cinder: CVE-2015-1851: [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file


Debian Bug report logs - #788996


Reported by: Thomas Goirand <zigo@debian.org>

Date: Tue, 16 Jun 2015 20:42:06 UTC

Severity: grave

Tags: patch, security

Found in versions cinder/2014.1.1-1, cinder/2014.1.3-11

Fixed in versions cinder/2015.1.0+2015.06.16.git26.9634b76ba5-1, cinder/2014.1.3-11+deb8u1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788996; Package src:cinder. (Tue, 16 Jun 2015 20:42:09 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 16 Jun 2015 20:42:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-1850: [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file
Date: Tue, 16 Jun 2015 22:40:46 +0200
Source: cinder
Severity: grave
Tags: security patch

=====================================================================
OSSA-2015-011: Cinder host file disclosure through qcow2 backing file
=====================================================================

:Date: June 16, 2015
:CVE: CVE-2015-1850


Affects
~~~~~~~
- Cinder: versions through 2014.1.4,
          and 2014.2 versions through 2014.2.3,
          and version 2015.1.0


Description
~~~~~~~~~~~
Bastian Blank from credativ reported a vulnerability in Cinder. By
overwriting an image with a malicious qcow2 header, an authenticated
user may mislead Cinder upload-to-image action, resulting in
disclosure of any file from the Cinder server. All Cinder setups are
affected.


Patches
~~~~~~~
- https://review.openstack.org/191871 (Icehouse)
- https://review.openstack.org/191865 (Juno)
- https://review.openstack.org/191786 (Kilo)
- https://review.openstack.org/191785 (Liberty)


Credits
~~~~~~~
- Bastian Blank from Credativ (CVE-2015-1850)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1415087
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1850


Notes
~~~~~
- This fix will be included in future 2014.1.5 (icehouse), 2014.2.4
  (juno) and 2015.1.1 (kilo) releases.
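As an added illustration of the check the Debian patch name describes ("Disallow backing files when uploading volumes to image"), here is a small Python parser of the qcow2 header that reports any backing-file reference, so a volume can be refused before the upload-to-image action hands it to an image converter. This is example code, not the upstream patch (whose implementation is not shown on this page); function names are hypothetical and the sample images are constructed in `make_qcow2`.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
HEADER_LEN = 72             # fixed part of the qcow2 v2 header, in bytes
MAX_BACKING_NAME = 1023     # qemu's own upper bound on the backing file name length


def qcow2_backing_file(image: bytes):
    """Return the backing file name a qcow2 header references, or None.

    Non-qcow2 data (for example a raw volume) carries no backing reference and
    yields None. A header whose backing-file pointer is malformed raises, so the
    caller refuses the image rather than letting an image tool interpret it.
    """
    if len(image) < HEADER_LEN or image[:4] != QCOW2_MAGIC:
        return None
    # Offsets 4..20: version (u32), backing_file_offset (u64), backing_file_size (u32)
    version, backing_off, backing_len = struct.unpack_from(">IQI", image, 4)
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    if backing_off == 0 and backing_len == 0:
        return None                      # no backing file: a self-contained image
    if backing_len == 0 or backing_len > MAX_BACKING_NAME:
        raise ValueError("implausible backing file name length %d" % backing_len)
    if backing_off < HEADER_LEN or backing_off + backing_len > len(image):
        raise ValueError("backing file name lies outside the image")
    return image[backing_off:backing_off + backing_len].decode("utf-8", "replace")


def safe_to_upload(image: bytes) -> bool:
    """Policy from the advisory's fix: refuse any volume whose header names a
    backing file (or whose header is malformed); anything else may proceed."""
    try:
        return qcow2_backing_file(image) is None
    except ValueError:
        return False


def make_qcow2(backing=None) -> bytes:
    """Constructed sample image (header only, no data clusters) for the checks.

    The name, when given, is stored right after the 72-byte header and the
    header's backing_file_offset/size fields point at it."""
    name = backing.encode() if backing else b""
    off = HEADER_LEN if name else 0
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 2, off, len(name))
    # cluster_bits, size, crypt_method, l1_size, l1_table_offset,
    # refcount_table_offset, refcount_table_clusters, nb_snapshots, snapshots_offset
    hdr += struct.pack(">IQIIQQIIQ", 16, 1 << 20, 0, 1, 0, 0, 0, 0, 0)
    return hdr + name
```

A deployment would run `safe_to_upload` over the volume's first bytes before invoking any converter; a raw volume passes because it has no header to reference anything.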



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 16 Jun 2015 22:09:08 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Tue, 16 Jun 2015 22:09:08 GMT)


Message #10 received at 788996-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 788996-close@bugs.debian.org
Subject: Bug#788996: fixed in cinder 2015.1.0+2015.06.16.git26.9634b76ba5-1
Date: Tue, 16 Jun 2015 22:07:00 +0000
Source: cinder
Source-Version: 2015.1.0+2015.06.16.git26.9634b76ba5-1

We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 788996@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated cinder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 16 Jun 2015 22:36:48 +0200
Source: cinder
Binary: python-cinder cinder-common cinder-api cinder-volume cinder-scheduler cinder-backup
Architecture: source all
Version: 2015.1.0+2015.06.16.git26.9634b76ba5-1
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 cinder-api - OpenStack block storage system - API server
 cinder-backup - OpenStack block storage system - Backup server
 cinder-common - OpenStack block storage system - common files
 cinder-scheduler - OpenStack block storage system - Scheduler server
 cinder-volume - OpenStack block storage system - Volume server
 python-cinder - OpenStack block storage system - Python libraries
Closes: 788996
Changes:
 cinder (2015.1.0+2015.06.16.git26.9634b76ba5-1) unstable; urgency=high
 .
   * New upstream release (based on commit 26th g9634b76):
     - Addresses CVE-2015-1850 / OSSA 2015-011 (Closes: #788996).





Marked as found in versions cinder/2014.1.3-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Jun 2015 03:15:06 GMT)


Marked as found in versions cinder/2014.1.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 20 Jun 2015 05:15:06 GMT)


Changed Bug title to 'cinder: CVE-2015-1851: [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file' from 'CVE-2015-1850: [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 20 Jun 2015 05:15:09 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sat, 20 Jun 2015 11:03:33 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Sat, 20 Jun 2015 11:03:33 GMT)


Message #21 received at 788996-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 788996-close@bugs.debian.org
Subject: Bug#788996: fixed in cinder 2014.1.3-11+deb8u1
Date: Sat, 20 Jun 2015 11:02:05 +0000
Source: cinder
Source-Version: 2014.1.3-11+deb8u1

We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 788996@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated cinder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 17 Jun 2015 00:07:12 +0200
Source: cinder
Binary: python-cinder cinder-common cinder-api cinder-volume cinder-scheduler cinder-backup
Architecture: source all
Version: 2014.1.3-11+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 cinder-api - OpenStack block storage system - API server
 cinder-backup - OpenStack block storage system - Backup server
 cinder-common - OpenStack block storage system - common files
 cinder-scheduler - OpenStack block storage system - Scheduler server
 cinder-volume - OpenStack block storage system - Volume server
 python-cinder - OpenStack block storage system - Python libraries
Closes: 788996
Changes:
 cinder (2014.1.3-11+deb8u1) jessie-security; urgency=medium
 .
   * CVE-2015-1851: Cinder host file disclosure through qcow2 backing file.
     Applied upstream patch (Closes: #788996):
     Disallow_backing_files_when_uploading_volumes_to_image.patch





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Sep 2015 07:33:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:54:22 2019; Machine Name: beach
