Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 520352 (CVE-2014-5356) - <app-admin/glance-2014.1.2: Glance store DoS through disk space exhaustion (OSSA 2014-028) (CVE-2014-5356)
Summary: <app-admin/glance-2014.1.2: Glance store DoS through disk space exhaustion (O...
Alias: CVE-2014-5356
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2014-08-20 19:58 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-09-10 06:31 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-20 19:58:31 UTC
From ${URL}:
A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 to 2014.1.2 (K_F: version edited from original message due to followup to list)

Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
vulnerability in Glance. By uploading a large enough image to a Glance
store, an authenticated user may fill the store space because the
image_size_cap configuration option is not honored. This may prevent
further image upload and/or cause service disruption. Note that the
import method is not affected. All Glance setups using API v2 are
affected (unless you use a policy to restrict/disable image upload).


Thanks in advance,
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-21 20:40:28 UTC
fixed in =app-admin/glance-2014.1.2

vulnerable removed from tree
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-21 21:07:05 UTC
Thanks for the ebuild and cleanup. 

No stable versions, closing noglsa.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-09-10 06:31:43 UTC
CVE-2014-5356 (
  OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4,
  2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does
  not properly enforce the image_size_cap configuration option, which allows
  remote authenticated users to cause a denial of service (disk consumption)
  by uploading a large image.