[pre-OSSA] Vulnerability in OpenStack Glance (CVE-2016-0757) / Glance image status manipulation through locations removal (OSSA-2016-006)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | Critical | Kairat Kushaev |
7.0.x | Fix Released | Critical | Denis Puchkin |
8.0.x | Fix Released | Critical | Kairat Kushaev |
Bug Description
This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.
Title: Glance image status manipulation through locations removal
Reporter: Erno Kuvaja (HPE)
Products: Glance
Affects: <=2015.1.2, >=11.0.0 <= 11.0.1
Description:
Erno Kuvaja from HPE reported a vulnerability in Glance. By removing the
last location of an image, an authenticated user may change the image
status back to queued and may then be able to upload new image data,
breaking Glance's image immutability promise. A malicious tenant may
exploit this flaw to silently replace the data of images it owns, regardless of
the original creator or the visibility settings. Only setups with
show_multiple_
Note:
The proposed fix prevents the removal of the last location of an image,
so that an active image always has its data available. This action was
previously, and incorrectly, allowed; the fix might break users who relied
on the false assumption that it was acceptable to replace the data of an
existing image in the special case where multiple locations have been
configured.
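As an added illustration (this is not Glance's code and is not part of the bug report), the following Python toy model replays the sequence the advisory describes against two versions of a location-removal routine: the pre-fix one, where dropping the last location sends the image back to queued and re-opens the upload path, and the post-fix one, which refuses to remove the only location of an active image. The Image record, the function names and the file:// sample locations are all constructed for this example.

```python
# Illustrative model of the invariant behind CVE-2016-0757 / OSSA-2016-006.
# NOT Glance's code: a toy image record that shows why removing the last
# location of an active image re-opened data upload, and what the
# "keep at least one location" check changes.
from dataclasses import dataclass, field
from typing import Callable, List


class LastLocationError(Exception):
    """Raised when removing a location would leave an active image with none."""


@dataclass
class Image:
    image_id: str
    status: str = "queued"                      # queued -> active once it has data
    locations: List[str] = field(default_factory=list)
    data_versions: int = 0                      # payloads ever accepted for this image


def add_location(image: Image, url: str) -> None:
    """Attach a backing-store URL; the first location activates the image."""
    image.locations.append(url)
    if image.status == "queued":
        image.status = "active"


def upload_data(image: Image, url: str) -> bool:
    """Data upload is only accepted while the image is still queued."""
    if image.status != "queued":
        return False
    image.data_versions += 1
    add_location(image, url)
    return True


def remove_location_unfixed(image: Image, url: str) -> None:
    """Pre-fix behaviour from the advisory: dropping the last location sends
    the image back to 'queued', so upload_data() accepts a replacement."""
    image.locations.remove(url)
    if not image.locations:
        image.status = "queued"


def remove_location_fixed(image: Image, url: str) -> None:
    """Post-fix behaviour: an active image always keeps at least one location."""
    if image.status == "active" and len(image.locations) <= 1:
        raise LastLocationError(
            f"image {image.image_id}: refusing to remove its only location")
    image.locations.remove(url)


def replay(remove_fn: Callable[[Image, str], None]) -> dict:
    """Run the advisory's sequence against one removal implementation and
    report whether the image data could be replaced after activation."""
    img = Image(image_id="img-1")
    upload_data(img, "file:///store/img-1")        # constructed sample location
    if img.status != "active" or img.data_versions != 1:
        raise RuntimeError("setup failed: image should be active with one payload")
    try:
        remove_fn(img, "file:///store/img-1")
        blocked = False
    except LastLocationError:
        blocked = True
    replaced = upload_data(img, "file:///store/img-1-v2")  # second payload attempt
    return {"removal_blocked": blocked, "status": img.status,
            "data_replaced": replaced, "data_versions": img.data_versions}


if __name__ == "__main__":
    print("unfixed:", replay(remove_location_unfixed))
    print("fixed:  ", replay(remove_location_fixed))
```

With the unfixed routine the image ends up active again but carrying a second payload; with the fixed routine the removal is rejected, the image stays active with its original data, and the second upload is refused.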
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to master/mitaka, stable/kilo and stable/liberty on the
public disclosure date.
CVE: CVE-2016-0757
Proposed public disclosure date/time:
2016-02-03, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.
CVE References
Changed in mos:
status: New → Confirmed
assignee: nobody → Kairat Kushaev (kkushaev)
importance: Undecided → Critical
milestone: none → 8.0
tags: added: area-glance glance
summary: [pre-OSSA] Vulnerability in OpenStack Glance (CVE-2016-0757) → [pre-OSSA] Vulnerability in OpenStack Glance (CVE-2016-0757) / Glance image status manipulation through locations removal
tags: added: on-verification
tags: added: on-automated
tags: added: covered-automated-test
information type: Private Security → Public Security
summary: [pre-OSSA] Vulnerability in OpenStack Glance (CVE-2016-0757) / Glance image status manipulation through locations removal → [pre-OSSA] Vulnerability in OpenStack Glance (CVE-2016-0757) / Glance image status manipulation through locations removal (OSSA-2016-006)
https://review.fuel-infra.org/#/c/16556/ - MOS 8.0 patch