python-muranoclient

Insecure tmp file creation in python-muranoclient

Bug #1378172 reported by Kurt Seifried on 2014-10-07

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	python-muranoclient	Fix Released	High	Dmytro Dovbii	python-muranoclient 0.6.3

Bug Description

./python-muranoclient/muranoclient/v1/shell.py:258: archive_name = args.output or tempfile.mktemp(prefix="murano_")

    try:
        if args.template:
            directory_path = hot_package.prepare_package(args)
        else:
            directory_path = mpl_package.prepare_package(args)

archive_name = args.output or tempfile.mktemp(prefix="murano_")

        _make_archive(archive_name, directory_path)
        print("Application package is available at " +
              os.path.abspath(archive_name))

this is highly insecure and allows an attacker to modify the contents of the archive, assuming no arg name was passed. This code does not appear to be used, but is still CVE worthy as the code may be used (ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1692). Exploitation of this vuln would appear to lead to code execution (e.g. modify the archive package which is then used while deploying systems).

Tags:

Ekaterina Chernova (efedorova) on 2015-05-15

Changed in python-muranoclient:
status:	New → Confirmed
milestone:	none → 0.6.0
importance:	Undecided → Medium

Serg Melikyan (smelikyan) on 2015-06-02

Changed in python-muranoclient:
milestone:	0.6.0 → 0.6.1

Kirill Zaitsev (kzaitsev) on 2015-06-10

tags:	added: kilo-backport-potential
tags:	added: security

Kirill Zaitsev (kzaitsev) on 2015-07-09

Changed in python-muranoclient:
importance:	Medium → High

Serg Melikyan (smelikyan) on 2015-07-21

Changed in python-muranoclient:
milestone:	0.6.1.0 → next

Serg Melikyan (smelikyan) on 2015-09-11

Changed in python-muranoclient:
milestone:	0.7.0 → 0.7.1

Serg Melikyan (smelikyan) on 2015-10-02

no longer affects:	python-muranoclient/kilo
Changed in python-muranoclient:
milestone:	0.7.1 → 0.8.0
information type:	Private Security → Public
information type:	Public → Private Security

Serg Melikyan (smelikyan) on 2015-10-02

Changed in python-muranoclient:
assignee:	nobody → Dmytro Dovbii (ddovbii)
information type:	Private Security → Public Security

Revision history for this message

Jeremy Stanley (fungi) wrote on 2015-10-02:

The offending code seems to have been replaced months ago as a side effect of https://review.openstack.org/204048 (so fixed in 0.6.3), and was originally introduced in 8468a03 which first appeared in the 0.5.3 release.

Kirill Zaitsev (kzaitsev) on 2015-10-02

Changed in python-muranoclient:
status:	Confirmed → Fix Committed

Serg Melikyan (smelikyan) on 2015-10-03

Changed in python-muranoclient:
milestone:	0.8.0 → 0.6.3

Kirill Zaitsev (kzaitsev) on 2015-12-03

Changed in python-muranoclient:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.