Jammy package 2:20.3.1-0ubuntu1.4 is missing the upstream privsep pieces

Bug #2085851 reported by Marcin Wilk
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu Cloud Archive
Invalid
Undecided
Unassigned
Antelope
Fix Committed
High
Unassigned
Bobcat
Fix Committed
Undecided
Unassigned
Caracal
Fix Committed
Undecided
Unassigned
Ussuri
New
Undecided
Unassigned
Yoga
New
Undecided
Unassigned
cinder (Ubuntu)
Invalid
Undecided
Unassigned
Focal
Fix Released
Undecided
Marc Deslauriers
Jammy
Fix Released
Undecided
Marc Deslauriers
Noble
Fix Released
Undecided
Marc Deslauriers

Bug Description

Ubuntu Jammy cinder package version 2:20.3.1-0ubuntu1.4 [1] backported fix [2] for the LP#2059809 [3] (the CVE-2024-32498 fix).
The upstream fix [2] calls the `format_inspector.detect_file_format` with elevated privileges [4], however the code in the Ubuntu package does not [5]. Instead it calls the `format_inspector.detect_file_format` without using privsep. That is causing the following error when creating qcow image from volume (using purestorage driver):
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/cinder/volume/manager.py", line 1744, in copy_volume_to_image
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server self.driver.copy_volume_to_image(context, volume,
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/cinder/volume/driver.py", line 919, in copy_volume_to_image
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server volume_utils.upload_volume(context,
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/cinder/volume/volume_utils.py", line 1341, in upload_volume
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server image_utils.upload_volume(context, image_service, image_meta, volume_path,
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/cinder/image/image_utils.py", line 1083, in upload_volume
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server data = qemu_img_info(volume_path, run_as_root=run_as_root)
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/cinder/image/image_utils.py", line 164, in qemu_img_info
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server inspector = format_inspector.detect_file_format(path)
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server File "/usr/lib/python3/dist-packages/cinder/image/format_inspector.py", line 921, in detect_file_format
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server with open(filename, 'rb') as f:
2024-10-28 09:45:28.849 2007342 ERROR oslo_messaging.rpc.server PermissionError: [Errno 13] Permission denied: '/dev/dm-0'

[1] https://launchpad.net/ubuntu/+source/cinder/2:20.3.1-0ubuntu1.4
[2] https://review.opendev.org/c/openstack/cinder/+/923873
[3] https://launchpad.net/bugs/2059809
[4] https://review.opendev.org/c/openstack/cinder/+/923873/9/cinder/image/image_utils.py#164
[5] https://launchpadlibrarian.net/737789879/cinder_2%3A20.2.0-0ubuntu1.1_2%3A20.3.1-0ubuntu1.4.diff.gz

CVE References

Revision history for this message
James Page (james-page) wrote :

This is a regression as a result of the security fix for CVE-2024-32498 - the patch issued original was updated after the embargo lifted and Ubuntu still has the older version of the patch.

Changed in cinder (Ubuntu):
status: New → Invalid
Revision history for this message
James Page (james-page) wrote :

This will impact noble as well as it has the older version of the patch.

Changed in cinder (Ubuntu Jammy):
status: New → Triaged
Changed in cinder (Ubuntu Noble):
status: New → Triaged
James Page (james-page)
Changed in cloud-archive:
status: New → Invalid
Changed in cinder (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
information type: Public → Public Security
Changed in cinder (Ubuntu Jammy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in cinder (Ubuntu Noble):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in cinder (Ubuntu Focal):
status: New → In Progress
Changed in cinder (Ubuntu Jammy):
status: Triaged → In Progress
Changed in cinder (Ubuntu Noble):
status: Triaged → In Progress
description: updated
James Page (james-page)
no longer affects: cloud-archive/dalmation
Revision history for this message
James Page (james-page) wrote :

noble proposed update:

======
Totals
======
Ran: 94 tests in 827.0558 sec.
 - Passed: 87
 - Skipped: 6
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 1
Sum of execute time for each test: 314.3333 sec.

single failure is an know issue in how the tests are configured for octavia and unrelated to this update.

$ apt-cache policy python3-cinder
python3-cinder:
  Installed: 2:24.0.0-0ubuntu1.3
  Candidate: 2:24.0.0-0ubuntu1.3
  Version table:
 *** 2:24.0.0-0ubuntu1.3 500
        500 https://ppa.launchpadcontent.net/ubuntu-security-proposed/ppa/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
     2:24.0.0-0ubuntu1.2 500
        500 http://availability-zone-3.clouds.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     2:24.0.0-0ubuntu1 500
        500 http://availability-zone-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages

Revision history for this message
James Page (james-page) wrote :

jammy proposed update:

======
Totals
======
Ran: 94 tests in 751.9069 sec.
 - Passed: 87
 - Skipped: 6
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 1
Sum of execute time for each test: 311.0578 sec.

$ apt-cache policy python3-cinder
python3-cinder:
  Installed: 2:20.3.1-0ubuntu1.5
  Candidate: 2:20.3.1-0ubuntu1.5
  Version table:
 *** 2:20.3.1-0ubuntu1.5 500
        500 https://ppa.launchpadcontent.net/ubuntu-security-proposed/ppa/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
     2:20.3.1-0ubuntu1.4 500
        500 http://availability-zone-2.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     2:20.0.0-0ubuntu1 500
        500 http://availability-zone-2.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Revision history for this message
James Page (james-page) wrote :

focal proposed update:

====== Totals
======
Ran: 94 tests in 988.8594 sec.
 - Passed: 87
 - Skipped: 6
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 1
Sum of execute time for each test: 433.6734 sec.

