Date: Sat, 13 Jun 2015 13:58:42 +0100
From: Dave Walker <email@...iey.com>
To: oss-security@...ts.openwall.com, Bastian Blank <waldi@...ian.org>
Cc: openstack-security@...ts.openstack.org
Subject: Re: CVE-2015-1850: OpenStack Cinder/Nova: Format-guessing and file disclosure in image convert

On 13 Jun 2015 10:17 am, "Bastian Blank" <waldi@...ian.org> wrote:
>
> Hi
>
> OpenStack Cinder and Nova do not provide input format to several calls
> of "qemu-img convert". In Cinder these calls are done as root. This
> allows the attacker to play the format guessing in qemu-img by providing
> input with a qcow2 signature. If this signature contains a base file,
> this file will be read by a process running as root and embedded in the
> output. This bug is similar to CVE-2013-1922 and has been assigned
> CVE-2015-1850.
>
> Tested with: lvm backed volume storage in Cinder, it may apply to others
> as well.
>
> Steps to reproduce:
> - create volume and attach to vm,
> - create a qcow2 signature on the volume containing a base-file from
>   within the vm and
> - trigger an upload to Glance with "cinder upload-to-image --disk-type
>   qcow2".
> The image uploaded to Glance will have the base-file from the
> cinder-volume host embedded.
>
> Affected versions: tested on 2014.1.3, found while reading 2014.2.1
>
> Timeline:
> - Reported upstream 2015-01-27
> - Published 2015-06-13
>
> Regards,
> Bastian Blank
>
> : qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
> : The disk-type != raw triggers the use of "qemu-img convert"

Hi,

+CC openstack-security

I see that this is being brought to oss-sec, but seemingly not via the OpenStack Security Group or Vulnerability Management Team.

CVE-2015-1850 is referenced in your mail, are you saying that this has been assigned to this issue? I cannot easily find any other reference of its allocation.

You said that this was raised upstream on 2015-01-27, do you have a Launchpad bug number or information on this discourse as to what was the outcome?

Thanks

--
Kind Regards,
Dave Walker
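
The format-guessing problem described in the quoted report, shown from the defender's side as an added example (not code from this thread or from OpenStack): a check for a qcow2 header that names a backing file at the start of a volume expected to be raw, and a command builder that refuses to run "qemu-img convert" without an explicit input format. The function names, the sample header and the device and output paths are assumptions constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"  # first four bytes of a qcow2 header


def probe_qcow2(header: bytes):
    """Return (is_qcow2, backing_file) for the leading bytes of a volume.

    Header layout (big-endian): magic[4], version u32,
    backing_file_offset u64, backing_file_size u32.
    """
    if len(header) < 20 or header[:4] != QCOW2_MAGIC:
        return (False, None)
    _version, offset, size = struct.unpack(">IQI", header[4:20])
    if offset == 0 or size == 0:
        return (True, None)
    # If the caller read too few bytes the name comes back truncated.
    name = header[offset:offset + size].decode("utf-8", "replace")
    return (True, name)


def convert_argv(src, dst, src_format, out_format):
    """Build a qemu-img convert command line that always names the input format."""
    if not src_format:
        raise ValueError("input format must be given; do not let qemu-img guess")
    return ["qemu-img", "convert", "-f", src_format, "-O", out_format, src, dst]


def sample_header(backing: bytes) -> bytes:
    """Constructed sample: a minimal qcow2-style header naming a backing file."""
    offset = 104  # arbitrary position past the fixed fields, chosen for the sample
    fixed = QCOW2_MAGIC + struct.pack(">IQI", 2, offset, len(backing))
    return fixed.ljust(offset, b"\0") + backing


if __name__ == "__main__":
    # Constructed inputs: a volume carrying a qcow2 signature, and a blank one.
    print(probe_qcow2(sample_header(b"/etc/passwd")))
    print(probe_qcow2(b"\0" * 512))
    # Hypothetical paths; "-f raw" makes qemu-img treat the bytes as plain data.
    print(convert_argv("/dev/vg/volume-x", "/tmp/upload.qcow2", "raw", "qcow2"))
```

With "-f raw" given, a qcow2 signature written inside the guest is copied as ordinary data instead of being interpreted, so no backing file on the host is opened.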