yahoo-eng-team team mailing list archive
Message #21219
[Bug 1192971] Re: Command execution cases need to be strengthened
It looks like all the nova cases are actually handled here
** No longer affects: nova
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1192971
Title:
Command execution cases need to be strengthened
Status in Cinder:
In Progress
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
Grant Murphy from Red Hat Product Security Team reports the following
potential vulnerability:
For the most part OpenStack seems to do command execution safely using
subprocess.Popen. There are two instances where things become a little
dubious. The first is when shell=True is used with subprocess. This
doesn't prevent arguments being supplied that allow for multiple
commands to be executed, e.g. '; cat /etc/passwd'. The second case is
where commands are made to an external ssh host.
See attached file for a list of potential injections: we should double-check them (even if I expect most of them to turn out to be false positives).
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1192971/+subscriptions
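The two patterns the report describes, shown side by side with their hardened forms, plus a small audit helper that lists shell=True call sites for the kind of manual double-check the bug asks for. This is an added illustration, not code from Cinder, Nova or the attached file; the function names and the SAMPLE_SOURCE module it audits are constructed for this example, and it assumes Python 3.8+ on a host with a POSIX /bin/sh and an echo binary.

```python
# Added example (not Cinder/Nova code): vulnerable vs. hardened command
# execution, remote-command quoting for ssh, and an ast-based scan for
# shell=True. All names and the SAMPLE_SOURCE snippet are constructed.
import ast
import shlex
import subprocess


def run_unsafe(arg: str) -> str:
    """Vulnerable pattern: string interpolation + shell=True.
    /bin/sh parses `arg`, so ';', '|', '$(...)' and friends are honoured."""
    return subprocess.run("echo " + arg, shell=True,
                          capture_output=True, text=True).stdout


def run_safe(arg: str) -> str:
    """Hardened pattern: argv list, shell=False (the default).
    `arg` reaches echo as one literal argument; no shell ever sees it."""
    return subprocess.run(["echo", arg], capture_output=True, text=True).stdout


def build_ssh_argv(host: str, remote_argv: list) -> list:
    """Build the local argv for running `remote_argv` on `host` over ssh.

    ssh hands the remote command to the *remote* login shell as one string,
    so shell=False locally is not enough: every remote argument must be
    quoted for that shell. shlex.quote() yields POSIX-sh-safe quoting.
    """
    if host.startswith("-"):
        # A host beginning with '-' would be parsed by ssh as an option.
        raise ValueError("refusing host that looks like an option: %r" % host)
    remote = " ".join(shlex.quote(a) for a in remote_argv)
    return ["ssh", host, remote]


def _callee_name(func: ast.AST) -> str:
    """Render the called expression (e.g. 'subprocess.Popen') for a report."""
    if isinstance(func, ast.Attribute):
        return _callee_name(func.value) + "." + func.attr
    if isinstance(func, ast.Name):
        return func.id
    return "<expr>"


def find_shell_true(source: str) -> list:
    """Return (line, callee) for every call that passes shell=True.

    This is a candidate list, not a verdict: a shell=True call whose command
    string is a fixed literal is harmless, so each hit still needs a human to
    trace whether any part of the command can be influenced by a caller.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((node.lineno, _callee_name(node.func)))
    return sorted(hits)


# Constructed sample module to audit; not taken from any OpenStack project.
SAMPLE_SOURCE = '''\
import subprocess
def a(path):
    return subprocess.Popen("ls -l " + path, shell=True)
def b(path):
    return subprocess.Popen(["ls", "-l", path])
def c(cmd):
    return subprocess.check_output(cmd, shell=True)
'''


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print("shell=True :", repr(run_unsafe(payload)))   # second command ran
    print("argv list  :", repr(run_safe(payload)))     # one literal argument
    print("ssh argv   :", build_ssh_argv("storage-node", ["ls", "-l", "a b"]))
    for line, callee in find_shell_true(SAMPLE_SOURCE):
        print("shell=True at line %d: %s" % (line, callee))
```

The scan deliberately reports every shell=True call rather than trying to decide taint on its own; as the report notes, most hits in a real tree are expected to be false positives, and the review step is to trace each flagged command string back to its inputs. The ssh helper shows why "shell=False" is not the whole story for the second case: the remote side still interprets a shell string, so quoting has to happen at the point where the argv is turned into that string.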