CVE-2012-4573: Authentication bypass for image deletion

Related Vulnerabilities: CVE-2012-4573  

Debian Bug report logs - #692641


Reported by: Thomas Goirand <zigo@debian.org>

Date: Thu, 8 Nov 2012 03:45:01 UTC

Severity: critical

Found in version glance/2012.1.1-1.1

Fixed in versions glance/2012.1.1-2, glance/2012.1.1-3

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#692641; Package glance. (Thu, 08 Nov 2012 03:45:04 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 08 Nov 2012 03:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-4573: Authentication bypass for image deletion
Date: Thu, 08 Nov 2012 11:43:16 +0800
Package: glance
Version: 2012.1.1-1.1
Severity: critical

Gabe Westmaas from Rackspace reported a vulnerability in Glance
authentication of image deletion requests. Authenticated users may be
able to delete arbitrary, non-protected images from Glance servers. Only
Folsom/Grizzly deployments that expose the v1 API are affected by this
vulnerability. Additionally, Essex deployments that use the
delayed_delete option are also affected.

Below is the proposed patch.

Thomas

diff --git a/glance/api/v1/images.py b/glance/api/v1/images.py
index 9bedf20..2684454 100644
--- a/glance/api/v1/images.py
+++ b/glance/api/v1/images.py
@@ -738,10 +738,10 @@ class Controller(controller.BaseController):
         # to delete the image if the backend doesn't yet store it.
         # See https://bugs.launchpad.net/glance/+bug/747799
         try:
+            registry.delete_image_metadata(req.context, id)
             if image['location']:
                 schedule_delete_from_backend(image['location'], self.conf,
                                              req.context, id)
-            registry.delete_image_metadata(req.context, id)
         except exception.NotFound, e:
             msg = ("Failed to find image to delete: %(e)s" % locals())
             for line in msg.split('\n'):
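Review bot: moving registry.delete_image_metadata ahead of schedule_delete_from_backend makes the registry call the gate for the destructive backend work, but the only handler in this hunk is `except exception.NotFound, e:`; if the registry refuses the delete with any other exception (an authorization denial rather than a missing image), it propagates out of this block unhandled, so confirm the surrounding controller maps that to a 403 and not a 500. The swap also inverts the failure ordering the partially visible comment above the try describes: metadata is now removed before the backend is told, so a failure inside schedule_delete_from_backend leaves an orphaned payload with no registry record; that trade-off deserves a sentence in the commit message and an update to the comment at the top of the try block.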

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
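The ordering defect the report describes, modelled as an added example (not Glance's own code: the Fake* classes, the delete_image_* functions and the image and user names are constructed here to mirror the shape of the v1 delete handler, where the registry is the component that enforces ownership):

```python
# Added illustration of the ordering defect behind CVE-2012-4573, not Glance
# code: the Fake* classes and delete_image_* functions are constructed here.

class Forbidden(Exception):
    pass  # raised by the registry when the caller may not delete the image

class FakeRegistry:  # stand-in for the registry, where ownership is enforced
    def __init__(self, owners):
        self.images = dict(owners)  # image_id -> owner

    def delete_image_metadata(self, ctx, image_id):
        if ctx["user"] != self.images[image_id] and not ctx["is_admin"]:
            raise Forbidden("%s does not own %s" % (ctx["user"], image_id))
        del self.images[image_id]

class FakeBackend:  # records which image payloads were queued for deletion
    def __init__(self):
        self.scheduled = []

    def schedule_delete(self, location, ctx, image_id):
        self.scheduled.append(image_id)

def delete_image_vulnerable(registry, backend, ctx, image_id, location):
    """Pre-patch order: payload deletion is queued before the registry can refuse."""
    try:
        if location:
            backend.schedule_delete(location, ctx, image_id)
        registry.delete_image_metadata(ctx, image_id)
    except Forbidden:
        return False
    return True

def delete_image_fixed(registry, backend, ctx, image_id, location):
    """Patched order: the authorizing registry call runs first, so a refusal
    aborts before any destructive backend work is queued (fail closed)."""
    try:
        registry.delete_image_metadata(ctx, image_id)
        if location:
            backend.schedule_delete(location, ctx, image_id)
    except Forbidden:
        return False
    return True

def run(handler, user):
    """Return (accepted, ids queued at backend, metadata still present)."""
    registry = FakeRegistry({"img-1": "alice"})  # constructed sample image
    backend = FakeBackend()
    ctx = {"user": user, "is_admin": False}
    ok = handler(registry, backend, ctx, "img-1", "file:///store/img-1")
    return ok, list(backend.scheduled), "img-1" in registry.images
```

With the pre-patch order a refused request still leaves the payload queued for deletion at the backend; with the patched order the refusal happens before any destructive work, which is the property a regression test for this class of bug should assert.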



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 08 Nov 2012 08:51:06 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Thu, 08 Nov 2012 08:51:06 GMT)


Message #10 received at 692641-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 692641-close@bugs.debian.org
Subject: Bug#692641: fixed in glance 2012.1.1-2
Date: Thu, 08 Nov 2012 08:47:31 +0000
Source: glance
Source-Version: 2012.1.1-2

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692641@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 27 Aug 2012 12:05:22 +0000
Source: glance
Binary: python-glance glance-common glance-api glance-registry glance python-glance-doc
Architecture: source all
Version: 2012.1.1-2
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 681582 692641
Changes: 
 glance (2012.1.1-2) unstable; urgency=high
 .
   * Added Chinese Debconf translation, thanks to ben <duyujie.dyj@gmail.com>.
   * CVE-2012-4573: Authentication bypass for image deletion (Closes: #692641).
   * Fixes test_interrupt_avoids_respawn_storm fails when run under fakeroot
   disabling the tests (Closes: #681582). Also adds a || true since pep8 is
   nitpicking a source code line as too large.





Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Fri, 09 Nov 2012 18:06:04 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Fri, 09 Nov 2012 18:06:04 GMT)


Message #15 received at 692641-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 692641-close@bugs.debian.org
Subject: Bug#692641: fixed in glance 2012.1.1-3
Date: Fri, 09 Nov 2012 18:02:30 +0000
Source: glance
Source-Version: 2012.1.1-3

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692641@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 09 Nov 2012 18:38:02 +0000
Source: glance
Binary: python-glance glance-common glance-api glance-registry glance python-glance-doc
Architecture: source all
Version: 2012.1.1-3
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 692641
Changes: 
 glance (2012.1.1-3) unstable; urgency=high
 .
   * New upstream patch for CVE-2012-4573. Previous patch is to be discarded,
   according to bcwaldon on IRC (Closes: #692641).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Dec 2012 07:26:47 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:36:56 2019; Machine Name: beach
