[Openstack-security] [Bug 1335208] Re: Shell injection possibility in cmd/control.py

OpenStack Infra 1335208 at bugs.launchpad.net
Tue Jul 22 07:05:36 UTC 2014


Reviewed:  https://review.openstack.org/108127
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=63c606f696170ebf0a38e7650b242c0727342547
Submitter: Jenkins
Branch:    master

commit 63c606f696170ebf0a38e7650b242c0727342547
Author: tmcpeak <travis_mcpeak at symantec.com>
Date:   Fri Jul 18 11:23:16 2014 -0700

    Security hardening: fix possible shell injection vulnerability
    
    The glance/cmd/control.py file contains a possible shell injection
    vulnerability:
    
    https://github.com/openstack/glance/blob/master/glance/cmd/control.py#L134.
    
    Setting 'shell=True' here opens the possibility of shell injection
    by setting server to something like '; rm -rf /'. This will cause
    the command 'rm -rf /' to be run with the privileges of the user
    that ran Glance.
    
    The fix is to parameterize the input so that the command run here
    can only be 'logger'.
    
    Change-Id: If48106ceea1dd582bcec9d03e056d88591bcba8d
    Closes-bug: 1335208


** Changed in: glance
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1335208

Title:
  Shell injection possibility in cmd/control.py

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Committed
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  The glance/cmd/control.py file contains a possible shell injection
  vulnerability:
  https://github.com/openstack/glance/blob/master/glance/cmd/control.py#L134.
  Setting 'shell=True' here opens the possibility of shell injection
  by setting server to something like '; rm -rf /'.  This will cause the
  command 'rm -rf /' to be run with the privileges of the user that ran
  Glance.

  This may not be a major security concern at this time because the only
  place that I found for 'server' to come from is a Glance configuration
  file, which should be locked down.  Only privileged users should have
  write access to the config file, and if they want to do bad things on
  the system there are easier ways.

  Still, 'shell=True' appears to be completely unnecessary for this
  call.  Simply omitting the shell parameter here will cause it to
  revert to the default behavior, which requires that the command to be
  run be specified in a separate parameter from the arguments to the
  command.  This effectively prevents shell injection vulnerabilities.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1335208/+subscriptions
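The following is an added illustration of the two subprocess patterns the report contrasts; it is not Glance's control.py code nor the committed fix. It uses `echo` as a stand-in for `logger` so the difference is observable offline, and the function names, the "Starting <server>" message and the benign `; echo INJECTED` test value are assumptions made for this example. The `validate_server_name` check is an extra defence-in-depth step that the bug report does not describe.

```python
import re
import subprocess

# Stand-in for the fixed executable that control.py invokes. `echo` is used
# instead of `logger` so the example needs no syslog daemon; the structure
# of the two calls is what matters, not the command itself.
LOG_CMD = "echo"

# Hypothetical allow-list for configured server names (defence in depth,
# not part of the original fix): letters, digits, '-' and '_' only.
_SERVER_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def log_unsafe(server: str) -> str:
    """The shell=True pattern the bug report describes.

    The server name is interpolated into one string that /bin/sh parses,
    so metacharacters in `server` (';', '|', '$(...)') become new commands.
    """
    proc = subprocess.run(
        f"{LOG_CMD} Starting {server}",
        shell=True,
        capture_output=True,
        text=True,
        check=False,
    )
    return proc.stdout


def log_safe(server: str) -> str:
    """The parameterized form the fix adopts: an argv list and no shell.

    The executable is pinned to LOG_CMD and `server` is passed as one
    literal argument. No shell ever parses it, so there is nothing to inject.
    """
    proc = subprocess.run(
        [LOG_CMD, "Starting", server],
        shell=False,
        capture_output=True,
        text=True,
        check=False,
    )
    return proc.stdout


def validate_server_name(server: str) -> bool:
    """Return True if `server` looks like a plain service name.

    Even with the argv form, a configuration value should be checked
    before use; this rejects anything containing shell metacharacters.
    """
    return bool(_SERVER_NAME_RE.match(server))


def lines_of(output: str) -> int:
    """Number of output lines: >1 means a second command actually ran."""
    return len(output.splitlines())


if __name__ == "__main__":
    # Constructed input in the style of the report's example, but benign.
    payload = "glance-api; echo INJECTED"
    print("shell=True :", repr(log_unsafe(payload)))   # two lines: injected
    print("argv list  :", repr(log_safe(payload)))     # one literal line
    print("validated  :", validate_server_name(payload))  # False
```

Running the block shows the shell form emitting a second output line for the injected command, while the argv form prints the whole value as a single literal argument; the validator rejects it outright before any subprocess call would be made.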
