|Summary:|<app-admin/glance-2015.1.1-r1: host file disclosure through qcow2 backing file (CVE-2015-5163)|
|Product:|Gentoo Security|
|Reporter:|Matthew Thode ( prometheanfire ) <prometheanfire>|
|Component:|Vulnerabilities|
|Assignee:|Gentoo Security <security>|
|Package list:||
|Runtime testing required:|---|
Description Matthew Thode ( prometheanfire ) 2015-08-14 05:25:01 UTC
Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0 versions through 2015.1.1

Description: Eric Harney from Red Hat reported a vulnerability in Glance. By importing a qcow2 image with a malicious backing file, an authenticated user may mislead the Glance import task action, resulting in the disclosure of any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw.
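The following check is an added example, not part of the original report and not Glance's own code: it reads the qcow2 header fields that carry a backing file reference, so an upload can be rejected before any tool that follows such references opens it. The function names, the sample path and the constructed headers are assumptions made for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Big-endian: magic, version, backing_file_offset (u64), backing_file_size (u32)
HEADER = struct.Struct(">4sIQI")
MAX_NAME = 1023  # qcow2 limits the backing file name to 1023 bytes


def qcow2_backing_file(data):
    """Return the backing file name from the leading bytes of an image.

    Returns None when the data is not qcow2 or references no backing file.
    Raises ValueError when a qcow2 header is truncated or inconsistent.
    """
    if data[:4] != QCOW2_MAGIC:
        return None  # other formats are out of scope for this check
    if len(data) < HEADER.size:
        raise ValueError("truncated qcow2 header")
    _magic, version, offset, size = HEADER.unpack_from(data)
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    if offset == 0:
        return None  # offset 0 means the image has no backing file
    if size == 0 or size > MAX_NAME or offset + size > len(data):
        raise ValueError("backing file name outside the inspected bytes")
    return data[offset:offset + size].decode("utf-8", errors="replace")


def import_allowed(data):
    """Fail closed: refuse backing-file references and malformed headers."""
    try:
        return qcow2_backing_file(data) is None
    except ValueError:
        return False


def sample_header(backing=b""):
    """Constructed 72-byte qcow2 v2 header for the demo, not a full image."""
    offset = 72 if backing else 0
    hdr = HEADER.pack(QCOW2_MAGIC, 2, offset, len(backing))
    return hdr.ljust(72, b"\0") + backing


if __name__ == "__main__":
    for name in (b"", b"/constructed/host-file.txt"):
        blob = sample_header(name)
        print(qcow2_backing_file(blob), import_allowed(blob))
```
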
Comment 1 Matthew Thode ( prometheanfire ) 2015-08-14 05:27:14 UTC
2015.1.1 has been out a while already and the patch doesn't backport cleanly; please stabilize =app-admin/glance-2015.1.1-r1.
Comment 2 Yury German 2015-08-14 14:14:28 UTC
Arches, please test and mark stable:
=app-admin/glance-2015.1.1-r1
Target Keywords : "amd64 x86"
Thank you!
Comment 3 Agostino Sarubbo 2015-08-20 08:49:16 UTC
Comment 4 Agostino Sarubbo 2015-08-20 08:50:10 UTC
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Comment 5 Yury German 2015-09-13 13:22:49 UTC
GLSA Vote: No