Agreed, opening so that we can fix those in the open.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1192971

Title:
  Command execution cases need to be strengthened

Status in Cinder:
  Confirmed
Status in OpenStack Compute (Nova):
  Confirmed
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Grant Murphy from Red Hat Product Security Team reports the following
  potential vulnerability:

  For the most part OpenStack seems to do command execution safely using
  subprocess.Popen. There are two instances where things become a little
  dubious. The first is when shell=True is used with subprocess. This
  doesn't prevent arguments being supplied that allow for multiple
  commands to be executed, e.g. '; cat /etc/passwd'. The second case is
  where commands are made to an external ssh host.

  See attached file for a list of potential injections: we should
  double-check them (even if I expect most of them to turn out to be
  false positives).

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1192971/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
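The two patterns the report names, shown side by side as an added example (this is not code from the bug report, from Nova or from Cinder). The first pair contrasts string interpolation with shell=True against an argv list with no shell; the second pair shows why the ssh case is different: the remote sshd spawns a shell that re-parses the command line, so the local argv list does not protect the remote side and each word has to be quoted with shlex.quote. The tainted value is constructed, uses only echo in place of the report's "; cat /etc/passwd", and the remote shell is simulated locally with sh -c (an assumption for the sake of a runnable demo).

```python
import shlex
import subprocess
from typing import List

# Constructed, attacker-controlled value carrying a shell metacharacter.
# Stands in for the "; cat /etc/passwd" pattern in the report, using only echo.
TAINTED_NAME = "volume-1; echo INJECTED"


def run_with_shell(name: str) -> str:
    """Vulnerable pattern: string interpolation plus shell=True.

    The shell splits on ';', so the tainted value becomes a second command.
    Returns the captured stdout so the effect can be checked.
    """
    return subprocess.run(
        "echo %s" % name, shell=True, capture_output=True, text=True, check=True
    ).stdout


def run_with_argv(name: str) -> str:
    """Safe pattern: argv list, no shell.

    The value is passed as exactly one argument, metacharacters included,
    and no command interpreter ever sees it.
    """
    return subprocess.run(
        ["echo", name], capture_output=True, text=True, check=True
    ).stdout


def build_remote_command(argv: List[str]) -> str:
    """Quote an argv for execution over ssh.

    ssh hands the remote side a single string that a shell parses again,
    so every word must be shell-quoted before it is joined.
    """
    return " ".join(shlex.quote(arg) for arg in argv)


def ssh_argv(host: str, remote_argv: List[str]) -> List[str]:
    """Local argv for ssh: no local shell, and a quoted remote command line."""
    return ["ssh", host, build_remote_command(remote_argv)]


def simulate_remote_shell(command: str) -> str:
    """Stand-in (assumption) for the shell sshd spawns on the remote host:
    sh -c parses the command string locally exactly as that shell would."""
    return subprocess.run(
        ["sh", "-c", command], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    print("shell=True  :", run_with_shell(TAINTED_NAME).splitlines())
    print("argv list   :", run_with_argv(TAINTED_NAME).splitlines())
    unquoted = "echo " + TAINTED_NAME
    quoted = build_remote_command(["echo", TAINTED_NAME])
    print("ssh unquoted:", simulate_remote_shell(unquoted).splitlines())
    print("ssh quoted  :", simulate_remote_shell(quoted).splitlines())
    print("ssh argv    :", ssh_argv("cinder-host.example", ["echo", TAINTED_NAME]))
```

With the tainted name, run_with_shell prints two lines (the second being the injected command's output) while run_with_argv prints the literal value as one line; the unquoted remote string behaves like shell=True even though ssh itself was started without a shell, and the shlex.quote'd string reaches the remote shell as a single argument. Auditing for this means looking not only for shell=True but for any place a command string is assembled and handed to ssh.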