Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 507382 (CVE-2014-0162)

Summary: <app-admin/glance-2013.2.3-r1 : Remote code execution in Glance Sheepdog backend (CVE-2014-0162) (OSSA 2014-012)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-04-11 08:00:33 UTC
From ${URL} :

OpenStack Security Advisory: 2014-012
CVE: CVE-2014-0162
Date: April 10, 2014
Title: Remote code execution in Glance Sheepdog backend
Reporter: Paul McMillan (Nebula)
Products: Glance
Versions: from 2013.2 to 2013.2.3

Paul McMillan from Nebula reported a vulnerability in Glance Sheepdog
backend. By using a specially crafted location, a user allowed to insert
or modify Glance image metadata may trigger code execution on the Glance
host as the user the Glance service runs under. This may result in
Glance host unauthorized access and further compromise of the Glance
service. All setups using Glance server with the (enabled by default)
sheepdog backend are affected.

Juno (development branch) fix:

Icehouse (milestone-proposed branch) fix:

Havana fix:

This fix will be included in the icehouse-rc2 development milestone and
in a future 2013.2.4 release.


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-11 15:19:31 UTC
fixed in tree, vulnerable versions removed
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-11 15:48:29 UTC
Closing as noglsa.