Bug 557526 (CVE-2015-5163) - <app-admin/glance-2015.1.1-r1: host file disclosure through qcow2 backing file (CVE-2015-5163)
Status: RESOLVED FIXED
Alias: CVE-2015-5163
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2015/q3/355
Whiteboard: C3 [noglsa/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-14 05:25 UTC by Matthew Thode ( prometheanfire )
Modified: 2015-10-07 07:55 UTC

See Also:
Package list:
Runtime testing required: ---
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-14 05:25:01 UTC
Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0 versions through 2015.1.1

Description:
Eric Harney from Red Hat reported a vulnerability in Glance. By
importing a qcow2 image with a malicious backing file, an authenticated
user may mislead Glance import task action, resulting in the disclosure
of any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this flaw.
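Added defensive example (not Glance's own code or the upstream fix): before an import task hands an uploaded image to the converter, parse the qcow2 header and refuse any image that declares a backing file, since that path is resolved on the Glance host. The sample images and the backing path are constructed here for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"


def qcow2_backing_file(data: bytes):
    """Return the backing-file path declared in a qcow2 header, or None.

    Raises ValueError on a malformed header so the caller rejects the image
    rather than letting a lower-level tool interpret it.
    """
    if data[:4] != QCOW2_MAGIC:
        return None  # not qcow2 (e.g. raw): no backing-file concept
    if len(data) < 72:
        raise ValueError("qcow2 header truncated")
    # Header layout (big-endian): version u32, backing_file_offset u64,
    # backing_file_size u32, starting right after the 4-byte magic.
    version, bf_offset, bf_size = struct.unpack_from(">IQI", data, 4)
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    if bf_offset == 0 and bf_size == 0:
        return None  # standalone image
    # The spec caps the name at 1023 bytes; also guard against offsets past EOF.
    if bf_size == 0 or bf_size > 1023 or bf_offset + bf_size > len(data):
        raise ValueError("backing file fields out of range")
    return data[bf_offset:bf_offset + bf_size].decode("utf-8", "replace")


def is_safe_to_import(data: bytes) -> bool:
    """Policy: only images without a backing file (or non-qcow2) may be imported."""
    try:
        return qcow2_backing_file(data) is None
    except ValueError:
        return False


def _build_qcow2(backing: bytes = b"") -> bytes:
    """Constructed sample: a minimal v3 header with no data clusters."""
    header_len = 104
    bf_offset = header_len if backing else 0
    hdr = struct.pack(">4sIQIIQIIQQIIQ", QCOW2_MAGIC, 3, bf_offset, len(backing),
                      16, 1 << 20, 0, 1, 0, 0, 0, 0, 0)
    hdr += struct.pack(">QQQII", 0, 0, 0, 4, header_len)  # v3 feature fields
    return hdr + backing


CLEAN_IMAGE = _build_qcow2()
BACKED_IMAGE = _build_qcow2(b"/path/on/glance/host")  # constructed placeholder path

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("backed", BACKED_IMAGE)):
        print(name, qcow2_backing_file(img), is_safe_to_import(img))
```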
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-14 05:27:14 UTC
2015.1.1 has been out a while already and the patch doesn't backport cleanly, please stabilize =app-admin/glance-2015.1.1-r1.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-14 14:14:28 UTC
Arches, please test and mark stable:

=app-admin/glance-2015.1.1-r1

Target Keywords : "amd64 x86"

Thank you!
Comment 3 Agostino Sarubbo gentoo-dev 2015-08-20 08:49:16 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-08-20 08:50:10 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2015-09-13 13:22:49 UTC
GLSA Vote: No
Comment 6 Kristian Fiskerstrand gentoo-dev Security 2015-10-07 07:55:21 UTC
(In reply to Yury German from comment #5)
> GLSA Vote: No

GLSA Vote: No