[Openstack-security] [Bug 1192971] Re: Command execution cases need to be strengthened
OpenStack Hudson
1192971 at bugs.launchpad.net
Thu Jul 18 15:04:32 UTC 2013
Reviewed: https://review.openstack.org/37469
Committed: http://github.com/openstack/cinder/commit/6be79a8e3b4607adbbe6a26ee565156cd0fb36b0
Submitter: Jenkins
Branch: master
commit 6be79a8e3b4607adbbe6a26ee565156cd0fb36b0
Author: Haomai Wang <haomai at unitedstack.com>
Date: Wed Jul 17 21:36:55 2013 +0800
Tidy up the SSH call to avoid injection attacks in storwize_svc
Let the command and arguments form up a list and avoid the extra arguments
attackers inserted to the command string
fix bug 1192971
Change-Id: I72bb7ef137223381c9daa613e61f1fde4c3bc8ae
** Changed in: cinder
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1192971
Title:
Command execution cases need to be strengthened
Status in Cinder:
Fix Committed
Status in OpenStack Compute (Nova):
In Progress
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
Grant Murphy from Red Hat Product Security Team reports the following
potential vulnerability:
For the most part OpenStack seems to do command execution safely using
subprocess.Popen. There are two instances where things become a little
dubious. The first is when shell=True is used with subprocess. This
doesn't prevent arguments being supplied that allow for multiple
commands to be executed. e.g. '; cat /etc/passwd'. The second case is
where commands are made to an external ssh host.
See attached file for a lit of potential injections: we should double-
check them (even if I expect most of them to turn false positive)
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1192971/+subscriptions
More information about the Openstack-security
mailing list