
Bug#775929: marked as done (unblock: glance/2014.1.3-11 (Fix for CVE-2015-1195 / #775926))



Your message dated Wed, 21 Jan 2015 19:28:43 +0000
with message-id <1421868523.31559.5.camel@adam-barratt.org.uk>
and subject line Re: Bug#775929: unblock: glance/2014.1.3-11 (Fix for CVE-2015-1195 / #775926)
has caused the Debian Bug report #775929,
regarding unblock: glance/2014.1.3-11 (Fix for CVE-2015-1195 / #775926)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
775929: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775929
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package glance. This is a security fix for CVE-2015-1195.
See #775926 for details.

Please unblock glance/2014.1.3-11. Debdiff attached.

Thomas Goirand (zigo)
diff -Nru glance-2014.1.3/debian/changelog glance-2014.1.3/debian/changelog
--- glance-2014.1.3/debian/changelog	2015-01-09 00:21:39.000000000 +0000
+++ glance-2014.1.3/debian/changelog	2015-01-21 16:24:22.000000000 +0000
@@ -1,3 +1,10 @@
+glance (2014.1.3-11) unstable; urgency=high
+
+  * CVE-2015-1195: fixes "Glance still allows users to download and delete any
+    file in glance-api server" by applying upstream patch (Closes: #775926).
+
+ -- Thomas Goirand <zigo@debian.org>  Wed, 21 Jan 2015 16:13:33 +0000
+
 glance (2014.1.3-10) unstable; urgency=medium
 
   * Removed dbc_upgrade = true check before db_sync.
diff -Nru glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch
--- glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch	1970-01-01 00:00:00.000000000 +0000
+++ glance-2014.1.3/debian/patches/CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch	2015-01-21 16:24:22.000000000 +0000
@@ -0,0 +1,113 @@
+Subject: Prevent file, swift+config and filesystem schemes
+ This change ensures that 'file', 'filesystem', and 'swift+config' URI schemes
+ are not allowed when setting the location field. A previous fix to
+ CVE-2014-9493 attempted to address this issue but did not include
+ 'filesystem', a URI scheme allowed by the glance_store.
+ .
+ Without this fix in place it is possible for a client to access any file the
+ glance-api server has read permissions for.
+Author: Grant Murphy <grant.murphy@hp.com>
+Date: Thu, 8 Jan 2015 00:09:38 +0000 (-0800)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fglance.git;a=commitdiff_plain;h=7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
+Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
+Bug-Ubuntu: https://launchpad.net/bugs/1408663
+Bug-Debian: https://bugs.debian.org/775926
+Last-Update: 2014-01-21
+
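Review bot: the `Last-Update: 2014-01-21` header is a typo; it predates the upstream commit `Date:` of 8 Jan 2015 in the same header, and the debdiff timestamps show the patch was added on 2015-01-21, so it should read `Last-Update: 2015-01-21`.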
+diff --git a/glance/store/__init__.py b/glance/store/__init__.py
+index 344311b..4974f0e 100644
+--- a/glance/store/__init__.py
++++ b/glance/store/__init__.py
+@@ -76,6 +76,8 @@ _ALL_STORES = [
+     'glance.store.vmware_datastore.Store'
+ ]
+ 
++RESTRICTED_URI_SCHEMAS = frozenset(['file', 'filesystem', 'swift+config'])
++
+ 
+ class BackendException(Exception):
+     pass
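Review bot: the new module-level constant is spelled RESTRICTED_URI_SCHEMAS while the function it is checked against below is get_known_schemes(); "scheme" is the URI term used elsewhere in this file, so RESTRICTED_URI_SCHEMES would be consistent. Minor, and not a blocker for the unblock.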
+@@ -434,10 +436,11 @@ def validate_external_location(uri):
+     :param uri: The URI of external image location.
+     :return: Whether given URI of external image location are OK.
+     """
+-    pieces = urlparse.urlparse(uri)
+-    valid_schemes = [scheme for scheme in get_known_schemes()
+-                     if scheme != 'file' and scheme != 'swift+config']
+-    return pieces.scheme in valid_schemes
++
++    # TODO(gm): Use a whitelist of allowed schemes
++    scheme = urlparse.urlparse(uri).scheme
++    return (scheme in get_known_schemes() and
++            scheme not in RESTRICTED_URI_SCHEMAS)
+ 
+ 
+ class ImageRepoProxy(glance.domain.proxy.Repo):
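Review bot: validate_external_location is still a blacklist: any scheme returned by get_known_schemes() that is not in RESTRICTED_URI_SCHEMAS is accepted, and the TODO added just above acknowledges a whitelist is the safer shape. The header of this very patch records that the CVE-2014-9493 fix missed 'filesystem' for exactly this reason, so a follow-up that enumerates the schemes that are allowed for external locations would close the class of bug rather than one more instance. As far as it goes, the change is correct and sufficient for the unblock.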
+diff --git a/glance/tests/unit/test_store_location.py b/glance/tests/unit/test_store_location.py
+index eac5590..ebe8fbb 100644
+--- a/glance/tests/unit/test_store_location.py
++++ b/glance/tests/unit/test_store_location.py
+@@ -524,12 +524,15 @@ class TestStoreLocation(base.StoreClearingUnitTest):
+ 
+         loc1 = {'url': 'file:///fake1.img.tar.gz', 'metadata': {}}
+         loc2 = {'url': 'swift+config:///xxx', 'metadata': {}}
++        loc3 = {'url': 'filesystem:///foo.img.tar.gz', 'metadata': {}}
+ 
+         # Test for insert location
+         image1 = TestStoreLocation.FakeImageProxy(utils.FakeStoreAPI())
+         locations = glance.store.StoreLocations(image1, [])
+         self.assertRaises(exception.BadStoreUri, locations.insert, 0, loc1)
++        self.assertRaises(exception.BadStoreUri, locations.insert, 0, loc3)
+         self.assertNotIn(loc1, locations)
++        self.assertNotIn(loc3, locations)
+ 
+         # Test for set_attr of _locations_proxy
+         image2 = TestStoreLocation.FakeImageProxy(utils.FakeStoreAPI())
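Review bot: loc3 is added to the insert checks, but the hunk ends where the '# Test for set_attr of _locations_proxy' section begins without a corresponding loc3 assertion shown there; loc2 is likewise defined but not asserted in the visible lines. If that section exercises loc1 and loc2, the filesystem case should be added to it too, so every path that sets a location covers the new scheme.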
+diff --git a/glance/tests/unit/v1/test_api.py b/glance/tests/unit/v1/test_api.py
+index bea15c7..5aa2818 100644
+--- a/glance/tests/unit/v1/test_api.py
++++ b/glance/tests/unit/v1/test_api.py
+@@ -1010,31 +1010,23 @@ class TestGlanceAPI(base.IsolatedUnitTest):
+ 
+     def test_add_copy_from_with_restricted_sources(self):
+         """Tests creates an image from copy-from with restricted sources"""
+-        fixture_headers = {'x-image-meta-store': 'file',
++        header_template = {'x-image-meta-store': 'file',
+                            'x-image-meta-disk-format': 'vhd',
+-                           'x-glance-api-copy-from': 'file:///etc/passwd',
+                            'x-image-meta-container-format': 'ovf',
+                            'x-image-meta-name': 'fake image #F'}
+ 
+-        req = webob.Request.blank("/images")
+-        req.method = 'POST'
+-        for k, v in six.iteritems(fixture_headers):
+-            req.headers[k] = v
+-        res = req.get_response(self.api)
+-        self.assertEqual(400, res.status_int)
+-
+-        fixture_headers = {'x-image-meta-store': 'file',
+-                           'x-image-meta-disk-format': 'vhd',
+-                           'x-glance-api-copy-from': 'swift+config://xxx',
+-                           'x-image-meta-container-format': 'ovf',
+-                           'x-image-meta-name': 'fake image #F'}
++        schemas = ["file:///etc/passwd",
++                   "swift+config:///xxx",
++                   "filesystem:///etc/passwd"]
+ 
+-        req = webob.Request.blank("/images")
+-        req.method = 'POST'
+-        for k, v in six.iteritems(fixture_headers):
+-            req.headers[k] = v
+-        res = req.get_response(self.api)
+-        self.assertEqual(400, res.status_int)
++        for schema in schemas:
++            req = webob.Request.blank("/images")
++            req.method = 'POST'
++            for k, v in six.iteritems(header_template):
++                req.headers[k] = v
++            req.headers['x-glance-api-copy-from'] = schema
++            res = req.get_response(self.api)
++            self.assertEqual(400, res.status_int)
+ 
+     def test_add_copy_from_upload_image_unauthorized_with_body(self):
+         rules = {"upload_image": '!', "modify_image": '@',
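Review bot: the list is named `schemas` but holds complete copy-from URIs ('file:///etc/passwd', 'swift+config:///xxx', 'filesystem:///etc/passwd'), not schemes; a name such as `restricted_sources` would match the test's own name, test_add_copy_from_with_restricted_sources. The loop refactor is otherwise an improvement over the two duplicated request blocks it replaces, and adding the filesystem case keeps the test in step with the new RESTRICTED_URI_SCHEMAS entry.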
diff -Nru glance-2014.1.3/debian/patches/series glance-2014.1.3/debian/patches/series
--- glance-2014.1.3/debian/patches/series	2015-01-09 00:21:39.000000000 +0000
+++ glance-2014.1.3/debian/patches/series	2015-01-21 16:24:22.000000000 +0000
@@ -2,3 +2,4 @@
 default-config.patch
 sql_conn-registry.patch
 restrict_client_download_and_delete_files_in_glance-api.patch
+CVE-2015-1195_Prevent_file_swift_config_and_filesystem_schemes.patch

--- End Message ---
--- Begin Message ---
On Wed, 2015-01-21 at 17:42 +0100, Thomas Goirand wrote:
> Please unblock package glance. This is a security fix for CVE-2015-1195.
> See #775926 for details.

Unblocked.

Regards,

Adam

--- End Message ---
