A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.
Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Versions: up to 2013.2.3 and 2014.1 to 2014.1.2 (K_F: version edited from original message due to followup to list)
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
vulnerability in Glance. By uploading a large enough image to a Glance
store, an authenticated user may fill the store space because the
image_size_cap configuration option is not honored. This may prevent
further image upload and/or cause service disruption. Note that the
import method is not affected. All Glance setups using API v2 are
affected (unless you use a policy to restrict/disable image upload).
Thanks in advance,
fixed in =app-admin/glance-2014.1.2
vulnerable removed from tree
Thanks for the ebuild and cleanup.
No stable versions, closing noglsa.
OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4,
2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does
not properly enforce the image_size_cap configuration option, which allows
remote authenticated users to cause a denial of service (disk consumption)
by uploading a large image.