Bugzilla – Bug 941157
VUL-0: CVE-2015-5163: openstack-glance: host file disclosure through qcow2 backing file
Last modified: 2022-01-22 14:57:55 UTC
Via distros: This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date. Title: Glance v2 API host file disclosure through qcow2 backing file Reporter: Eric Harney (Red Hat) Products: Glance Affects: 2015.1.0 versions through 2015.1.1 Description: Eric Harney from Red Hat reported a vulnerability in Glance. By importing a qcow2 image with a malicious backing file, an authenticated user may mislead Glance import task action, resulting in the disclosure of any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw. Proposed patch: See attached patches. Unless a flaw is discovered in them, these patches will be merged to stable/kilo and master on the public disclosure date. CVE: CVE-2015-5163 Proposed public disclosure date/time: 2015-08-13, 1500UTC Please do not make the issue public (or release public patches) before this coordinated embargo date. Regards, -- Tristan Cacqueray OpenStack Vulnerability Management Team
Created attachment 643354 [details] cve-2015-5163-master-liberty.patch
Created attachment 643355 [details] cve-2015-5163-stable-kilo.patch
bugbot adjusting priority
> Affects: 2015.1.0 versions through 2015.1.1 SUSE:SLE-11-SP3:Update:Cloud4:Test:Update:Test: 2014.1.4.dev13 SUSE:SLE-11-SP3:Update:Cloud5:Test: 2014.2.3.dev4 SUSE:SLE-12-SP1:Update:Products:Cloud6: 2014.2.4.dev5 So this does not affect us. Cloud-Team, please confirm.
if it is really correct that this only affects Kilo or newer (which is something yet to verify), then we're not affected.
The patched file and function dont exist in Cloud5 so not affected.