[Openstack-security] [Bug 1534288] Re: keystoneclient should not be using pickle

Morgan Fainberg morgan.fainberg at gmail.com
Thu Aug 10 19:28:10 UTC 2017


Marked as wont fix based on comment #10 and #9

** Changed in: python-keystoneclient
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534288

Title:
  keystoneclient should not be using pickle

Status in OpenStack Security Advisory:
  Won't Fix
Status in python-keystoneclient:
  Won't Fix

Bug description:
  keystoneclient uses pickle to pull the keystoneclient_auth value out
  of the keyring. pickle is not safe to use since it can run commands as
  the user. I guess someone could use this to run some code as the nova
  user by putting something into the keystoneclient_auth value in the
  nova user's keyring and then getting nova to use
  keystoneclient.httpclient.

  There's probably a safer way to do serialize the auth info using JSON
  or some other format.

  Opening this as private security since there's a potential attack here
  although I don't have any proof.

  This was found using bandit 0.17.0.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1534288/+subscriptions




More information about the Openstack-security mailing list