
Bug 540678 (CVE-2014-9684)

Summary: app-admin/glance: Glance import task leaks image in backend (CVE-2014-9684,CVE-2015-1881)
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2015/q1/600
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-19 15:48:27 UTC
From ${URL}:
A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.

Title: Glance import task leaks image in backend
Reporter: Abhishek Kekane (NTT)
Products: Glance
Affects: 2014.2 versions through 2014.2.2

Description:
Abhishek Kekane from NTT reported a vulnerability in the Glance import task.
By creating numerous images using the task API and deleting them, an
authenticated attacker may accumulate untracked image data in the backend
resulting in potential resource exhaustion and denial of service. All glance
setups using API v2 are affected.

References:
https://launchpad.net/bugs/1420696
https://launchpad.net/bugs/1422716

Thanks in advance,

##

@maintainers: since this package has not been stabilized, please remove the vulnerable packages after bump.

Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-09 01:28:14 UTC
fixed in 2014.2.2-r1

no vuln versions in tree

Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 21:34:57 UTC
CVE-2015-1881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1881):
  OpenStack Image Registry and Delivery Service (Glance) 2014.2 through
  2014.2.2 does not properly remove images, which allows remote authenticated
  users to cause a denial of service (disk consumption) by creating a large
  number of images using the task v2 API and then deleting them, a different
  vulnerability than CVE-2014-9684.

CVE-2014-9684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9684):
  OpenStack Image Registry and Delivery Service (Glance) 2014.2 through
  2014.2.2 does not properly remove images, which allows remote authenticated
  users to cause a denial of service (disk consumption) by creating a large
  number of images using the task v2 API and then deleting them before the
  uploads finish, a different vulnerability than CVE-2015-1881.
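
Both CVEs describe image data left in the backend with no image record pointing at it. The reconciliation check below is an added example, not part of this bug report or of Glance's code: it lists store objects that no tracked image ID accounts for. It assumes a filesystem-style backend where each object is named after its image UUID and a set of tracked IDs obtained separately from the image service; `find_orphans`, `GRACE_SECONDS` and the sample store are hypothetical and constructed.

```python
import os
import tempfile
import time
import uuid

GRACE_SECONDS = 3600  # assumption: uploads still in flight are younger than this


def find_orphans(store_dir, tracked_ids, now=None, grace=GRACE_SECONDS):
    """Return (orphans, total_bytes) for store files with no tracked image record.

    Assumes a filesystem-style backend where each object is named after its
    image UUID; tracked_ids is the set of IDs the image service still knows.
    """
    now = time.time() if now is None else now
    orphans, total = [], 0
    for entry in os.scandir(store_dir):
        if not entry.is_file(follow_symlinks=False):
            continue
        try:
            image_id = str(uuid.UUID(entry.name))  # skip non-image files
        except ValueError:
            continue
        st = entry.stat(follow_symlinks=False)
        if image_id in tracked_ids or now - st.st_mtime < grace:
            continue  # still tracked, or possibly an upload in progress
        orphans.append((image_id, st.st_size))
        total += st.st_size
    return sorted(orphans), total


def demo():
    """Build a constructed store: one tracked image, one old leak, one fresh upload."""
    tracked, leaked, fresh = (str(uuid.uuid4()) for _ in range(3))
    with tempfile.TemporaryDirectory() as store:
        for name, size in ((tracked, 10), (leaked, 2048), (fresh, 512), ("README", 5)):
            with open(os.path.join(store, name), "wb") as fh:
                fh.write(b"\0" * size)
        old = time.time() - 2 * GRACE_SECONDS
        for name in (tracked, leaked):
            os.utime(os.path.join(store, name), (old, old))
        orphans, total = find_orphans(store, {tracked})
    return orphans == [(leaked, 2048)], total


if __name__ == "__main__":
    print(demo())
```

The grace window keeps an upload that is still being written from being reported; a steadily growing orphan byte total is the disk-consumption signal the CVE descriptions refer to.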