CVE-2022-47951: vulnerability in VMDK image processing


Debian Bug report logs - #1029561
CVE-2022-47951: vulnerability in VMDK image processing


Reported by: Thomas Goirand <zigo@debian.org>

Date: Tue, 24 Jan 2023 15:21:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version nova/2:26.0.0-5

Fixed in version nova/2:26.0.0-6

Done: Thomas Goirand <zigo@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#1029561; Package nova-compute. (Tue, 24 Jan 2023 15:21:03 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Tue, 24 Jan 2023 15:21:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2022-47951: vulnerability in VMDK image processing
Date: Tue, 24 Jan 2023 16:18:28 +0100
Package: nova-compute
Version: 2:26.0.0-5
Severity: grave
Tags: patch

This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.

Title: Arbitrary file access through custom VMDK flat descriptor
Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien
          Rannou (OVH)
Products: Cinder, Glance, Nova
Affects: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
         Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
         Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0

Description:
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
(OVH) reported a vulnerability in VMDK image processing for Cinder,
Glance and Nova. By supplying a specially created VMDK flat image
which references a specific backing file path, an authenticated user
may convince systems to return a copy of that file's contents from
the server resulting in unauthorized access to potentially sensitive
data. All Cinder deployments are affected; only Glance deployments
with image conversion enabled are affected; all Nova deployments are
affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date. Note that stable/wallaby and older branches are
under extended maintenance and will receive no new point releases,
but patches for some of them are provided as a courtesy.

CVE: CVE-2022-47951

Proposed public disclosure date/time:
2023-01-24, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
https://launchpad.net/bugs/1996188
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
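
An image-intake check of the kind the description above calls for, as an added example that is not part of this report or of the attached patches: it reads the JSON printed by `qemu-img info --output=json` and rejects VMDK images whose subformat can point at files outside the image. The function name, the allowlist values, the extent rule and the sample data are assumptions made for illustration.

```python
import json

# Assumed allowlist of single-file VMDK subformats (not from this report's patches).
ALLOWED_CREATE_TYPES = frozenset({"streamOptimized", "monolithicSparse"})

def vmdk_policy_violations(info_json, image_path, allowed=ALLOWED_CREATE_TYPES):
    """Reasons to reject an image, from `qemu-img info --output=json` text.

    An empty list means the image passes this check.
    """
    try:
        info = json.loads(info_json)
    except ValueError:
        return ["unparseable image info"]
    if not isinstance(info, dict):
        return ["unparseable image info"]
    if info.get("format") != "vmdk":
        return []  # only VMDK is in scope here
    spec = info.get("format-specific")
    data = spec.get("data") if isinstance(spec, dict) else None
    if not isinstance(data, dict):
        return ["vmdk without format-specific data"]  # fail closed
    reasons = []
    ctype = data.get("create-type")
    if not isinstance(ctype, str) or ctype not in allowed:
        reasons.append(f"create-type {ctype!r} is not allowed")
    # Assumption: for a single-file image each extent names the image itself.
    for ext in data.get("extents") or []:
        name = ext.get("filename") if isinstance(ext, dict) else None
        if name != image_path:
            reasons.append(f"extent stored outside the image: {name!r}")
    return reasons

# Constructed samples shaped like qemu-img's JSON output; all values are made up.
SPARSE_INFO = json.dumps({"format": "vmdk", "format-specific": {"type": "vmdk", "data": {
    "create-type": "monolithicSparse",
    "extents": [{"filename": "/tmp/upload.vmdk", "format": "SPARSE"}]}}})
FLAT_INFO = json.dumps({"format": "vmdk", "format-specific": {"type": "vmdk", "data": {
    "create-type": "monolithicFlat",
    "extents": [{"filename": "/constructed/other-file", "format": "FLAT"}]}}})

if __name__ == "__main__":
    for label, sample in (("sparse", SPARSE_INFO), ("flat", FLAT_INFO)):
        print(label, vmdk_policy_violations(sample, "/tmp/upload.vmdk"))
```

The check has to run before any conversion or copy step touches the image, since that step is where the referenced file would be read.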



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 24 Jan 2023 16:48:11 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Tue, 24 Jan 2023 16:48:11 GMT)


Message #10 received at 1029561-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1029561-close@bugs.debian.org
Subject: Bug#1029561: fixed in nova 2:26.0.0-6
Date: Tue, 24 Jan 2023 16:45:10 +0000
Source: nova
Source-Version: 2:26.0.0-6
Done: Thomas Goirand <zigo@debian.org>

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029561@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 24 Jan 2023 14:11:46 +0100
Source: nova
Architecture: source
Version: 2:26.0.0-6
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1029561
Changes:
 nova (2:26.0.0-6) unstable; urgency=high
 .
   * CVE-2022-47951: By supplying a specially created VMDK flat image which
     references a specific backing file path, an authenticated user may convince
     systems to return a copy of that file's contents from the server resulting
     in unauthorized access to potentially sensitive data. Add upstream patch
     cve-2022-47951-glance-stable-zed.patch (Closes: #1029561).




Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 Jan 2023 21:09:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 25 13:04:28 2023; Machine Name: bembo
