Critical
|
Flavio Percoco | ||
Juno |
Fix Committed
|
Critical
|
Ian Cordasco | ||
OpenStack Security Advisory |
Fix Released
|
High
|
Tristan Cacqueray |
Bug Description
Tushar Patil reported that https:/
The image in saving state is not taken into account by global quota enforcement.
Attached is a script to reproduce the behavior:
Steps to reproduce (tested on file backend store)
1. Check how many images are present in the directory that the Filesystem backend store write the image data to (filesystem_
2. Run the program for 1 hour
3. Again count images (step 1), it should be the same as recorded in Step 1.
We ran this program for 1 hour in our environment.
Before running the program, count of images in the file store (/opt/stack/
After running the program for 1 hr,
* Total count of images in the folder /opt/stack/
* Total count of images created = 1014
* Total count of images deleted in saving state = 800
* Total count of images deleted = 1014
Considering the bug is already public, fix should be proposed directly on gerrit, this new report will let us work on the impact statement and coordinate the security work in parallel to the public fix being merged.
Changed in glance: | |
importance: | Undecided → High |
Changed in glance: | |
assignee: | nobody → Zhi Yan Liu (lzy-dev) |
summary: |
- Glance image leak when in saving state + Glance image leak when in saving state (CVE-2014-9623) |
Changed in ossa: | |
status: | In Progress → Fix Committed |
summary: |
- Glance image leak when in saving state (CVE-2014-9623) + [OSSA 2015-003] Glance image leak when in saving state (CVE-2014-9623) |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in glance: | |
status: | Fix Committed → Fix Released |
Changed in glance: | |
milestone: | kilo-2 → 2015.1.0 |
I see bug 1383973 was switched to private security after being public for more than a month. Is the intent to mark one as a duplicate of the other?