[Openstack-security] [Bug 1434545] Re: Several command injection vulnerabilities in guestagent/pkg
** Changed in: trove
Assignee: Amrith Kumar (amrith) => (unassigned)
Several command injection vulnerabilities in guestagent/pkg
Status in OpenStack Security Advisory:
Status in OpenStack DBaaS (Trove):
At several places in the file guestagent/pkg.py, there are shell
In this line, the cmd_list is being built parameterized, but then it
is just combined into one big string and called directly on a shell
through the command getstatusoutput, which does a popen. If the package
name is set maliciously, the command will execute arbitrary code with
the privilege of the trove process.
The same is true on this line,
, where a package named something like "abc; rm -rf /etc" will cause
all files in /etc for which Trove has permissions to be deleted.
Again, on this line:
, a malicious package name will cause arbitrary code injection with
the privileges of the Trove process.
I'm not nearly familiar enough with the Trove code and uses to know
all the ways that package names for this code can be set, but these
commands should be parameterized.
Finally, os.popen is a deprecated function. The subprocess module
should be used instead.
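As an added illustration (not code from the Trove project or from the bug reporter), the flattened-string pattern the report describes is shown next to a parameterized subprocess form with an allow-list check on package names. The apt-get prefix, the Debian-style name grammar and the function names are assumptions.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the guest agent's parameterized command list.
INSTALL_PREFIX = ["apt-get", "-y", "install"]

def unsafe_command_string(cmd_list):
    """The reported pattern: the list is flattened into one string that is
    then handed to a shell (getstatusoutput / popen). Any shell metacharacter
    in a package name becomes part of the command line."""
    return " ".join(cmd_list)

# Assumed package-name grammar (Debian-style): lowercase letters, digits,
# '+', '-', '.', starting with an alphanumeric character.
PKG_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")

def validate_package_name(name):
    """Allow-list check applied before a name reaches any command line."""
    if not PKG_NAME_RE.match(name):
        raise ValueError("invalid package name: %r" % (name,))
    return name

def build_install_argv(packages):
    """Hardened form: an argv list. Each name is exactly one argument, no
    shell interprets it, and every name is validated first."""
    return INSTALL_PREFIX + [validate_package_name(p) for p in packages]

def quoted_for_log(argv):
    """shlex.join quotes each element for display, showing that a hostile
    name stays a single literal word rather than a second command."""
    return shlex.join(argv)

def run_install(packages, runner=subprocess.run):
    """Execute via subprocess with shell=False instead of the deprecated
    os.popen. `runner` is injectable so this can be exercised without apt-get."""
    argv = build_install_argv(packages)
    completed = runner(argv, shell=False, capture_output=True, text=True)
    return completed.returncode, completed.stdout

if __name__ == "__main__":
    hostile = "abc; rm -rf /etc"  # the name quoted in the bug report
    print(unsafe_command_string(INSTALL_PREFIX + [hostile]))  # two commands
    print(quoted_for_log(INSTALL_PREFIX + ["mysql-server"]))
    try:
        build_install_argv([hostile])
    except ValueError as err:
        print("rejected:", err)
```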