[Openstack-security] [Bug 1367000] Re: Malicious name could lead to local information disclosure vulnerability
Duncan Thomas
duncan.thomas at gmail.com
Tue Sep 9 17:07:55 UTC 2014
I have vague memories of somebody needing '.' too due to a weird
backend, but that should be harmless as long as we require %s.

On 9 September 2014 17:55, Eric Harney <1367000 at bugs.launchpad.net> wrote:
> I assume the volume/snapshot/backup_name_template options are rarely
> changed by deployers.
>
> For Duncan's suggestion, I'd propose we allow a limited set of
> characters for those options: alphanumeric, "-", and require the "%s" to
> be present, which should eliminate the concerns here.
>
> --
> You received this bug notification because you are a member of Cinder
> Bug Team, which is subscribed to Cinder.
> https://bugs.launchpad.net/bugs/1367000
>
> Title:
> Malicious name could lead to local information disclosure
> vulnerability
>
> Status in Cinder:
> Confirmed
> Status in OpenStack Security Advisories:
> Won't Fix
>
> Bug description:
> In the cinder scality driver, the following code sets file permissions to 0o666 (read, write for all users):
> https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L118
>
> This code is called in a couple of locations, one of which is here:
> https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L172
>
> That line of code gets the filename from this function:
> https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L185
>
> Which joins two paths, one of which is this:
> https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L181
>
> Which joins two paths, one of which is volume['name'] which is
> unsanitized input. If a malicious user sets a volume name to something
> like "/etc/passwd", the /etc/passwd permissions will be set to '0o666'
> with the privileges of the user that is running Cinder. This could be
> used to expose files and sensitive data on the machine that is running
> Cinder. If combined with another vulnerability this could lead to
> some really bad things.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cinder/+bug/1367000/+subscriptions
--
Duncan Thomas
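
The check proposed in this thread, sketched as an added example (not Cinder's code and not part of the original messages): the `*_name_template` options are limited to alphanumerics, "-" and ".", with "%s" required, and the joined path is confirmed to stay under the volume directory. The function names and the exactly-one-"%s" rule are assumptions made for the illustration.

```python
import os
import re

# Allowed template characters per the thread: alphanumeric, "-", and "."
# (the "." comes from the reply), plus the "%s" placeholder itself.
TEMPLATE_RE = re.compile(r"(?:[A-Za-z0-9.-]|%s)+")


def validate_name_template(template):
    """Return the template unchanged if acceptable, else raise ValueError."""
    # Assumption: exactly one "%s", so `template % some_id` always formats.
    if template.count("%s") != 1:
        raise ValueError("template must contain exactly one %%s: %r" % template)
    # No "/" is allowed, so the formatted name cannot become a path; and
    # because "%s" is required, the name can never be just "." or "..".
    if not TEMPLATE_RE.fullmatch(template):
        raise ValueError("template has disallowed characters: %r" % template)
    return template


def contained_path(base_dir, name):
    """Join name onto base_dir and refuse any result outside base_dir.

    os.path.join() discards base_dir when name is absolute, which is why
    a name such as "/etc/passwd" reaches the chmod in the bug description.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("%r resolves outside %r" % (name, base))
    return candidate


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for tmpl in ("volume-%s", "snap.%s", "/etc/%s", "../%s", "volume"):
        try:
            print("accepted", validate_name_template(tmpl))
        except ValueError as exc:
            print("rejected", exc)
```

Validating the option at service start-up rejects a bad template before any volume is created; the containment check is a second guard at the point where the path is built.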