Your message dated Tue, 24 Jan 2023 16:39:58 +0000 with message-id <[email protected]> and subject line Bug#1029563: fixed in glance 2:25.0.0-2 has caused the Debian Bug report #1029563, regarding CVE-2022-47951: vulnerability in VMDK image processing to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 1029563: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029563 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: glance-api Version: 2:25.0.0-1.1 Severity: grave Tags: patch This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date. Title: Arbitrary file access through custom VMDK flat descriptor Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH) Products: Cinder, Glance, Nova Affects: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0; Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0; Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0 Description: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH) reported a vulnerability in VMDK image processing for Cinder, Glance and Nova. By supplying a specially created VMDK flat image which references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server resulting in unauthorized access to potentially sensitive data. All Cinder deployments are affected; only Glance deployments with image conversion enabled are affected; all Nova deployments are affected. Proposed patch: See attached patches. Unless a flaw is discovered in them, these patches will be merged to their corresponding branches on the public disclosure date. Note that stable/wallaby and older branches are under extended maintenance and will receive no new point releases, but patches for some of them are provided as a courtesy. CVE: CVE-2022-47951 Proposed public disclosure date/time: 2023-01-24, 1500UTC Please do not make the issue public (or release public patches) before this coordinated embargo date. Original private report: https://launchpad.net/bugs/1996188 For access to read and comment on this report, please reply to me with your Launchpad username and I will subscribe you. -- Jeremy Stanley OpenStack Vulnerability Management Team
--- End Message ---
--- Begin Message ---Source: glance Source-Version: 2:25.0.0-2 Done: Thomas Goirand <[email protected]> We believe that the bug you reported is fixed in the latest version of glance, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thomas Goirand <[email protected]> (supplier of updated glance package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 24 Jan 2023 16:51:31 +0100 Source: glance Architecture: source Version: 2:25.0.0-2 Distribution: unstable Urgency: high Maintainer: Debian OpenStack <[email protected]> Changed-By: Thomas Goirand <[email protected]> Closes: 1029563 Changes: glance (2:25.0.0-2) unstable; urgency=high . * CVE-2022-47951: vulnerability in VMDK image processing. By supplying a specially created VMDK flat image which references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server resulting in unauthorized access to potentially sensitive data. Added upstream patch: CVE-2022-47951-Enforce_image_safety_during_image_conversion.patch (Closes: #1029563). Checksums-Sha1: f56b459a74f546285379f0e7c50dc75d8928fc1f 3787 glance_25.0.0-2.dsc 4dd37858906bebc273d42bd33b00c893e9259cbc 19280 glance_25.0.0-2.debian.tar.xz 9f6ae9809d8b67164125a61e0cfecd0ded251e40 18496 glance_25.0.0-2_amd64.buildinfo Checksums-Sha256: ee752adbf1e940c39e96db847d2bc4efd9b8c7d6f96a810106e1e64f4102e6f5 3787 glance_25.0.0-2.dsc c7acfc24801e95673f1f26eb3ea913c2be5f713bfe073d86bfffd8adaf87437a 19280 glance_25.0.0-2.debian.tar.xz c377e2c1f8a23e116b12e28b7e8e96a3cb04fe0c39886880b8fa55849ac75bf4 18496 glance_25.0.0-2_amd64.buildinfo Files: 1f777f000e31fe587a8616c98595325c 3787 net optional glance_25.0.0-2.dsc 5c821447f6032523ac8b0b83a64de4e4 19280 net optional glance_25.0.0-2.debian.tar.xz a020222d7de619a6a35e3e66865699d1 18496 net optional glance_25.0.0-2_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmPQAywACgkQ1BatFaxr Q/654A//UQZCTjEgUNNDjUmM8iZ1C0WtKsF5fnMY1AHXzw49XCq0GgbOeI1Gb1A5 krG0JPvn1qV/yoMUkDyBMj3YI+qUNp9TECzsX5yQbUodI6cnRXCDZxLmebCqAtNJ N2qDZ6j2nRylCX772QnR+DQwPEcuHZ8faUt+K7lQsAuPQhFD/FibhE9Q5Br7xRU1 PRPUBAjmwOtMKegVIpnlzDMZnTAi2lpNB0rkLL196yIe91zVZm/ZaDaf+GI586nR wSG0jsxGi7w2HCa/ZNJOuErmSy5xigk4CDgNKijdW5TVb3lbDj5Z0Kkh9ekOYeA3 ZzRjkxOPdIad5qy58UAaDSdAbwhDehNcZocmobW210fjVbBRwH7KpoFiPRfbuZkS 6Q4JTPompmqAPeniGLou8leFi0rcxJtbAlhMNWFkd9aBSFGOavpP7c5H1/geDui5 Ds1g88WsaDbBW5JWZZzsCy1tf349KAq4DXHI7C9Y3LKW3DnFVzEcfm52DewmSc/1 qCo6i7QIKxzmMoVm0/MzHZYumY00RPum2IhcvRKA371zPiaXjD83yfLkTaB2voWu XcD7TG4NC21fNo38BWpBQwM38mqrsn7hK7uD+XYMa4K6Sn0SZ5cGs8i84HRO6lIw MeiTg90PTlQ1tZD4DEoVtDjlDXHkBbOPtUEELY2QVU/T6IhD0Gk= =Nsjq -----END PGP SIGNATURE-----
--- End Message ---
