[Openstack-security] [Bug 1343657] Re: Shell Injection in backup strategies
Travis McPeak
travis.mcpeak at hp.com
Thu Aug 28 17:22:42 UTC 2014
** Changed in: ossn
Importance: Undecided => High
** Changed in: ossn
Assignee: (unassigned) => Travis McPeak (travis-mcpeak)
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1343657
Title:
Shell Injection in backup strategies
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
New
Status in Openstack Database (Trove):
New
Bug description:
Trove uses subprocess.Popen with shell=True in
trove/trove/guestagent/strategies/backup/base.py line 61:
def run(self):
self.process = subprocess.Popen(self.command, shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
preexec_fn=os.setsid)
self.pid = self.process.pid
This could be used, maliciously or not, to inject arbitrary commands
into a command line string. An example of this could be triggered is
in trove/trove/guestagent/strategies/backup/mysql_imply.py line 37. It
is creating a MySQL string with single quote. If the password, either
maliciously or just happens to contain another single quote, it will
escape from the command and arbitrary data will be executed instead.
For more information on subprocess, shell=True and command injection
see: https://docs.python.org/2/library/subprocess.html#frequently-
used-arguments
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1343657/+subscriptions
More information about the Openstack-security
mailing list