Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 13 Aug 2015 21:11:30 +0000
From: Tristan Cacqueray <tdecacqu@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2015-014] Glance v2 API host file disclosure through qcow2
 backing file (CVE-2015-5163)

============================================================================
OSSA-2015-014: Glance v2 API host file disclosure through qcow2 backing file
============================================================================

:Date: August 13, 2015
:CVE: CVE-2015-5163


Affects
~~~~~~~
- Glance: 2015.1 versions through 2015.1.1


Description
~~~~~~~~~~~
Eric Harney from Red Hat reported a vulnerability in Glance. By
importing a qcow2 image with a malicious backing file, an
authenticated user may mislead Glance import task action, resulting in
the disclosure of any file on the Glance server for which the Glance
process user has access to. Only setups using the Glance V2 API are
affected by this flaw.


Patches
~~~~~~~
- https://review.openstack.org/212568 (Kilo)
- https://review.openstack.org/212567 (Liberty)


Credits
~~~~~~~
- Eric Harney from Red Hat (CVE-2015-5163)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1471912
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5163


Notes
~~~~~
- This fix will be included in the future 2015.1.2 (kilo) release.

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team


Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.