Your message dated Tue, 24 Jan 2023 16:39:58 +0000
with message-id <e1pkml0-008y1z...@fasolo.debian.org>
and subject line Bug#1029563: fixed in glance 2:25.0.0-2
has caused the Debian Bug report #1029563,
regarding CVE-2022-47951: vulnerability in VMDK image processing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1029563: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029563
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: glance-api
Version: 2:25.0.0-1.1
Severity: grave
Tags: patch
This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.
Title: Arbitrary file access through custom VMDK flat descriptor
Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien
Rannou (OVH)
Products: Cinder, Glance, Nova
Affects: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0
Description:
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
(OVH) reported a vulnerability in VMDK image processing for Cinder,
Glance and Nova. By supplying a specially created VMDK flat image
which references a specific backing file path, an authenticated user
may convince systems to return a copy of that file's contents from
the server resulting in unauthorized access to potentially sensitive
data. All Cinder deployments are affected; only Glance deployments
with image conversion enabled are affected; all Nova deployments are
affected.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date. Note that stable/wallaby and older branches are
under extended maintenance and will receive no new point releases,
but patches for some of them are provided as a courtesy.
CVE: CVE-2022-47951
Proposed public disclosure date/time:
2023-01-24, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.
Original private report:
https://launchpad.net/bugs/1996188
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
--
Jeremy Stanley
OpenStack Vulnerability Management Team
--- End Message ---
--- Begin Message ---
Source: glance
Source-Version: 2:25.0.0-2
Done: Thomas Goirand <z...@debian.org>
We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated glance package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 24 Jan 2023 16:51:31 +0100
Source: glance
Architecture: source
Version: 2:25.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1029563
Changes:
glance (2:25.0.0-2) unstable; urgency=high
.
* CVE-2022-47951: vulnerability in VMDK image processing. By supplying a
specially created VMDK flat image which references a specific backing file
path, an authenticated user may convince systems to return a copy of that
file's contents from the server resulting in unauthorized access to
potentially sensitive data. Added upstream patch:
CVE-2022-47951-Enforce_image_safety_during_image_conversion.patch
(Closes: #1029563).
Checksums-Sha1:
f56b459a74f546285379f0e7c50dc75d8928fc1f 3787 glance_25.0.0-2.dsc
4dd37858906bebc273d42bd33b00c893e9259cbc 19280 glance_25.0.0-2.debian.tar.xz
9f6ae9809d8b67164125a61e0cfecd0ded251e40 18496 glance_25.0.0-2_amd64.buildinfo
Checksums-Sha256:
ee752adbf1e940c39e96db847d2bc4efd9b8c7d6f96a810106e1e64f4102e6f5 3787
glance_25.0.0-2.dsc
c7acfc24801e95673f1f26eb3ea913c2be5f713bfe073d86bfffd8adaf87437a 19280
glance_25.0.0-2.debian.tar.xz
c377e2c1f8a23e116b12e28b7e8e96a3cb04fe0c39886880b8fa55849ac75bf4 18496
glance_25.0.0-2_amd64.buildinfo
Files:
1f777f000e31fe587a8616c98595325c 3787 net optional glance_25.0.0-2.dsc
5c821447f6032523ac8b0b83a64de4e4 19280 net optional
glance_25.0.0-2.debian.tar.xz
a020222d7de619a6a35e3e66865699d1 18496 net optional
glance_25.0.0-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmPQAywACgkQ1BatFaxr
Q/654A//UQZCTjEgUNNDjUmM8iZ1C0WtKsF5fnMY1AHXzw49XCq0GgbOeI1Gb1A5
krG0JPvn1qV/yoMUkDyBMj3YI+qUNp9TECzsX5yQbUodI6cnRXCDZxLmebCqAtNJ
N2qDZ6j2nRylCX772QnR+DQwPEcuHZ8faUt+K7lQsAuPQhFD/FibhE9Q5Br7xRU1
PRPUBAjmwOtMKegVIpnlzDMZnTAi2lpNB0rkLL196yIe91zVZm/ZaDaf+GI586nR
wSG0jsxGi7w2HCa/ZNJOuErmSy5xigk4CDgNKijdW5TVb3lbDj5Z0Kkh9ekOYeA3
ZzRjkxOPdIad5qy58UAaDSdAbwhDehNcZocmobW210fjVbBRwH7KpoFiPRfbuZkS
6Q4JTPompmqAPeniGLou8leFi0rcxJtbAlhMNWFkd9aBSFGOavpP7c5H1/geDui5
Ds1g88WsaDbBW5JWZZzsCy1tf349KAq4DXHI7C9Y3LKW3DnFVzEcfm52DewmSc/1
qCo6i7QIKxzmMoVm0/MzHZYumY00RPum2IhcvRKA371zPiaXjD83yfLkTaB2voWu
XcD7TG4NC21fNo38BWpBQwM38mqrsn7hK7uD+XYMa4K6Sn0SZ5cGs8i84HRO6lIw
MeiTg90PTlQ1tZD4DEoVtDjlDXHkBbOPtUEELY2QVU/T6IhD0Gk=
=Nsjq
-----END PGP SIGNATURE-----
--- End Message ---