$ apt-cache policy python3-cinder
python3-cinder:
  Installed: 2:16.4.2-0ubuntu2.9
  Candidate: 2:16.4.2-0ubuntu2.9
  Version table:
 *** 2:16.4.2-0ubuntu2.9 500
        500 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
     2:16.4.2-0ubuntu2.8 500
        500 http://availability-zone-3.clouds.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     2:16.0.0~b3~git2020041012.eb915e2db-0ubuntu1 500
        500 http://availability-zone-3.clouds.archive.ubuntu.com/ubuntu focal/main amd64 Packages

Revision history for this message
James Page (james-page) wrote :

@mdeslaur - proposed updates regression tested OK for all three targets and I had confirmation from the bug reporter that the proposed package update fixes the specific issue (cinder volume -> glance image with an kernel drive backed block device backend).

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

@james-page thanks for the tests, will publish today.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cinder - 2:16.4.2-0ubuntu2.9

---------------
cinder (2:16.4.2-0ubuntu2.9) focal-security; urgency=medium

  * SECURITY REGRESSION: regression due to missing privset handling
  (LP: #2085851)
    - debian/patches/CVE-2024-32498.patch: switch to final upstream patch
      which differs from the patch provided during embargo.
    - debian/patches/fix_CVE-2022-47951_test.patch: fix test after updating
      CVE-2024-32498 patch.

 -- Marc Deslauriers <email address hidden> Mon, 04 Nov 2024 08:29:59 -0500

Changed in cinder (Ubuntu Focal):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cinder - 2:24.0.0-0ubuntu1.3

---------------
cinder (2:24.0.0-0ubuntu1.3) noble-security; urgency=medium

  * SECURITY REGRESSION: regression due to missing privset handling
  (LP: #2085851)
    - debian/patches/CVE-2024-32498.patch: switch to final upstream patch
      which differs from the patch provided during embargo.

 -- Marc Deslauriers <email address hidden> Mon, 04 Nov 2024 07:16:36 -0500

Changed in cinder (Ubuntu Noble):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cinder - 2:20.3.1-0ubuntu1.5

---------------
cinder (2:20.3.1-0ubuntu1.5) jammy-security; urgency=medium

  * SECURITY REGRESSION: regression due to missing privset handling
  (LP: #2085851)
    - debian/patches/CVE-2024-32498.patch: switch to final upstream patch
      which differs from the patch provided during embargo.

 -- Marc Deslauriers <email address hidden> Mon, 04 Nov 2024 07:35:21 -0500

Changed in cinder (Ubuntu Jammy):
status: In Progress → Fix Released
Revision history for this message
James Page (james-page) wrote : Please test proposed package

Hello Marcin, or anyone else affected,

Accepted cinder into bobcat-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:bobcat-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-bobcat-needed to verification-bobcat-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-bobcat-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-bobcat-needed
Revision history for this message
James Page (james-page) wrote :

Hello Marcin, or anyone else affected,

Accepted cinder into antelope-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:antelope-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-antelope-needed to verification-antelope-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-antelope-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-antelope-needed
Revision history for this message
James Page (james-page) wrote :

Hello Marcin, or anyone else affected,

Accepted cinder into caracal-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:caracal-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-caracal-needed to verification-caracal-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-caracal-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-caracal-needed
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Just a note that during my SRU shift I noticed that cinder 2:20.3.1-0ubuntu1.5 on jammy/s390x is consistently failing[1] its autopkgtests, including a migration-reference/0 run:

133s autopkgtest [18:26:22]: test cinder-daemons: [-----------------------
134s /usr/lib/python3/dist-packages/cinder/db/sqlalchemy/models.py:152: SAWarning: implicitly coercing SELECT object to scalar subquery; please use the .scalar_subquery() method to produce a scalar subquery.
134s last_heartbeat = column_property(
134s /usr/lib/python3/dist-packages/cinder/db/sqlalchemy/models.py:160: SAWarning: implicitly coercing SELECT object to scalar subquery; please use the .scalar_subquery() method to produce a scalar subquery.
134s num_hosts = column_property(
134s /usr/lib/python3/dist-packages/cinder/db/sqlalchemy/models.py:169: SAWarning: implicitly coercing SELECT object to scalar subquery; please use the .scalar_subquery() method to produce a scalar subquery.
134s num_down_hosts = column_property(
134s 2024-11-14 18:26:23.805 9856 INFO cinder.db.migration [-] Applying migration(s)
134s 2024-11-14 18:26:23.806 9856 INFO alembic.runtime.migration [-] Context impl MySQLImpl.
134s 2024-11-14 18:26:23.806 9856 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
134s 2024-11-14 18:26:23.817 9856 INFO alembic.runtime.migration [-] Running upgrade -> 921e1a36b076, Initial migration.
135s 2024-11-14 18:26:24.627 9856 INFO cinder.db.migration [-] Migration(s) applied
135s Job for cinder-scheduler.service failed.
135s See "systemctl status cinder-scheduler.service" and "journalctl -xeu cinder-scheduler.service" for details.
136s autopkgtest [18:26:25]: test cinder-daemons: -----------------------]
136s autopkgtest [18:26:25]: test cinder-daemons: - - - - - - - - - - results - - - - - - - - - -
136s cinder-daemons FAIL non-zero exit status 1

1. https://autopkgtest.ubuntu.com/packages/cinder/jammy/s390x

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.