Bug 485544 (CVE-2013-4354) - app-admin/glance: image creation in other tenant accounts (CVE-2013-4354)
Summary: app-admin/glance: image creation in other tenant accounts (CVE-2013-4354)
Alias: CVE-2013-4354
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [upstream]
Reported: 2013-09-21 07:28 UTC by Agostino Sarubbo
Modified: 2016-03-29 07:10 UTC
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-09-21 07:28:31 UTC
From ${URL} :

Description of problem:

When I try to create an image with the tenant name and not the tenant ID, the image is not created and no
errors are issued.
You simply cannot find the image.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. install AIO with local tgt storage (using packstack)
2. create a tenant and a user 
3. create an image for the tenant using the tenant name
4. run glance image-list while logging in with user 
5. run the same create command using tenant ID
6. run glance image-list while logging in with the user

Actual results:

The image is not created with the tenant name.
No errors or indicators that the image was not created.

Expected results:

The image should be created with the tenant name.
If we decided not to allow creation of an image with the tenant name, we should block the command from
running with a missing-parameter error.


Upon further investigation Flavio Percoco of Red Hat reports:

Ayal suggested this could also be a security issue. I went ahead and tested current behavior and 
indeed, this behavior could be used to inject images to other users.

- Create an image using user1
- Pick tenant's id of user2 and add it as a member of the image user1 just created
- Use user2 to list images. This will list the image user1 created.

I think this is an issue because it allows users from other tenants to sneak images with a backdoor
into other tenants.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
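Added example, not code from this bug or from Glance itself: a minimal Python model of the membership rule the report describes (any tenant listed as a member of an image sees it in its image list, with no consent) beside the accept-before-listing rule that the Glance API 2.1 image-sharing change introduced, plus an audit helper that flags images another tenant pushed into a given tenant without that tenant accepting them. Tenant ids, image ids and the `Image` records are constructed for the example.

```python
"""Model of Glance image visibility before and after API 2.1 (added example).

Constructed sample data, not real Glance records. Pre-2.1 rule: any tenant
listed as a member sees the image in its image-list, no consent needed.
2.1 rule: a membership starts 'pending' and the image is listed for the
member tenant only once that tenant has set the membership to 'accepted'.
"""
from dataclasses import dataclass, field


@dataclass
class Image:
    image_id: str
    owner: str  # tenant id that created the image
    # member tenant id -> membership status ('pending', 'accepted', 'rejected')
    members: dict = field(default_factory=dict)


def visible_pre_21(images, tenant):
    """Vulnerable rule: owner or any member, regardless of consent."""
    return sorted(i.image_id for i in images
                  if i.owner == tenant or tenant in i.members)


def visible_21(images, tenant):
    """API 2.1 rule: owner, or a member whose membership the tenant accepted."""
    return sorted(i.image_id for i in images
                  if i.owner == tenant or i.members.get(tenant) == "accepted")


def audit_injected(images, tenant):
    """Defender's check: images from other tenants added to `tenant` that it never accepted."""
    return sorted((i.image_id, i.owner) for i in images
                  if i.owner != tenant and tenant in i.members
                  and i.members[tenant] != "accepted")


# Constructed scenario from the report: tenant t1 creates an image and adds
# tenant t2 as a member without t2's knowledge.
SAMPLE = [
    Image("img-own", "t2"),
    Image("img-sneaked", "t1", {"t2": "pending"}),
    Image("img-shared-ok", "t1", {"t2": "accepted"}),
    Image("img-private", "t1"),
]

if __name__ == "__main__":
    print("pre-2.1 list for t2:", visible_pre_21(SAMPLE, "t2"))
    print("2.1 list for t2:    ", visible_21(SAMPLE, "t2"))
    print("needs review:       ", audit_injected(SAMPLE, "t2"))
```

The audit output is what an operator would review (and reject or delete) on a deployment still exposing the pre-2.1 behaviour.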
Comment 1 Matthew Thode (prometheanfire) gentoo-dev 2013-11-19 03:58:24 UTC
Upstream is not going to fix this.

see this link for more discussion
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 22:11:36 UTC
CVE-2013-4354:
  The API before 2.1 in OpenStack Image Registry and Delivery Service (Glance)
  makes it easier for local users to inject images into arbitrary tenants by
  adding the tenant as a member of the image.
Comment 3 Matthew Thode (prometheanfire) gentoo-dev 2014-02-18 04:18:54 UTC
Un-CCing since no fix will be provided upstream.