Bug 941157 - (CVE-2015-5163) VUL-0: CVE-2015-5163: openstack-glance: host file disclosure through qcow2 backing file
VUL-0: CVE-2015-5163: openstack-glance: host file disclosure through qcow2 ba...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Cloud Bugs
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2015-08-10 15:54 UTC by Alexander Bergmann
Modified: 2022-01-22 14:57 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2015-08-10 15:54:14 UTC
Via distros:

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0 versions through 2015.1.1

Eric Harney from Red Hat reported a vulnerability in Glance. By
importing a qcow2 image with a malicious backing file, an authenticated
user may mislead Glance import task action, resulting in the disclosure
of any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this flaw.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/kilo and master on the public disclosure date.

CVE: CVE-2015-5163

Proposed public disclosure date/time:
2015-08-13, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.


Tristan Cacqueray
OpenStack Vulnerability Management Team
Comment 2 Alexander Bergmann 2015-08-10 15:58:27 UTC
Created attachment 643354 [details]
Comment 3 Alexander Bergmann 2015-08-10 15:58:49 UTC
Created attachment 643355 [details]
Comment 4 Swamp Workflow Management 2015-08-10 22:00:27 UTC
bugbot adjusting priority
Comment 5 Alexander Bergmann 2015-08-11 09:22:18 UTC
> Affects: 2015.1.0 versions through 2015.1.1

SUSE:SLE-11-SP3:Update:Cloud4:Test:Update:Test: 2014.1.4.dev13
SUSE:SLE-11-SP3:Update:Cloud5:Test:             2014.2.3.dev4
SUSE:SLE-12-SP1:Update:Products:Cloud6:         2014.2.4.dev5

So this does not affect us. Cloud-Team, please confirm.
Comment 6 Dirk Mueller 2015-08-12 15:20:52 UTC
if it is really correct that this only affects Kilo or newer (which is something yet to verify), then we're not affected.
Comment 7 Bernhard Wiedemann 2015-08-26 14:11:19 UTC
The patched file and function dont exist in Cloud5
so not affected.