Your message dated Sat, 04 Feb 2023 17:17:09 +0000
with message-id <e1poma1-006hy4...@fasolo.debian.org>
and subject line Bug#1029562: fixed in cinder 2:17.0.1-1+deb11u1
has caused the Debian Bug report #1029562,
regarding CVE-2022-47951: vulnerability in VMDK image processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1029562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029562
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-cinder
Version: 2:21.0.0-2
Severity: grave
Tags: patch

This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.

Title: Arbitrary file access through custom VMDK flat descriptor
Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien
          Rannou (OVH)
Products: Cinder, Glance, Nova
Affects: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
         Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
         Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0

Description:
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
(OVH) reported a vulnerability in VMDK image processing for Cinder,
Glance and Nova. By supplying a specially created VMDK flat image
which references a specific backing file path, an authenticated user
may convince systems to return a copy of that file's contents from
the server resulting in unauthorized access to potentially sensitive
data. All Cinder deployments are affected; only Glance deployments
with image conversion enabled are affected; all Nova deployments are
affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date. Note that stable/wallaby and older branches are
under extended maintenance and will receive no new point releases,
but patches for some of them are provided as a courtesy.

CVE: CVE-2022-47951

Proposed public disclosure date/time:
2023-01-24, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
https://launchpad.net/bugs/1996188
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
-- 
Jeremy Stanley
OpenStack Vulnerability Management Team

--- End Message ---
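As an added defensive illustration of the flaw described above (this is not the upstream patch or Debian's code): a Python allowlist check over the JSON that `qemu-img info --output=json` emits, rejecting any VMDK whose descriptor points at a file other than the uploaded image itself. The two sample JSON documents and the default allowlist are constructed for this example, and the exact default list shipped upstream is an assumption here.

```python
import json

# Allowlist of self-contained VMDK subformats. Mirrors the allowlisting approach
# of the upstream fix; the exact default list is an assumption in this example.
VMDK_ALLOWED_TYPES = frozenset({"streamOptimized", "monolithicSparse"})

# Constructed samples of `qemu-img info --output=json` output, not real images.
SAFE_INFO = json.dumps({
    "filename": "upload.vmdk", "format": "vmdk", "virtual-size": 1073741824,
    "format-specific": {"type": "vmdk", "data": {
        "create-type": "monolithicSparse",
        "extents": [{"filename": "upload.vmdk", "format": "SPARSE"}]}},
})
FLAT_INFO = json.dumps({
    "filename": "upload.vmdk", "format": "vmdk", "virtual-size": 1073741824,
    "format-specific": {"type": "vmdk", "data": {
        "create-type": "monolithicFlat",
        "extents": [{"filename": "/PLACEHOLDER/other-file", "format": "FLAT"}]}},
})


def check_vmdk_image(info_json, allowed_types=VMDK_ALLOWED_TYPES):
    """Return True only if the VMDK described by qemu-img's JSON output is a
    single self-contained file that conversion can read without touching any
    other host path; return False (reject the image) otherwise."""
    info = json.loads(info_json)
    if info.get("format") != "vmdk":
        return False
    # A backing-file reference means the descriptor points at another path.
    if info.get("backing-filename") or info.get("full-backing-filename"):
        return False
    data = (info.get("format-specific") or {}).get("data") or {}
    if data.get("create-type") not in allowed_types:
        return False
    # Even for an allowlisted type, every extent must be the uploaded file itself.
    for extent in data.get("extents") or []:
        if extent.get("filename") not in (None, info.get("filename")):
            return False
    return True


if __name__ == "__main__":
    print("sparse accepted:", check_vmdk_image(SAFE_INFO))      # True
    print("flat rejected:", not check_vmdk_image(FLAT_INFO))    # True
```

In a deployment the JSON would come from running `qemu-img info --output=json` on the uploaded file before any conversion step, and a False result should abort the conversion and be logged.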
--- Begin Message ---
Source: cinder
Source-Version: 2:17.0.1-1+deb11u1
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated cinder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 18 Jan 2023 09:06:59 +0100
Source: cinder
Architecture: source
Version: 2:17.0.1-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1029562
Changes:
 cinder (2:17.0.1-1+deb11u1) bullseye-security; urgency=high
 .
   * CVE-2022-47951: By supplying a specially created VMDK flat image which
     references a specific backing file path, an authenticated user may convince
     systems to return a copy of that file's contents from the server resulting
     in unauthorized access to potentially sensitive data. Add upstream patch
     cve-2022-47951-cinder-stable-victoria.patch (Closes: #1029562).


--- End Message ---
