[Openstack-security] [Bug 1534288] Re: keystoneclient should not be using pickle
Steve Martinelli
1534288 at bugs.launchpad.net
Mon Aug 1 20:06:41 UTC 2016
Automatically unassigning due to inactivity.
** Changed in: python-keystoneclient
Assignee: Brant Knudson (blk-u) => (unassigned)
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534288
Title:
keystoneclient should not be using pickle
Status in OpenStack Security Advisory:
Won't Fix
Status in python-keystoneclient:
New
Bug description:
keystoneclient uses pickle to pull the keystoneclient_auth value out
of the keyring. pickle is not safe to use since it can run commands as
the user. I guess someone could use this to run some code as the nova
user by putting something into the keystoneclient_auth value in the
nova user's keyring and then getting nova to use
keystoneclient.httpclient.
There's probably a safer way to do serialize the auth info using JSON
or some other format.
Opening this as private security since there's a potential attack here
although I don't have any proof.
This was found using bandit 0.17.0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1534288/+subscriptions
More information about the Openstack-security
mailing list