[Openstack-security] [Bug 1534288] Re: keystoneclient should not be using pickle
Steve Martinelli
1534288 at bugs.launchpad.net
Mon Aug 1 23:26:31 UTC 2016
As Brant mentioned in #1, the content using pickle is deprecated [1].
Since we haven't had any issues with this in many years I'd prefer to
mark this as Won't Fix and resolve this issue when we eventually remove
the httpclient code. Thoughts?
[1] https://github.com/openstack/python-keystoneclient/blob/fb2fef9100beeaaa281e1e7ddef48e9eea327c70/keystoneclient/httpclient.py#L32
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534288
Title:
keystoneclient should not be using pickle
Status in OpenStack Security Advisory:
Won't Fix
Status in python-keystoneclient:
New
Bug description:
keystoneclient uses pickle to pull the keystoneclient_auth value out
of the keyring. pickle is not safe to use since it can run commands as
the user. I guess someone could use this to run some code as the nova
user by putting something into the keystoneclient_auth value in the
nova user's keyring and then getting nova to use
keystoneclient.httpclient.
There's probably a safer way to serialize the auth info using JSON
or some other format.
Opening this as private security since there's a potential attack here
although I don't have any proof.
This was found using bandit 0.17.0.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1534288/+subscriptions
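The bug description argues for JSON (or another data-only format) instead of pickle when caching auth data in the user's keyring, because unpickling a value an attacker controls can execute code as that user. The following is an added illustration of that hardened approach; it is not code from python-keystoneclient. The `FakeKeyring` class is a constructed in-memory stand-in for a keyring backend (it mirrors the `set_password`/`get_password` shape of the `keyring` library), and the field names in `AUTH_FIELDS` and the sample values are assumptions made for the example.

```python
"""JSON-only caching of auth data in a keyring, with strict shape checks.

Added example, not python-keystoneclient code. FakeKeyring is a constructed
stand-in for a keyring backend; AUTH_FIELDS and the sample values are
assumptions for this illustration.
"""
import json

# Fields the cached auth record is allowed to carry (assumption for this example).
AUTH_FIELDS = {"auth_token", "endpoint", "expires"}


class FakeKeyring:
    """Minimal in-memory stand-in for a keyring backend (constructed)."""

    def __init__(self):
        self._store = {}

    def set_password(self, service, username, value):
        self._store[(service, username)] = value

    def get_password(self, service, username):
        return self._store.get((service, username))


class UntrustedAuthCache(ValueError):
    """Raised when the stored value is not a well-formed JSON auth record."""


def save_auth(keyring, service, username, auth):
    """Serialize the auth record as plain JSON: strings only, no code objects."""
    if not isinstance(auth, dict) or set(auth) != AUTH_FIELDS:
        raise ValueError("auth record must carry exactly %s" % sorted(AUTH_FIELDS))
    for key, value in auth.items():
        if not isinstance(value, str):
            raise ValueError("field %r must be a string" % key)
    keyring.set_password(service, username, json.dumps(auth, sort_keys=True))


def load_auth(keyring, service, username):
    """Return the cached auth dict, or None if nothing is stored.

    The stored value is parsed with json.loads only, which can build nothing
    but dicts, lists, strings, numbers, booleans and None. Anything that is
    not a JSON object with exactly the expected string fields (a stale pickle
    blob, a tampered entry, an unexpected nested structure) is refused and
    reported rather than handed to a deserializer that could run code.
    """
    raw = keyring.get_password(service, username)
    if raw is None:
        return None
    try:
        data = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        raise UntrustedAuthCache("cached auth is not JSON: %s" % exc)
    if not isinstance(data, dict) or set(data) != AUTH_FIELDS:
        raise UntrustedAuthCache("cached auth has an unexpected shape")
    if not all(isinstance(v, str) for v in data.values()):
        raise UntrustedAuthCache("cached auth has non-string fields")
    return data


def demo():
    """Round-trip a record, then show a non-JSON entry being refused.

    Returns (restored_record, refused) for inspection.
    """
    kr = FakeKeyring()
    auth = {  # constructed sample values
        "auth_token": "tok-constructed",
        "endpoint": "https://keystone.example.test/v3",
        "expires": "2016-08-02T00:00:00Z",
    }
    save_auth(kr, "keystoneclient_auth", "nova", auth)
    restored = load_auth(kr, "keystoneclient_auth", "nova")

    # An entry that was not written by save_auth (constructed, not JSON) must
    # be refused without ever being interpreted.
    kr.set_password("keystoneclient_auth", "stale", "not a json document")
    try:
        load_auth(kr, "keystoneclient_auth", "stale")
        refused = False
    except UntrustedAuthCache:
        refused = True
    return restored, refused


if __name__ == "__main__":
    record, refused = demo()
    print("restored:", record)
    print("non-JSON entry refused:", refused)
```

The strict shape check is what makes the JSON swap worthwhile: a parser that accepts arbitrary JSON still lets a tampered keyring entry inject unexpected keys or types into the client, so the loader only returns records that look exactly like what `save_auth` writes, and it raises a distinct exception so the caller can log the event instead of silently falling back.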