yahoo-eng-team team mailing list archive

[Bug 1298698] Re: [OSSA 2014-012] Remote Code Execution in Sheepdog backend (CVE-2014-0162)

** Changed in: glance/havana
       Status: In Progress => Fix Committed

** Changed in: glance
       Status: Fix Committed => Fix Released

** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1298698

Title:
  [OSSA 2014-012] Remote Code Execution in Sheepdog backend
  (CVE-2014-0162)

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance havana series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  The Sheepdog backend for Glance appears to allow an attacker to
  remotely execute arbitrary code as the glance user.

  https://github.com/openstack/glance/blob/9e9ce645e39d55b4da540b15b41f85bd2b4bd518/glance/store/sheepdog.py#L75

  This code should be reworked so that it doesn't need shell=True. As it
  currently stands, it appears that an admin can insert or modify an
  image with a specially crafted id, which would trigger code execution.
  I don't immediately see a way for a non-admin user to trigger the
  injection, but the possibility does exist.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1298698/+subscriptions
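The rework the bug description calls for, dropping shell=True in favour of an argument vector plus an allow-list on the image id, as an added Python example that is not Glance's own code. The `collie vdi <cmd> -a ADDR -p PORT NAME ...` command shape, the ADDR/PORT values and all function names are assumptions, and `printf` stands in for the Sheepdog CLI so the argument-boundary check runs offline.

```python
import re
import subprocess

# Constructed sample cluster address; no Sheepdog cluster is contacted here.
ADDR, PORT = "127.0.0.1", "7000"

# Glance image ids are UUIDs; anything else is rejected before a command is built.
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def is_valid_image_id(image_id):
    """True only for a canonical lowercase UUID string."""
    return bool(isinstance(image_id, str) and UUID_RE.match(image_id))


def validate_image_id(image_id):
    """Allow-list the id; raise ValueError for anything that is not a UUID."""
    if not is_valid_image_id(image_id):
        raise ValueError("invalid image id: %r" % (image_id,))
    return image_id


def build_command_string(command, image_id, *params):
    """Unsafe shape (returned for inspection, never executed here): a single
    string meant for shell=True. The shell re-parses the whole line, so any
    metacharacter in image_id becomes command syntax rather than data."""
    return "collie vdi %s -a %s -p %s %s %s" % (
        command, ADDR, PORT, image_id, " ".join(str(p) for p in params))


def build_argv(command, image_id, *params):
    """Safe shape: a validated argument vector, executed without a shell.
    Each element reaches the child as exactly one argv entry."""
    validate_image_id(image_id)
    return (["collie", "vdi", command, "-a", ADDR, "-p", PORT, image_id]
            + [str(p) for p in params])


def run_argv(argv, data=None):
    """Run an argv list with shell=False (the default) and return stdout."""
    return subprocess.run(argv, input=data, check=True,
                          capture_output=True, text=True).stdout


def argv_seen_by_child(args):
    """Show argument boundaries: printf repeats '<%s>' once per argument, so
    a value with spaces or ';' still comes back as a single bracketed item."""
    return run_argv(["printf", "<%s>"] + list(args))


if __name__ == "__main__":
    good = "5b0a6f8e-1c2d-4e3f-8a9b-0c1d2e3f4a5b"
    print(build_argv("read", good, 0, 1024))
    print(argv_seen_by_child(["name with spaces; and a semicolon"]))
```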