Bug 557526 (CVE-2015-5163)

Summary:	<app-admin/glance-2015.1.1-r1: host file disclosure through qcow2 backing file (CVE-2015-5163)
Product:	Gentoo Security	Reporter:	Matthew Thode ( prometheanfire ) <prometheanfire>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://seclists.org/oss-sec/2015/q3/355
Whiteboard:	C3 [noglsa/cve]
Package list:		Runtime testing required:	---

Description Matthew Thode ( prometheanfire ) archtester

2015-08-14 05:25:01 UTC

Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0 versions through 2015.1.1

Description:
Eric Harney from Red Hat reported a vulnerability in Glance. By
importing a qcow2 image with a malicious backing file, an authenticated
user may mislead Glance import task action, resulting in the disclosure
of any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this flaw.

Comment 1 Matthew Thode ( prometheanfire ) archtester

2015-08-14 05:27:14 UTC

2015.1.1 has been out a while already and the patch doesn't backport cleanly, please stabilize =app-admin/glance-2015.1.1-r1.

Comment 2 Yury German Gentoo Infrastructure

2015-08-14 14:14:28 UTC

Arches, please test and mark stable:

=app-admin/glance-2015.1.1-r1

Target Keywords : "amd64 x86"

Thank you!

Comment 3 Agostino Sarubbo gentoo-dev

2015-08-20 08:49:16 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2015-08-20 08:50:10 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 5 Yury German Gentoo Infrastructure

2015-09-13 13:22:49 UTC

GLSA Vote: No

Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev

2015-10-07 07:55:21 UTC

(In reply to Yury German from comment #5)
> GLSA Vote: No

GLSA Vote: No