Bug 892779 - (CVE-2014-5356) VUL-0: CVE-2014-5356: openstack-glance: Glance store disk space exhaustion
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Whiteboard: cloud:nextupdate maint:released:sle...
Reported: 2014-08-20 14:22 UTC by Alexander Bergmann
Modified: 2015-03-25 15:44 UTC
Found By: Security Response Team
Description Alexander Bergmann 2014-08-20 14:22:36 UTC
Via rh#1131770

The OpenStack project reports:

Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
vulnerability in Glance. By uploading a large enough image to a Glance
store, an authenticated user may fill the store space because the
image_size_cap configuration option is not honored. This may prevent
further image upload and/or cause service disruption. Note that the
import method is not affected. All Glance setups using API v2 are
affected (unless you use a policy to restrict/disable image upload).

This affects versions up to 2013.2.3 and 2014.1 to 2014.1.2.
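The advisory above says the store fills up because the image_size_cap option is not applied on the v2 upload path. The following Python sketch is an added illustration for this page and is not Glance's own code: it shows the property a correct upload path needs, namely that the cap is enforced on the bytes actually streamed from the client (not on a client-supplied Content-Length), so an oversized upload is cut off within one chunk of the cap and the partial data is discarded rather than left in the store. The names `CappedReader`, `try_upload` and `ImageSizeCapExceeded` are hypothetical; the sample image bytes are constructed inline.

```python
import hashlib
import io


class ImageSizeCapExceeded(Exception):
    """Raised as soon as an upload stream exceeds the configured cap."""


class CappedReader:
    """Hypothetical wrapper around a file-like upload stream.

    Counts every byte handed to the caller and aborts once the total passes
    `cap`, so the store never receives more than cap + one chunk of data
    regardless of what the client claimed in its request headers.
    """

    def __init__(self, stream, cap):
        self.stream = stream
        self.cap = cap
        self.bytes_read = 0

    def read(self, size=-1):
        chunk = self.stream.read(size)
        self.bytes_read += len(chunk)
        if self.bytes_read > self.cap:
            raise ImageSizeCapExceeded(
                "upload exceeds image_size_cap of %d bytes" % self.cap)
        return chunk


def try_upload(image_bytes, image_size_cap, chunk_size=64 * 1024):
    """Simulate storing one image under a size cap.

    Returns ("stored", bytes_written, sha256_hex) on success, or
    ("rejected", bytes_consumed, None) when the cap is hit. A BytesIO stands
    in for the backend store; on rejection it is closed so that no partial
    image occupies store space.
    """
    reader = CappedReader(io.BytesIO(image_bytes), image_size_cap)
    store = io.BytesIO()          # stands in for the filesystem/swift store
    digest = hashlib.sha256()
    written = 0
    try:
        while True:
            chunk = reader.read(chunk_size)
            if not chunk:
                break
            store.write(chunk)
            digest.update(chunk)
            written += len(chunk)
    except ImageSizeCapExceeded:
        store.close()             # roll back the partial write
        return ("rejected", reader.bytes_read, None)
    return ("stored", written, digest.hexdigest())


if __name__ == "__main__":
    # Constructed sample: a 1 MiB "image" of zero bytes.
    image = b"\x00" * (1024 * 1024)
    print(try_upload(image, image_size_cap=512 * 1024))   # rejected
    print(try_upload(image, image_size_cap=2 * 1024 * 1024)[:2])  # stored
```

The point of enforcing the limit inside `read()` rather than on a declared length is that the declared length is attacker-controlled and absent under chunked transfer encoding; the only reliable count is the one taken from the stream as it is consumed.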

Comment 1 Swamp Workflow Management 2014-08-20 22:00:12 UTC
bugbot adjusting priority
Comment 2 Vincent Untz 2014-08-22 17:47:05 UTC
Patches are committed upstream, so I guess we can just submit the packages for Cloud 3 and Cloud 4.
Comment 3 SMASH SMASH 2014-09-08 12:25:10 UTC
Affected packages:

SLE-11-SP3-CL4: openstack-glance
Comment 4 Swamp Workflow Management 2014-09-26 11:24:03 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-10-24.
Comment 6 Swamp Workflow Management 2014-10-31 17:06:29 UTC
SUSE-SU-2014:1341-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 892779,897815
CVE References: CVE-2014-5356
Sources used:
SUSE Cloud 4 (src):    openstack-glance-2014.1.3.dev8.gf43b1c2-0.7.1, openstack-glance-doc-2014.1.3.dev8.gf43b1c2-0.7.1
Comment 7 Bernhard Wiedemann 2014-12-12 08:45:25 UTC
Cloud 3 update still missing? It was submitted and accepted already