Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 488548 (CVE-2013-4428) - <app-admin/glance-2013.1.4: image_download policy not enforced for cached images (CVE-2013-4428)
Summary: <app-admin/glance-2013.1.4: image_download policy not enforced for cached im...
Alias: CVE-2013-4428
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2013-10-19 06:38 UTC by Mikle Kolyada
Modified: 2013-11-19 04:13 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-19 06:38:42 UTC
from ${URL}:

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public,
although an advisory was not sent yet.

Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: Folsom, Grizzly

Stuart McLaren from HP reported a vulnerability in Glance download_image
policy enforcement in the case of cached images. Deployers may opt to
set a download_image policy to restrict image download to specific
roles. However, when an image is previously cached by an authorized
download, any authenticated user could download image contents if it can
determine the image UUID, bypassing any download_image policy
restrictions. This could result in disclosure of image contents that
were thought to be protected by the download_image policy setting. Only
setups making use of the download_image policy are affected.


Thanks in advance,

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-29 05:18:40 UTC
grizzly fixed, but the next folsom release should be out soon.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:32:22 UTC
CVE-2013-4428 (
  OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly
  before 2013.1.4, and Havana before 2013.2, when the image_download policy is
  configured, does not properly restrict access to cached images, which allows
  remote authenticated users to read otherwise restricted images via an image
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-19 03:51:46 UTC
folsom removed from tree, should be good to close now.