From ${URL} : Description of problem: when I try to create an image with tenant name and not tenant ID, the image is not created and no errors are issued. you simply cannot find the image. Version-Release number of selected component (if applicable): openstack-glance-2013.1.3-1.el6ost.noarch How reproducible: 100% Steps to Reproduce: 1. install AIO with local tgt storage (using packstack) 2. create a tenant and a user 3. create an image for the tenant using the tenant name 4. run glance image-list while logging in with user 5. run the same create command using tenant ID 6. run glance image-list while logging in with the user Actual results: image is no created with tenant name. no errors or indicators that the image was not created. Expected results: image should be created with tenant name if we decided not to allow create of image with tenant name we should block the command from running with missing param error ======== Upon further investigation Flavio Percoco of Red Hat reports: Ayal suggested this could also be a security issue. I went ahead and tested current behavior and indeed, this behavior could be used to inject images to other users. Scenario: - Create an image using user1 - Pick tenant's id of user2 and add it as a member of the image user1 just created - Use user2 to list images. This will list the image user1 created. I think this is an issue because it allows user from other tenants to sneak images with a backdoor to other tenants. @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Upstream is not going to fix this. https://bugs.launchpad.net/glance/+bug/1226078 see this link for more discussion https://bugs.launchpad.net/ossn/+bug/1226078
CVE-2013-4354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4354): The API before 2.1 in OpenStack Image Registry and Delivery Service (Glance) makes it easier for local users to inject images into arbitrary tenants by adding the tenant as a member of the image.
unccing since no fix will be provided upstream