Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 562156 (CVE-2015-5286) - <app-admin/glance-2015.1.1-r3: Glance storage quota bypass when token is expired (CVE-2015-5286)
Summary: <app-admin/glance-2015.1.1-r3: Glance storage quota bypass when token is expi...
Status: RESOLVED FIXED
Alias: CVE-2015-5286
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-03 19:17 UTC by Matthew Thode ( prometheanfire )
Modified: 2015-11-09 21:57 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-03 19:17:15 UTC 
Title: Glance storage overrun
Reporter: Mike Fedosin and Alexei Galkin (Mirantis)
Products: Glance
Affects: <=2014.2.3, >=2015.1.0, <=2015.1.1

Description:
Mike Fedosin and Alexei Galkin from Mirantis reported a vulnerability in
Glance. By deleting images that are being uploaded using a token that is
about to expire, a malicious user can overcome the storage quota and
accumulate untracked image data in the backend resulting in potential
resource exhaustion and denial of service. All Glance setups using the
V1 API are affected and all setups using the V2 API with the registry
db_api enabled are affected.

Reproducible: Always
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-03 19:18:18 UTC 
arches, please stabilize the following for amd64 and x86

=app-admin/glance-2015.1.1-r3
Comment 2 Agostino Sarubbo gentoo-dev 2015-10-04 09:31:43 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-10-04 09:32:22 UTC 
x86 stable.

Maintainer(s), please cleanup.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-04 18:47:37 UTC 
cleaned up
Comment 5 Ulenrich 2015-10-06 19:26:31 UTC 
Why is nearly every package in the portage tree
infected by this vulnerability
---
I just did
egencache --repo gentoo --update-changelogs
perhaps not related to this bug 
but a portage tree in git failure ...
Comment 6 Justin Lecher (RETIRED) gentoo-dev 2015-10-30 12:54:15 UTC 
Tree cleaned

commit 1d56fda8ae8dbf384176751bb5f0530cc7b48aee
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Oct 30 13:50:51 2015 +0100
    
    app-admin/glance: Clean vulnerable version
    
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=562156
    
    Package-Manager: portage-2.2.23
    Signed-off-by: Justin Lecher <jlec@gentoo.org>
    
    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d56fda8ae8dbf384176751bb5f0530cc7b48aee
Comment 7 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-30 13:55:22 UTC 
The new version of glance is 11.x.y the old naming scheme was date based. don't remove new versions of software.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-30 14:02:25 UTC 
GLSA Vote: No
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 21:57:52 UTC 
Vote: NO.