Bugzilla – Bug 934768
VUL-1: CVE-2015-1850: openstack-nova: Host file disclosure through qcow2 backing file
Last modified: 2017-08-04 09:01:19 UTC
http://seclists.org/oss-sec/2015/q2/704

> OpenStack Cinder and Nova do not provide input format to several calls
> of "qemu-img convert". In Cinder these calls are done as root. This
> allows the attacker to play the format guessing in qemu-img by providing
> input with a qcow2 signature. If this signature contains a base file,
> this file will be read by a process running as root and embedded in the
> output. This bug is similar to CVE-2013-1922 and has been assigned
> CVE-2015-1850.
>
> Tested with: lvm backed volume storage in Cinder, it may apply to others
> as well.
>
> Steps to reproduce:
> - create volume and attach to vm,
> - create a qcow2 signature on the volume containing a base-file[1] from
>   within the vm and
> - trigger an upload to Glance with "cinder upload-to-image --disk-type
>   qcow2"[2].
> The image uploaded to Glance will have the base-file from the
> cinder-volume host embedded.
>
> Affected versions: tested on 2014.1.3, found while reading 2014.2.1
>
> Timeline:
> - Reported upstream 2015-01-27
> - Published 2015-06-13
> [...]
>
> [1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
> [2]: The disk-type != raw triggers the use of "qemu-img convert"

References:
https://bugs.launchpad.net/cinder/+bug/1415087
https://bugzilla.redhat.com/show_bug.cgi?id=1231816

Waiting for nova confirmation.
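Added example, not part of the bug report and not OpenStack's own code: a defender-side check for the condition the advisory describes. It reads the qcow2 header fields (magic, backing_file_offset, backing_file_size) from a volume that is supposed to be raw, and builds a "qemu-img convert" command with the input format stated explicitly so qemu-img does no format guessing. The function names, the sample header bytes and the volume path are constructed for illustration.

```python
import struct
from typing import List, Optional

QCOW_MAGIC = b"QFI\xfb"           # first four bytes of every qcow2 image
HEADER = struct.Struct(">4sIQI")  # magic, version, backing_file_offset, backing_file_size


def qcow2_backing_file(blob: bytes) -> Optional[str]:
    """Return the backing-file name a qcow2 header declares, or None.

    `blob` is the first bytes of a volume that is supposed to hold raw data.
    """
    if len(blob) < HEADER.size:
        return None
    magic, _version, offset, size = HEADER.unpack_from(blob)
    if magic != QCOW_MAGIC or offset == 0 or size == 0:
        return None
    name = blob[offset:offset + size]
    if len(name) < size:
        # Header points past what we were given: still treat as suspicious.
        return "<backing file name beyond inspected bytes>"
    return name.decode("utf-8", errors="replace")


def convert_cmd(src: str, dest: str, out_fmt: str, src_fmt: str = "raw") -> List[str]:
    """Build a qemu-img convert command that never relies on format probing."""
    return ["qemu-img", "convert", "-f", src_fmt, "-O", out_fmt, src, dest]


def sample_volume_head() -> bytes:
    """Constructed sample: only the header fields the parser reads, not a full image."""
    name = b"/etc/passwd"
    offset = 512
    head = HEADER.pack(QCOW_MAGIC, 2, offset, len(name))
    return head.ljust(offset, b"\0") + name


if __name__ == "__main__":
    print(qcow2_backing_file(sample_volume_head()))   # header with a base file
    print(qcow2_backing_file(b"\0" * 4096))           # plain raw data
    # Constructed path; the explicit "-f raw" is the point.
    print(" ".join(convert_cmd("/dev/vg/volume-example", "/tmp/out.qcow2", "qcow2")))
```

With "-f raw" the qcow2 signature on the volume is copied as opaque data instead of being interpreted, so the backing-file reference is never followed on the host.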
bugbot adjusting priority
Still no fix upstream (for nova) as per https://bugs.launchpad.net/cinder/+bug/1415087 ; it seems there are some doubts that nova really is vulnerable for this bit.
https://bugs.launchpad.net/cinder/+bug/1415087#yui_3_10_3_1_1446110593667_390
https://review.openstack.org/#/c/191785/ was merged to cinder 2015-06-15
fixed in cloud 6, older products are out of support. Do you need this bug for something or can we close it?
fixed