diff -r a477397bba8b -r c9748fcc32de components/openstack/glance/patches/05-CVE-2015-1881.patch --- a/components/openstack/glance/patches/05-CVE-2015-1881.patch Mon May 16 14:46:20 2016 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,85 +0,0 @@ -Errata patch for CVE-2015-1881 -https://review.openstack.org/156553 -git fetch https://review.openstack.org/openstack/glance refs/changes/53/156553/1 && git format-patch -1 --stdout FETCH_HEAD -Fixed upstream and in a future release. ---- -From: abhishekkekane -Date: Thu, 12 Feb 2015 04:09:14 -0800 -Subject: [PATCH] Image data remains in backend for deleted image - -Trying to delete image created using task api (import-from) image gets -deleted from the database, but image data remains in the backend. Import -task does not update the location of the image and it remains None even -image becomes active. Location entry is not added in the database in -image_locations table. - -Added location information to the image before saving the image in -the database. - -SecurityImpact - -Conflicts: - glance/common/scripts/image_import/main.py - -Change-Id: Ie389de6538a9b98dc51c7d781b81b3ab10b83842 -Closes-Bug: #1420696 -(cherry picked from commit 78b5b0a9575cd5e9c4543ec0e8fd6072af1f0ebb) ---- glance-2014.2.2/glance/common/scripts/image_import/main.py -+++ glance-2014.2.2/glance/common/scripts/image_import/main.py -@@ -84,29 +84,29 @@ def import_image(image_repo, image_factory, task_input, task_id, uri): - # NOTE: set image status to saving just before setting data - original_image.status = 'saving' - image_repo.save(original_image) -- set_image_data(original_image, uri, None) -- -- # NOTE: Check if the Image is not deleted after setting the data -- # before setting it's status to active. We need to set the status -- # explicitly here using the Image object returned from image_repo .The -- # Image object returned from create_image method does not have appropriate -- # factories wrapped around it. - image_id = original_image.image_id -+ -+ # NOTE: Retrieving image from the database because the Image object -+ # returned from create_image method does not have appropriate factories -+ # wrapped around it. - new_image = image_repo.get(image_id) -- if new_image.status in ['saving']: -- new_image.status = 'active' -- new_image.size = original_image.size -- new_image.virtual_size = original_image.virtual_size -- new_image.checksum = original_image.checksum -+ set_image_data(new_image, uri, None) -+ -+ # NOTE: Check if the Image is not deleted after setting the data -+ # before saving the active image. Here if image status is -+ # saving, then new_image is saved as it contains updated location, -+ # size, virtual_size and checksum information and the status of -+ # new_image is already set to active in set_image_data() call. -+ image = image_repo.get(image_id) -+ if image.status == 'saving': -+ image_repo.save(new_image) -+ return image_id - else: - msg = _LE("The Image %(image_id)s object being created by this task " - "%(task_id)s, is no longer in valid status for further " - "processing." % {"image_id": new_image.image_id, - "task_id": task_id}) - raise exception.Conflict(msg) -- image_repo.save(new_image) -- -- return image_id - - - def create_image(image_repo, image_factory, image_properties, task_id): ---- glance-2014.2.2/glance/tests/unit/common/scripts/image_import/test_main.py -+++ glance-2014.2.2/glance/tests/unit/common/scripts/image_import/test_main.py -@@ -56,7 +56,8 @@ class TestImageImport(test_utils.BaseTestCase): - image_id, - image_import_script.import_image(image_repo, image_factory, - task_input, None, uri)) -- self.assertEqual('active', image.status) -+ # Check image is in saving state before image_repo.save called -+ self.assertEqual('saving', image.status) - self.assertTrue(image_repo.save.called) - mock_set_img_data.assert_called_once_with(image, uri, None) - self.assertTrue(image_repo.get.called)