[Openstack-security] [Bug 1534288] Re: keystoneclient should not be using pickle

Tristan Cacqueray tdecacqu at redhat.com
Tue Jan 19 16:40:33 UTC 2016 

I've removed the privacy settings and put the OSSA tasks as Won't Fix
based on above comments. This can be put back to incomplete if the
situation changes.

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- --
- 
  keystoneclient uses pickle to pull the keystoneclient_auth value out of
  the keyring. pickle is not safe to use since it can run commands as the
  user. I guess someone could use this to run some code as the nova user
  by putting something into the keystoneclient_auth value in the nova
  user's keyring and then getting nova to use keystoneclient.httpclient.
  
  There's probably a safer way to do serialize the auth info using JSON or
  some other format.
  
  Opening this as private security since there's a potential attack here
  although I don't have any proof.
  
  This was found using bandit 0.17.0.

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534288

Title:
  keystoneclient should not be using pickle

Status in OpenStack Security Advisory:
  Won't Fix
Status in python-keystoneclient:
  New

Bug description:
  keystoneclient uses pickle to pull the keystoneclient_auth value out
  of the keyring. pickle is not safe to use since it can run commands as
  the user. I guess someone could use this to run some code as the nova
  user by putting something into the keystoneclient_auth value in the
  nova user's keyring and then getting nova to use
  keystoneclient.httpclient.

  There's probably a safer way to do serialize the auth info using JSON
  or some other format.

  Opening this as private security since there's a potential attack here
  although I don't have any proof.

  This was found using bandit 0.17.0.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1534288/+subscriptions

More information about the Openstack-security mailing list