Debian Bug report logs - #1029561
CVE-2022-47951: vulnerability in VMDK image processing
Reported by: Thomas Goirand <zigo@debian.org>
Date: Tue, 24 Jan 2023 15:21:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in version nova/2:26.0.0-5
Fixed in version nova/2:26.0.0-6
Done: Thomas Goirand <zigo@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>: Bug#1029561; Package nova-compute. (Tue, 24 Jan 2023 15:21:03 GMT)
Acknowledgement sent to Thomas Goirand <zigo@debian.org>: New Bug report received and forwarded. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Tue, 24 Jan 2023 15:21:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: nova-compute
Version: 2:26.0.0-5
Severity: grave
Tags: patch
This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.
Title: Arbitrary file access through custom VMDK flat descriptor
Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien
Rannou (OVH)
Products: Cinder, Glance, Nova
Affects: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0
Description:
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
(OVH) reported a vulnerability in VMDK image processing for Cinder,
Glance and Nova. By supplying a specially created VMDK flat image
which references a specific backing file path, an authenticated user
may convince systems to return a copy of that file's contents from
the server resulting in unauthorized access to potentially sensitive
data. All Cinder deployments are affected; only Glance deployments
with image conversion enabled are affected; all Nova deployments are
affected.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date. Note that stable/wallaby and older branches are
under extended maintenance and will receive no new point releases,
but patches for some of them are provided as a courtesy.
CVE: CVE-2022-47951
Proposed public disclosure date/time:
2023-01-24, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.
Original private report:
https://launchpad.net/bugs/1996188
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
--
Jeremy Stanley
OpenStack Vulnerability Management Team
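An added illustration, not part of the advisory above or of the attached patches (which this page does not reproduce): one way a service could gate VMDK images before conversion, by inspecting `qemu-img info --output=json` output and failing closed unless the subformat is on an allowlist and every extent lives in the image file itself. The allowlist values, the `check_image` name and the sample JSON are assumptions constructed for this example.

```python
import json

# Assumption for this example: subformats that keep all data inside the image file.
ALLOWED_CREATE_TYPES = frozenset({"streamOptimized", "monolithicSparse"})

# Constructed samples shaped like `qemu-img info --output=json` output.
SAMPLE_SPARSE = json.dumps({
    "filename": "/var/lib/images/upload.vmdk", "format": "vmdk",
    "format-specific": {"type": "vmdk", "data": {
        "create-type": "monolithicSparse",
        "extents": [{"filename": "/var/lib/images/upload.vmdk", "format": "SPARSE"}]}},
})
SAMPLE_FLAT = json.dumps({
    "filename": "/var/lib/images/upload.vmdk", "format": "vmdk",
    "format-specific": {"type": "vmdk", "data": {
        "create-type": "monolithicFlat",
        "extents": [{"filename": "/PLACEHOLDER/file-outside-image", "format": "FLAT"}]}},
})


def check_image(info_json, allowed=ALLOWED_CREATE_TYPES):
    """Return (ok, reason) for one image; anything unexpected is rejected."""
    info = json.loads(info_json)
    # Any format: an image that names a backing file pulls in data from elsewhere.
    if info.get("backing-filename") or info.get("full-backing-filename"):
        return False, "image references a backing file"
    if info.get("format") != "vmdk":
        return True, "not a VMDK image"
    data = (info.get("format-specific") or {}).get("data") or {}
    create_type = data.get("create-type")
    if create_type not in allowed:  # also covers a missing create-type
        return False, f"VMDK create-type {create_type!r} is not allowed"
    # Every extent must be the uploaded file itself, never another path.
    for extent in data.get("extents", []):
        if extent.get("filename") != info.get("filename"):
            return False, "VMDK extent stored outside the image file"
    return True, "VMDK subformat allowed"


if __name__ == "__main__":
    for name, sample in (("sparse", SAMPLE_SPARSE), ("flat", SAMPLE_FLAT)):
        print(name, check_image(sample))
```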
Reply sent to Thomas Goirand <zigo@debian.org>: You have taken responsibility. (Tue, 24 Jan 2023 16:48:11 GMT)
Notification sent to Thomas Goirand <zigo@debian.org>: Bug acknowledged by developer. (Tue, 24 Jan 2023 16:48:11 GMT)
Message #10 received at 1029561-close@bugs.debian.org:
Source: nova
Source-Version: 2:26.0.0-6
Done: Thomas Goirand <zigo@debian.org>
We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1029561@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nova package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 24 Jan 2023 14:11:46 +0100
Source: nova
Architecture: source
Version: 2:26.0.0-6
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1029561
Changes:
nova (2:26.0.0-6) unstable; urgency=high
.
* CVE-2022-47951: By supplying a specially created VMDK flat image which
references a specific backing file path, an authenticated user may convince
systems to return a copy of that file's contents from the server resulting
in unauthorized access to potentially sensitive data. Add upstream patch
cve-2022-47951-glance-stable-zed.patch (Closes: #1029561).
Checksums-Sha1:
505c29ba929e249cf22955e1c7edd7702c21f482 5042 nova_26.0.0-6.dsc
3daa1f3524316bb60961ee7c617770fda2f84dff 62696 nova_26.0.0-6.debian.tar.xz
32cadc362c6f3f009c1b37e3399d1c90989045be 22202 nova_26.0.0-6_amd64.buildinfo
Checksums-Sha256:
4ed40c6cf1e2f069f881418341692fa9d42a4c5b79d8680f044cfedf907ca146 5042 nova_26.0.0-6.dsc
a010170a561579be0b5e75d4cea48654a1939b3ae8c58a16b47433db99d67d8c 62696 nova_26.0.0-6.debian.tar.xz
5db77128c47f971774d6ba4ebd26bfe5fc11fa3f47199a86053138d51d140fbb 22202 nova_26.0.0-6_amd64.buildinfo
Files:
06fb71f148e5e26e2f3c5225a13487ba 5042 net optional nova_26.0.0-6.dsc
9b5cb17a1905b86ca0cb83722aa180bd 62696 net optional nova_26.0.0-6.debian.tar.xz
e6c4b454d8cee51c352c46e9ac09dda7 22202 net optional nova_26.0.0-6_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 Jan 2023 21:09:02 GMT)
Last modified: Wed Jan 25 13:04:28 2023