
Bug#775929: unblock: glance/2014.1.3-11 (Fix for CVE-2015-1195 / #775926)



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package glance. This is a security fix for CVE-2015-1195.
See #775926 for details.

Please unblock glance/2014.1.3-11. Debdiff attached.

Thomas Goirand (zigo)
diff -Nru glance-2014.1.3/debian/changelog glance-2014.1.3/debian/changelog
--- glance-2014.1.3/debian/changelog	2015-01-09 00:21:39.000000000 +0000
+++ glance-2014.1.3/debian/changelog	2015-01-21 16:24:22.000000000 +0000
@@ -1,3 +1,10 @@
+glance (2014.1.3-11) unstable; urgency=high
+
+  * CVE-2015-1195: fixes "Glance still allows users to download and delete any
+    file in glance-api server" by applying upstream patch (Closes: #775926).
+
+ -- Thomas Goirand <zigo@debian.org>  Wed, 21 Jan 2015 16:13:33 +0000
+
 glance (2014.1.3-10) unstable; urgency=medium
 
   * Removed dbc_upgrade = true check before db_sync.
diff -Nru glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch
--- glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch	1970-01-01 00:00:00.000000000 +0000
+++ glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch	2015-01-21 16:24:22.000000000 +0000
@@ -0,0 +1,113 @@
+Subject: Prevent file, swift+config and filesystem schemes
+ This change ensures that 'file', 'filesystem', and 'swift+config' URI schemes
+ are not allowed when setting the location field. A previous fix to
+ CVE-2014-9493 attempted to address this issue but did not include
+ 'filesystem', a URI scheme allowed by the glance_store.
+ .
+ Without this fix in place it is possible for a client to access any file the
+ glance-api server has read permissions for.
+Author: Grant Murphy <grant.murphy@hp.com>
+Date: Thu, 8 Jan 2015 00:09:38 +0000 (-0800)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fglance.git;a=commitdiff_plain;h=7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
+Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
+Bug-Ubuntu: https://launchpad.net/bugs/1408663
+Bug-Debian: https://bugs.debian.org/775926
+Last-Update: 2014-01-21
+
+diff --git a/glance/store/__init__.py b/glance/store/__init__.py
+index 344311b..4974f0e 100644
+--- a/glance/store/__init__.py
++++ b/glance/store/__init__.py
+@@ -76,6 +76,8 @@ _ALL_STORES = [
+     'glance.store.vmware_datastore.Store'
+ ]
+ 
++RESTRICTED_URI_SCHEMAS = frozenset(['file', 'filesystem', 'swift+config'])
++
+ 
+ class BackendException(Exception):
+     pass
+@@ -434,10 +436,11 @@ def validate_external_location(uri):
+     :param uri: The URI of external image location.
+     :return: Whether given URI of external image location are OK.
+     """
+-    pieces = urlparse.urlparse(uri)
+-    valid_schemes = [scheme for scheme in get_known_schemes()
+-                     if scheme != 'file' and scheme != 'swift+config']
+-    return pieces.scheme in valid_schemes
++
++    # TODO(gm): Use a whitelist of allowed schemes
++    scheme = urlparse.urlparse(uri).scheme
++    return (scheme in get_known_schemes() and
++            scheme not in RESTRICTED_URI_SCHEMAS)
+ 
+ 
+ class ImageRepoProxy(glance.domain.proxy.Repo):
+diff --git a/glance/tests/unit/test_store_location.py b/glance/tests/unit/test_store_location.py
+index eac5590..ebe8fbb 100644
+--- a/glance/tests/unit/test_store_location.py
++++ b/glance/tests/unit/test_store_location.py
+@@ -524,12 +524,15 @@ class TestStoreLocation(base.StoreClearingUnitTest):
+ 
+         loc1 = {'url': 'file:///fake1.img.tar.gz', 'metadata': {}}
+         loc2 = {'url': 'swift+config:///xxx', 'metadata': {}}
++        loc3 = {'url': 'filesystem:///foo.img.tar.gz', 'metadata': {}}
+ 
+         # Test for insert location
+         image1 = TestStoreLocation.FakeImageProxy(utils.FakeStoreAPI())
+         locations = glance.store.StoreLocations(image1, [])
+         self.assertRaises(exception.BadStoreUri, locations.insert, 0, loc1)
++        self.assertRaises(exception.BadStoreUri, locations.insert, 0, loc3)
+         self.assertNotIn(loc1, locations)
++        self.assertNotIn(loc3, locations)
+ 
+         # Test for set_attr of _locations_proxy
+         image2 = TestStoreLocation.FakeImageProxy(utils.FakeStoreAPI())
+diff --git a/glance/tests/unit/v1/test_api.py b/glance/tests/unit/v1/test_api.py
+index bea15c7..5aa2818 100644
+--- a/glance/tests/unit/v1/test_api.py
++++ b/glance/tests/unit/v1/test_api.py
+@@ -1010,31 +1010,23 @@ class TestGlanceAPI(base.IsolatedUnitTest):
+ 
+     def test_add_copy_from_with_restricted_sources(self):
+         """Tests creates an image from copy-from with restricted sources"""
+-        fixture_headers = {'x-image-meta-store': 'file',
++        header_template = {'x-image-meta-store': 'file',
+                            'x-image-meta-disk-format': 'vhd',
+-                           'x-glance-api-copy-from': 'file:///etc/passwd',
+                            'x-image-meta-container-format': 'ovf',
+                            'x-image-meta-name': 'fake image #F'}
+ 
+-        req = webob.Request.blank("/images")
+-        req.method = 'POST'
+-        for k, v in six.iteritems(fixture_headers):
+-            req.headers[k] = v
+-        res = req.get_response(self.api)
+-        self.assertEqual(400, res.status_int)
+-
+-        fixture_headers = {'x-image-meta-store': 'file',
+-                           'x-image-meta-disk-format': 'vhd',
+-                           'x-glance-api-copy-from': 'swift+config://xxx',
+-                           'x-image-meta-container-format': 'ovf',
+-                           'x-image-meta-name': 'fake image #F'}
++        schemas = ["file:///etc/passwd",
++                   "swift+config:///xxx",
++                   "filesystem:///etc/passwd"]
+ 
+-        req = webob.Request.blank("/images")
+-        req.method = 'POST'
+-        for k, v in six.iteritems(fixture_headers):
+-            req.headers[k] = v
+-        res = req.get_response(self.api)
+-        self.assertEqual(400, res.status_int)
++        for schema in schemas:
++            req = webob.Request.blank("/images")
++            req.method = 'POST'
++            for k, v in six.iteritems(header_template):
++                req.headers[k] = v
++            req.headers['x-glance-api-copy-from'] = schema
++            res = req.get_response(self.api)
++            self.assertEqual(400, res.status_int)
+ 
+     def test_add_copy_from_upload_image_unauthorized_with_body(self):
+         rules = {"upload_image": '!', "modify_image": '@',
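Review bot: The DEP-3 header of the new patch file carries `Last-Update: 2014-01-21`, which predates both its own `Date:` line (8 Jan 2015) and the changelog entry (21 Jan 2015); this looks like a year typo and should presumably read `Last-Update: 2015-01-21`. Separately, the rewritten `validate_external_location` still works as a denylist: any scheme returned by `get_known_schemes()` that is not in `RESTRICTED_URI_SCHEMAS` is accepted, so a backend added to `_ALL_STORES` later would be reachable as an external location by default unless someone also extends the frozenset. The `# TODO(gm): Use a whitelist of allowed schemes` line in the hunk acknowledges this, but the Debian patch description does not; a sentence such as "This remains a denylist of schemes; new store backends are allowed unless added to RESTRICTED_URI_SCHEMAS" in the header would make the residual maintenance duty visible to whoever next touches the store list. The nested hunk for `validate_external_location` begins at its docstring, so the function signature and any callers are outside this view.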
diff -Nru glance-2014.1.3/debian/patches/series glance-2014.1.3/debian/patches/series
--- glance-2014.1.3/debian/patches/series	2015-01-09 00:21:39.000000000 +0000
+++ glance-2014.1.3/debian/patches/series	2015-01-21 16:24:22.000000000 +0000
@@ -2,3 +2,4 @@
 default-config.patch
 sql_conn-registry.patch
 restrict_client_download_and_delete_files_in_glance-api.patch
+CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch
