Debian Bug report logs - #773836
glance: CVE-2014-9493: unrestricted path traversal flaw


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 23 Dec 2014 20:48:18 UTC

Severity: serious

Tags: security, upstream

Found in version glance/2014.1.3-5

Fixed in versions glance/2014.1.3-6, glance/2014.2.1-2

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#773836; Package src:glance. (Tue, 23 Dec 2014 20:48:23 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 23 Dec 2014 20:48:23 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: glance: unrestricted path traversal flaw
Date: Tue, 23 Dec 2014 21:47:46 +0100
Source: glance
Version: 2014.1.3-5
Severity: serious
Tags: security upstream

Hi

Setting this to serious/RC since this probably should go as well to
jessie (please let me know if you disagree on severity). From [1]:

 [1] http://www.openwall.com/lists/oss-security/2014/12/23/2

> Masahito Muroi from NTT reported a vulnerability in Glance. By setting
> a malicious image location an authenticated user can download or delete
> any file on the Glance server to which the Glance process user has
> access. Only setups using the Glance V2 API are affected by this flaw.

More details are also on the Red Hat bugzilla entry[2].

 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1174474

Regards,
Salvatore
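The advisory quoted above describes a client-supplied image location being resolved on the Glance server's own filesystem, so that a download or delete of the "image" becomes a read or unlink of an arbitrary file the service account can reach. The following is an added illustrative example for this bug log, not Glance's code and not the upstream patch named in the changelog: a scheme-allowlist check applied to a location before it is stored, run over a constructed set of candidate locations. The allowed and local scheme sets, the `InvalidLocation` exception and the `triage_locations` helper are assumptions made for the example.

```python
"""Illustrative allowlist check for client-supplied image locations.

Constructed example for this bug log; it is not Glance's own code, and
the scheme lists below are assumptions, not Glance's configuration.
"""
from urllib.parse import urlsplit

# Schemes a client may reference directly (assumed allowlist).
ALLOWED_CLIENT_SCHEMES = frozenset({"http", "https", "swift", "swift+https", "rbd"})

# Schemes (plus the empty scheme of a bare path) that resolve on the API
# node's own filesystem. A client-controlled location here is what lets
# the server read or unlink files the service account can reach.
LOCAL_SCHEMES = frozenset({"", "file", "filesystem"})


class InvalidLocation(ValueError):
    """Raised when a client may not set the given location."""


def validate_client_location(location: str) -> str:
    """Return the location unchanged if a client may set it, else raise.

    The check runs before any store backend is consulted, so a rejected
    location never turns into a filesystem open() or unlink().
    """
    parts = urlsplit(location.strip())
    scheme = parts.scheme.lower()
    if scheme in LOCAL_SCHEMES:
        raise InvalidLocation(
            f"local filesystem locations are not accepted from clients: {location!r}")
    if scheme not in ALLOWED_CLIENT_SCHEMES:
        raise InvalidLocation(f"scheme {scheme!r} is not in the client allowlist")
    if not parts.netloc:
        # A remote scheme with no host (e.g. 'https:///x') is malformed;
        # reject it rather than guess what the store would do with it.
        raise InvalidLocation(f"location has no host component: {location!r}")
    return location


def triage_locations(candidates):
    """Split candidate locations into (accepted, rejected) lists.

    'rejected' pairs each bad location with the reason string, which is
    what you would want to see in an audit log entry for the request.
    """
    accepted, rejected = [], []
    for loc in candidates:
        try:
            accepted.append(validate_client_location(loc))
        except InvalidLocation as exc:
            rejected.append((loc, str(exc)))
    return accepted, rejected


# Constructed sample input: values of the kind a V2 image update could
# carry in its 'locations' attribute (hosts and ids are made up).
SAMPLE_LOCATIONS = [
    "https://images.example.org/cirros-0.3.4.img",
    "swift+https://objstore.example.org/v1/AUTH_demo/images/abc123",
    "file:///etc/passwd",
    "/var/lib/glance/images/11111111-2222-3333-4444-555555555555",
    "filesystem:///var/lib/glance/images/other-tenant-image",
    "ftp://mirror.example.org/pub/image.qcow2",
]

if __name__ == "__main__":
    ok, bad = triage_locations(SAMPLE_LOCATIONS)
    for loc in ok:
        print("accept", loc)
    for loc, why in bad:
        print("reject", loc, "-", why)
```

The check is deliberately an allowlist rather than a denylist of `file://`: a bare path has no scheme at all, and a new store driver added later should have to be enabled for clients explicitly rather than being reachable by default.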



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 25 Dec 2014 10:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 25 Dec 2014 10:21:05 GMT)


Message #10 received at 773836-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 773836-close@bugs.debian.org
Subject: Bug#773836: fixed in glance 2014.1.3-6
Date: Thu, 25 Dec 2014 10:19:14 +0000
Source: glance
Source-Version: 2014.1.3-6

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773836@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 25 Dec 2014 17:28:05 +0800
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.1.3-6
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 773836
Changes:
 glance (2014.1.3-6) unstable; urgency=high
 .
   * Added restrict_client_download_and_delete_files_in_glance-api_juno.patch
     from upstream (Closes: #773836).
   * Build-depends on openstack-pkg-tools (>= 20~) to ensure we have the
     systemd fixes.
Checksums-Sha1:
 a5c5d62b1ac1023803725ce388f3f76a9682d17f 3438 glance_2014.1.3-6.dsc
 6fb5d8f44ea75bf449e7be118a11c86d525fba62 39152 glance_2014.1.3-6.debian.tar.xz
 f313a8ae542a9b2cd6925c1ba64fd8025f258607 407610 python-glance_2014.1.3-6_all.deb
 29eaa71d12288ef8a648c30a3a482e207bf146c0 9290 glance_2014.1.3-6_all.deb
 d8ddc7ee7578265987aab995eb677916411fec6c 215192 python-glance-doc_2014.1.3-6_all.deb
 f19a35b1307ba80fcd83c608d614714f357470b7 43228 glance-common_2014.1.3-6_all.deb
 a18ead101d4949e97fd0987ff800b1adf47d831d 38818 glance-api_2014.1.3-6_all.deb
 67c07c1fbadddda54710311c60d52828977cd252 14022 glance-registry_2014.1.3-6_all.deb
Checksums-Sha256:
 b0f3111ede34a0f1f8005e9a78dd3fec2e1ff232d3d585eb090283d35289c068 3438 glance_2014.1.3-6.dsc
 d475263a0dd9b44975fb6e97e430a7a12b1b1980c77fe539e2829dbab024012d 39152 glance_2014.1.3-6.debian.tar.xz
 fa4a516d9b159811cf1885562b317dc58b15de70beb55b80063b824e39801de7 407610 python-glance_2014.1.3-6_all.deb
 8f03a9e2fd2243138e925d202ed98809c74c065f0cef3eb4c49003c2df7880bd 9290 glance_2014.1.3-6_all.deb
 f775ff96d17129d3a89e04fe5233441c3166cb3042a81f1e8b170d585b427492 215192 python-glance-doc_2014.1.3-6_all.deb
 831a883797de4dad8d88c7e04092e82d7b3b585dca2b0b1c1ec33801320d1c37 43228 glance-common_2014.1.3-6_all.deb
 ef965846dfb83459bd66e2fc6a548eec76152a755457db08c21e9499ecd4fc29 38818 glance-api_2014.1.3-6_all.deb
 d42653b6aee37824f7bd713710ffc7fd3886901b5e7551a1d7193f4cb1c781f0 14022 glance-registry_2014.1.3-6_all.deb
Files:
 e7bbdad2cf539ae95e311b235feef062 3438 net extra glance_2014.1.3-6.dsc
 70b91c95e835746c7752e1e3e6a156e5 39152 net extra glance_2014.1.3-6.debian.tar.xz
 3c9992e1e75782a7e824be2ea3f0cc33 407610 python extra python-glance_2014.1.3-6_all.deb
 05fe4f3deaeeb8688779a0350e5eb72f 9290 python extra glance_2014.1.3-6_all.deb
 4e073ee5a11c2ae00ac922ce80db389f 215192 doc extra python-glance-doc_2014.1.3-6_all.deb
 bcc1d39cb81709461c1c29230225ff04 43228 python extra glance-common_2014.1.3-6_all.deb
 4c048071f94457d85eb656352ebd738e 38818 python extra glance-api_2014.1.3-6_all.deb
 8bed0dfe46a6723c72971358f0bd6a97 14022 python extra glance-registry_2014.1.3-6_all.deb





Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 25 Dec 2014 15:39:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 25 Dec 2014 15:39:14 GMT)


Message #15 received at 773836-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 773836-close@bugs.debian.org
Subject: Bug#773836: fixed in glance 2014.2.1-2
Date: Thu, 25 Dec 2014 15:34:39 +0000
Source: glance
Source-Version: 2014.2.1-2

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773836@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 25 Dec 2014 17:24:40 +0800
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.2.1-2
Distribution: experimental
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 773836
Changes:
 glance (2014.2.1-2) experimental; urgency=medium
 .
   * Added restrict_client_download_and_delete_files_in_glance-api_juno.patch
     from upstream (Closes: #773836).
Checksums-Sha1:
 09c9cf854a6dc0801691b37663ea505a2e5bdba3 3706 glance_2014.2.1-2.dsc
 53ad31c733804a2238005ea39261eb0ae0bfd8b9 204816 glance_2014.2.1-2.debian.tar.xz
 8a64026359ef939bb8fdce09dbdd3fc04f0ca506 586150 python-glance_2014.2.1-2_all.deb
 13dc43b042206d14f1c080404586d96f6874eb50 213772 glance_2014.2.1-2_all.deb
 270d3d6b191c040ff16a6bdcea68771031379a7c 428222 python-glance-doc_2014.2.1-2_all.deb
 f56280c4d027cd9e5c2fcaa67b3fddeb24c6d84f 248220 glance-common_2014.2.1-2_all.deb
 d384e5dc8dbc4a7a55c7e94bc749869d7c763e5d 243304 glance-api_2014.2.1-2_all.deb
 f319dc3a8f462e8f75b393423730f162daf45c6a 218526 glance-registry_2014.2.1-2_all.deb
Checksums-Sha256:
 841525637d60d527a5755904eabb3dd9a0d63c89a78317f8f0c8ccc7fd57df86 3706 glance_2014.2.1-2.dsc
 f217f24a7a8e62e6758eab68de6843d6221bfe7ec5854f3bb7fa2ef0cf818901 204816 glance_2014.2.1-2.debian.tar.xz
 59f00cb0ed180925e21e14f4b8a15388f2098664175639c71573e81b7ca1bde2 586150 python-glance_2014.2.1-2_all.deb
 ce60d6bd76b3318c6cae506254742e3e335f628793fd1eef241b048726766268 213772 glance_2014.2.1-2_all.deb
 1c8488f383a4250937954db9e31eeb7da5662cb3ea918a69f1702662548d08a7 428222 python-glance-doc_2014.2.1-2_all.deb
 0dd874309ce81844bbcdc65a7b685e59e9ab3d7f8c89f37c2e33c234132970ab 248220 glance-common_2014.2.1-2_all.deb
 ffd604d9567b51676515276efa9fc6be724e1705c43970c0e8ed963798b1ae0c 243304 glance-api_2014.2.1-2_all.deb
 cbaaee1fbb1aec7d879278cd7b7eadf8ac59779897af628bfa4c015569b4c8be 218526 glance-registry_2014.2.1-2_all.deb
Files:
 abb70b3decb5c7ffe11657a9823f8c9c 3706 net extra glance_2014.2.1-2.dsc
 ada1e18ac552a56f2b564aa611fca20f 204816 net extra glance_2014.2.1-2.debian.tar.xz
 a5ff49ac382af333eb1be61a742f1b61 586150 python extra python-glance_2014.2.1-2_all.deb
 42f4e7c23c8f1efa0db011f94c0bfe18 213772 python extra glance_2014.2.1-2_all.deb
 dec18cab34f62a7fe02b345e4389d570 428222 doc extra python-glance-doc_2014.2.1-2_all.deb
 695def7c7a3609590d4b1ad89efec669 248220 python extra glance-common_2014.2.1-2_all.deb
 ffee8a68be947d8200aff0029ae0cbb7 243304 python extra glance-api_2014.2.1-2_all.deb
 61740b7239e7641b30a34548e46a8cf7 218526 python extra glance-registry_2014.2.1-2_all.deb





Changed Bug title to 'glance: CVE-2014-9493: unrestricted path traversal flaw' from 'glance: unrestricted path traversal flaw'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2015 04:39:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Feb 2015 07:29:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:06:42 2019; Machine Name: beach
