[Openstack-security] [Bug 1434545] Re: Several command injection vulnerabilities in guestagent/pkg
Amrith Kumar
1434545 at bugs.launchpad.net
Thu Sep 28 02:56:27 UTC 2017
** Changed in: trove
Assignee: Amrith Kumar (amrith) => (unassigned)
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1434545
Title:
Several command injection vulnerabilities in guestagent/pkg
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack DBaaS (Trove):
Triaged
Bug description:
At several places in the file guestagent/pkg.py, there are shell
injection vulnerabilities:
https://github.com/openstack/trove/blob/master/trove/guestagent/pkg.py#L209
In this line, the cmd_list is being built parameterized, but then it
is just combined into one big string and called directly on a shell
through the command getstatusoutput, which does a popen. If package
name is set maliciously, the command will execute arbitrary code with
the privilege of the trove process.
The same is true on this line,
https://github.com/openstack/trove/blob/master/trove/guestagent/pkg.py#L258,
where a package named something like "abc; rm -rf /etc" will cause
all files in /etc which Trove has permissions for, to be deleted.
Again, on this line:
https://github.com/openstack/trove/blob/master/trove/guestagent/pkg.py#L371,
a malicious package name will cause arbitrary code injection with
the privileges of the Trove process.
I'm not nearly familiar enough with the Trove code and uses to know
all the ways that package names for this code can be set, but these
commands should be parameterized.
Finally, os.popen is a deprecated function. The subprocess module
should be used instead.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1434545/+subscriptions
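The two patterns the report contrasts, a parameterised list joined into one string and run through a shell versus the same list handed to subprocess without a shell, as an added example that is not Trove's code. It substitutes echo for the package manager so it runs harmlessly anywhere; the PKG_MANAGER stand-in, the package-name validator and the function names are assumptions of this example, not anything in pkg.py.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the package-manager command line in pkg.py:
# "echo" replaces apt-get/yum so the demonstration is harmless and portable.
PKG_MANAGER = ["echo", "install"]

# Assumed validator (not from Trove): accept only characters legal in a
# Debian package name, so shell metacharacters never reach a command line.
_PACKAGE_NAME = re.compile(r"^[a-z0-9][a-z0-9+.\-]*$")


def validate_package_name(name):
    """Return name if it looks like a package name, else raise ValueError."""
    if not _PACKAGE_NAME.match(name):
        raise ValueError("invalid package name: %r" % name)
    return name


def install_unsafe(package_name):
    """The pattern the bug describes: cmd_list is built as a list but then
    joined into one string and run by getstatusoutput, i.e. through /bin/sh,
    so a ';' in the name ends the echo and starts a second command."""
    cmd_list = PKG_MANAGER + [package_name]
    status, output = subprocess.getstatusoutput(" ".join(cmd_list))
    return status, output


def run_without_shell(cmd_list):
    """Run the list as argv with no shell: each element is exactly one
    argument, so metacharacters in a package name are passed literally."""
    proc = subprocess.run(cmd_list, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout.rstrip("\n")


def install_safe(package_name):
    """Hardened form: reject implausible names, then execute without a shell."""
    return run_without_shell(PKG_MANAGER + [validate_package_name(package_name)])


def quote_for_shell(cmd_list):
    """If a shell string really is required, quote every element so an
    untrusted name becomes a single literal word."""
    return " ".join(shlex.quote(arg) for arg in cmd_list)


if __name__ == "__main__":
    hostile = "abc; echo INJECTED"  # constructed name carrying a metacharacter
    print("unsafe :", install_unsafe(hostile))          # second command ran
    print("argv   :", run_without_shell(PKG_MANAGER + [hostile]))  # literal
    try:
        install_safe(hostile)
    except ValueError as exc:
        print("safe   : rejected ->", exc)
    print("quoted :", quote_for_shell(PKG_MANAGER + [hostile]))
```

Running the block shows the difference directly: the joined-string form prints two lines because the shell executed the injected echo, while the argv form prints the whole name as one literal argument. Validation on top of that is defence in depth; the argv call alone already removes the shell from the path.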