[Openstack-security] [Bug 1192971] Fix merged to cinder (master)

OpenStack Infra 1192971 at bugs.launchpad.net
Thu Aug 15 13:34:20 UTC 2013


Reviewed:  https://review.openstack.org/37697
Committed: http://github.com/openstack/cinder/commit/c55589b131828f3a595903f6796cb2d0babb772f
Submitter: Jenkins
Branch:    master

commit c55589b131828f3a595903f6796cb2d0babb772f
Author: Haomai Wang <haomai at unitedstack.com>
Date:   Thu Jul 18 23:05:43 2013 +0800

    Tidy up the SSH call to avoid injection attacks for HP's driver
    
    Let the command and arguments form up a list and avoid the extra arguments
    attackers inserted to the command string.
    
    And modify the interface of _cli_run, there is no need for a extra argument.
    
    fix bug 1192971
    Change-Id: Iff6a3ecb64feccae1b29164117576cab9943200a

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1192971

Title:
  Command execution cases need to be strengthened

Status in Cinder:
  In Progress
Status in OpenStack Compute (Nova):
  In Progress
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Grant Murphy from Red Hat Product Security Team reports the following
  potential vulnerability:

  For the most part OpenStack seems to do command execution safely using
  subprocess.Popen. There are two instances where things become a little
  dubious. The first is when shell=True is used with subprocess. This
  doesn't prevent arguments being supplied that allow for multiple
  commands to be executed. e.g. '; cat /etc/passwd'. The second case is
  where commands are made to an external ssh host.

  See attached file for a lit of potential injections: we should double-
  check them (even if I expect most of them to turn false positive)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1192971/+subscriptions




More information about the Openstack-security mailing list