[Openstack-devel] Bug#692641: CVE-2012-4573: Authentication bypass for image deletion

Thomas Goirand zigo at debian.org
Thu Nov 8 03:43:16 UTC 2012


Package: glance
Version: 2012.1.1-1.1
Severity: critical

Gabe Westmaas from Rackspace reported a vulnerability in Glance
authentication of image deletion requests. Authenticated users may be
able to delete arbitrary, non-protected images from Glance servers. Only
Folsom/Grizzly deployments that expose the v1 API are affected by this
vulnerability. Additionally, Essex deployments that use the
delayed_delete option are also affected.

Below is the proposed patch.

Thomas

diff --git a/glance/api/v1/images.py b/glance/api/v1/images.py
index 9bedf20..2684454 100644
--- a/glance/api/v1/images.py
+++ b/glance/api/v1/images.py
@@ -738,10 +738,10 @@ class Controller(controller.BaseController):
         # to delete the image if the backend doesn't yet store it.
         # See https://bugs.launchpad.net/glance/+bug/747799
         try:
+            registry.delete_image_metadata(req.context, id)
             if image['location']:
                 schedule_delete_from_backend(image['location'], self.conf,
                                              req.context, id)
-            registry.delete_image_metadata(req.context, id)
         except exception.NotFound, e:
             msg = ("Failed to find image to delete: %(e)s" % locals())
             for line in msg.split('\n'):
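
Review bot: The new position of registry.delete_image_metadata(req.context, id) at the top of the try block is what this fix depends on, but nothing in the hunk says so; the comment above it still only refers to bug 747799. Add a comment stating that the registry call must come before schedule_delete_from_backend, presumably so that a request the registry refuses never gets as far as scheduling the backend deletion. Otherwise a later cleanup could swap the two calls back without anyone noticing. Two things to confirm with this ordering: the only handler visible here is for exception.NotFound, so check that a refusal from the registry is caught further down and returned as an error; and if schedule_delete_from_backend now fails, the metadata has already been deleted, so the stored image data may be left orphaned.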

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


