Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Dear release team, Please unblock package glance. This is a security fix for CVE-2015-1195: without it an authenticated client can set an image location with a 'filesystem' URI scheme (missed by the earlier CVE-2014-9493 fix) and thereby read or delete any file the glance-api server can read. The upload only applies the upstream patch; see #775926 for details. Please unblock glance/2014.1.3-11. Debdiff attached. Thomas Goirand (zigo)
diff -Nru glance-2014.1.3/debian/changelog glance-2014.1.3/debian/changelog
--- glance-2014.1.3/debian/changelog 2015-01-09 00:21:39.000000000 +0000
+++ glance-2014.1.3/debian/changelog 2015-01-21 16:24:22.000000000 +0000
@@ -1,3 +1,10 @@
+glance (2014.1.3-11) unstable; urgency=high
+
+ * CVE-2015-1195: fixes "Glance still allows users to download and delete any
+ file in glance-api server" by applying upstream patch (Closes: #775926).
+
+ -- Thomas Goirand <[email protected]> Wed, 21 Jan 2015 16:13:33 +0000
+
 glance (2014.1.3-10) unstable; urgency=medium
 
 * Removed dbc_upgrade = true check before db_sync.
diff -Nru glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch
--- glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch 1970-01-01 00:00:00.000000000 +0000
+++ glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch 2015-01-21 16:24:22.000000000 +0000
@@ -0,0 +1,113 @@
+Subject: Prevent file, swift+config and filesystem schemes
+ This change ensures that 'file', 'filesystem', and 'swift+config' URI schemes
+ are not allowed when setting the location field. A previous fix to
+ CVE-2014-9493 attempted to address this issue but did not include
+ 'filesystem', a URI scheme allowed by the glance_store.
+ .
+ Without this fix in place it is possible for a client to access any file the
+ glance-api server has read permissions for.
+Author: Grant Murphy <[email protected]>
+Date: Thu, 8 Jan 2015 00:09:38 +0000 (-0800)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fglance.git;a=commitdiff_plain;h=7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
+Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
+Bug-Ubuntu: https://launchpad.net/bugs/1408663
+Bug-Debian: https://bugs.debian.org/775926
+Last-Update: 2014-01-21
+
+diff --git a/glance/store/__init__.py b/glance/store/__init__.py
+index 344311b..4974f0e 100644
+--- a/glance/store/__init__.py
++++ b/glance/store/__init__.py
+@@ -76,6 +76,8 @@ _ALL_STORES = [
+ 'glance.store.vmware_datastore.Store'
+ ]
+
++RESTRICTED_URI_SCHEMAS = frozenset(['file', 'filesystem', 'swift+config'])
++
+
+
+ class BackendException(Exception):
+ pass
+@@ -434,10 +436,11 @@ def validate_external_location(uri):
+ :param uri: The URI of external image location.
+ :return: Whether given URI of external image location are OK.
+ """
+- pieces = urlparse.urlparse(uri)
+- valid_schemes = [scheme for scheme in get_known_schemes()
+- if scheme != 'file' and scheme != 'swift+config']
+- return pieces.scheme in valid_schemes
++
++ # TODO(gm): Use a whitelist of allowed schemes
++ scheme = urlparse.urlparse(uri).scheme
++ return (scheme in get_known_schemes() and
++ scheme not in RESTRICTED_URI_SCHEMAS)
+
+
+ class ImageRepoProxy(glance.domain.proxy.Repo):
+diff --git a/glance/tests/unit/test_store_location.py b/glance/tests/unit/test_store_location.py
+index eac5590..ebe8fbb 100644
+--- a/glance/tests/unit/test_store_location.py
++++ b/glance/tests/unit/test_store_location.py
+@@ -524,12 +524,15 @@ class TestStoreLocation(base.StoreClearingUnitTest):
+
+ loc1 = {'url': 'file:///fake1.img.tar.gz', 'metadata': {}}
+ loc2 = {'url': 'swift+config:///xxx', 'metadata': {}}
++ loc3 = {'url': 'filesystem:///foo.img.tar.gz', 'metadata': {}}
+
+ # Test for insert location
+ image1 = TestStoreLocation.FakeImageProxy(utils.FakeStoreAPI())
+ locations = glance.store.StoreLocations(image1, [])
+ self.assertRaises(exception.BadStoreUri, locations.insert, 0, loc1)
++ self.assertRaises(exception.BadStoreUri, locations.insert, 0, loc3)
+ self.assertNotIn(loc1, locations)
++ self.assertNotIn(loc3, locations)
+
+ # Test for set_attr of _locations_proxy
+ image2 = TestStoreLocation.FakeImageProxy(utils.FakeStoreAPI())
+diff --git a/glance/tests/unit/v1/test_api.py b/glance/tests/unit/v1/test_api.py
+index bea15c7..5aa2818 100644
+--- a/glance/tests/unit/v1/test_api.py
++++ b/glance/tests/unit/v1/test_api.py
+@@ -1010,31 +1010,23 @@ class TestGlanceAPI(base.IsolatedUnitTest):
+
+ def test_add_copy_from_with_restricted_sources(self):
+ """Tests creates an image from copy-from with restricted sources"""
+- fixture_headers = {'x-image-meta-store': 'file',
++ header_template = {'x-image-meta-store': 'file',
+ 'x-image-meta-disk-format': 'vhd',
+- 'x-glance-api-copy-from': 'file:///etc/passwd',
+ 'x-image-meta-container-format': 'ovf',
+ 'x-image-meta-name': 'fake image #F'}
+
+- req = webob.Request.blank("/images")
+- req.method = 'POST'
+- for k, v in six.iteritems(fixture_headers):
+- req.headers[k] = v
+- res = req.get_response(self.api)
+- self.assertEqual(400, res.status_int)
+-
+- fixture_headers = {'x-image-meta-store': 'file',
+- 'x-image-meta-disk-format': 'vhd',
+- 'x-glance-api-copy-from': 'swift+config://xxx',
+- 'x-image-meta-container-format': 'ovf',
+- 'x-image-meta-name': 'fake image #F'}
++ schemas = ["file:///etc/passwd",
++ "swift+config:///xxx",
++ "filesystem:///etc/passwd"]
+
+- req = webob.Request.blank("/images")
+- req.method = 'POST'
+- for k, v in six.iteritems(fixture_headers):
+- req.headers[k] = v
+- res = req.get_response(self.api)
+- self.assertEqual(400, res.status_int)
++ for schema in schemas:
++ req = webob.Request.blank("/images")
++ req.method = 'POST'
++ for k, v in six.iteritems(header_template):
++ req.headers[k] = v
++ req.headers['x-glance-api-copy-from'] = schema
++ res = req.get_response(self.api)
++ self.assertEqual(400, res.status_int)
+
+ def test_add_copy_from_upload_image_unauthorized_with_body(self):
+ rules = {"upload_image": '!', "modify_image": '@',
diff -Nru glance-2014.1.3/debian/patches/series glance-2014.1.3/debian/patches/series
--- glance-2014.1.3/debian/patches/series 2015-01-09 00:21:39.000000000 +0000
+++ glance-2014.1.3/debian/patches/series 2015-01-21 16:24:22.000000000 +0000
@@ -2,3 +2,4 @@
 default-config.patch
 sql_conn-registry.patch
 restrict_client_download_and_delete_files_in_glance-api.patch
+CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch
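Review bot: validate_external_location is still a deny-list: RESTRICTED_URI_SCHEMAS names the three schemes known to resolve on the glance-api host, and every other scheme that get_known_schemes() reports is accepted, which is exactly the shape of the CVE-2014-9493 fix this patch supersedes and the reason 'filesystem' was missed; the new `# TODO(gm)` already points at an allow-list, and a stable backport that cannot switch to one should at least derive the set from the filesystem store's own scheme list (presumably it exposes a get_schemes() like the other stores — verify) so the two cannot drift again. The frozenset also deserves a why-comment, since nothing next to it says what the three entries have in common: `# Schemes that resolve on the glance-api host's own filesystem or config; an external image location must never point there (CVE-2014-9493, CVE-2015-1195).` In the test_store_location hunk, the new assertions cover loc1 and loc3 only, while loc2 (swift+config) is defined but not asserted within the visible lines; if it is exercised further down, outside the hunk, fine, otherwise the swift+config path has no insert-side regression test here. Minor: the DEP-3 header carries `Last-Update: 2014-01-21` while Date and the changelog entry are January 2015, which looks like a typo. The signature and docstring start of validate_external_location are outside the hunk.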

