oss-sec mailing list archives
Re: CVE-2015-1850: OpenStack Cinder/Nova: Format-guessing and file disclosure in image convert
From: Dave Walker <email () daviey com>
Date: Sat, 13 Jun 2015 13:58:42 +0100
On 13 Jun 2015 10:17 am, "Bastian Blank" <waldi () debian org> wrote:
> Hi
>
> OpenStack Cinder and Nova do not provide input format to several calls of "qemu-img convert". In Cinder these calls are done as root. This allows the attacker to play the format guessing in qemu-img by providing input with a qcow2 signature. If this signature contains a base file, this file will be read by a process running as root and embedded in the output.
>
> This bug is similar to CVE-2013-1922 and has been assigned CVE-2015-1850.
>
> Tested with: lvm backed volume storage in Cinder, it may apply to others as well.
>
> Steps to reproduce:
> - create volume and attach to vm,
> - create a qcow2 signature on the volume containing a base-file[1] from within the vm and
> - trigger an upload to Glance with "cinder upload-to-image --disk-type qcow2"[2].
>
> The image uploaded to Glance will have the base-file from the cinder-volume host embedded.
>
> Affected versions: tested on 2014.1.3, found while reading 2014.2.1
>
> Timeline:
> - Reported upstream 2015-01-27
> - Published 2015-06-13
>
> Regards,
> Bastian Blank
>
> [1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
> [2]: The disk-type != raw triggers the use of "qemu-img convert"
Hi,

+CC openstack-security

I see that this is being brought to oss-sec, but seemingly not via the OpenStack Security Group or Vulnerability Management Team.

CVE-2015-1850 is referenced in your mail, are you saying that this has been assigned to this issue? I cannot easily find any other reference of its allocation.

You said that this was raised upstream on 2015-01-27, do you have a Launchpad bug number or information on this discourse as to what was the outcome?

Thanks

--
Kind Regards,
Dave Walker
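A defensive check for the condition in the quoted report, as an added example that is not part of this thread and is not OpenStack's code: it looks for a qcow2 signature naming a backing file at the start of a volume that is expected to be raw, and builds a "qemu-img convert" command line with the input format pinned via `-f`. The function names, the constructed sample bytes and the placeholder device path are assumptions made for the illustration.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
# First qcow2 header fields, big-endian: magic, version,
# backing_file_offset (u64), backing_file_size (u32).
HEADER = struct.Struct(">4sIQI")

def qcow2_backing_file(blob):
    """Inspect the leading bytes of a volume that is supposed to be raw.

    Returns None if there is no qcow2 signature, "" if there is one
    without a backing file, otherwise the backing file name."""
    if len(blob) < HEADER.size:
        return None
    magic, _version, offset, size = HEADER.unpack_from(blob)
    if magic != QCOW_MAGIC:
        return None
    if offset == 0 or size == 0:
        return ""
    if offset + size > len(blob):
        raise ValueError("backing file name lies outside the inspected bytes")
    return blob[offset:offset + size].decode("utf-8", "replace")

def convert_argv(src, dst, out_fmt, src_fmt="raw"):
    """argv for qemu-img convert with the input format pinned by the caller,
    so the content of src cannot select the driver."""
    return ["qemu-img", "convert", "-f", src_fmt, "-O", out_fmt, src, dst]

def constructed_sample(name=b"/etc/passwd"):
    """Constructed test bytes: 72-byte header area, then the name."""
    head = HEADER.pack(QCOW_MAGIC, 2, 72, len(name))
    return head.ljust(72, b"\x00") + name + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in (("guest-written header", constructed_sample()),
                        ("plain data", b"\x00" * 512)):
        print(label, "->", repr(qcow2_backing_file(blob)))
    # Placeholder source path, constructed for this example.
    print(" ".join(convert_argv("/dev/EXAMPLE-volume", "out.qcow2", "qcow2")))
```

With `-f raw` the guest-written header is copied as opaque data instead of being interpreted, so the backing file on the host is never opened.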