** Tags added: security
** Changed in: ossa
Status: Incomplete => Won't Fix
** Tags removed: security
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1367000
Title:
Malicious name could lead to local information disclosure
vulnerability
Status in Cinder:
Confirmed
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
In the cinder scality driver, the following code sets file permissions to 0o666 (read, write for all users):
https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L118
This code is called in a couple of locations, one of which is here:
https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L172
That line of code gets the filename from this function:
https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L185
Which joins two paths, one of which is this:
https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L181
Which joins two paths, one of which is volume['name'] which is un-
sanitized input. If a malicious user sets a volume name to something
like "/etc/passwd", the /etc/passwd permissions will be set to '0o666'
with the privileges of the user that is running Cinder. This could be
used to expose files and sensitive data on the machine that is running
Cinder. If combined with another vulnerability this could lead to
some really bad things.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1367000/+subscriptions