osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1434545] Re: Several command injection vulnerabilities in guestagent/pkg


** Changed in: trove
     Assignee: Amrith Kumar (amrith) => (unassigned)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1434545

Title:
  Several command injection vulnerabilities in guestagent/pkg

Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack DBaaS (Trove):
  Triaged

Bug description:
  At several places in the file guestagent/pkg.py, there are shell
  injection vulnerabilities:

  https://github.com/openstack/trove/blob/master/trove/guestagent/pkg.py#L209

  In this line, the cmd_list is being built parameterized, but then it
  is just combined into one big string and called directly on a shell
  through the command getstatusoutput, which does a popen.  If package
  name is set maliciously, the command will execute arbitrary code with
  the privilege of the trove process.

  The same is true on this line,
  https://github.com/openstack/trove/blob/master/trove/guestagent/pkg.py#L258
  , where a package named something like "abc; rm -rf /etc" will cause
  all files in /etc which Trove has permissions for, to be deleted.

  Again, on this line:
  https://github.com/openstack/trove/blob/master/trove/guestagent/pkg.py#L371
  , a malicious package name will cause arbitrary code injection with
  the privileges of the Trove process.

  I'm not nearly familiar enough with the Trove code and uses to know
  all the ways that package names for this code can be set, but these
  commands should be parameterized.

  Finally, os.popen is a deprecated function.  The subprocess module
  should be used instead.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1434545/+subscriptions