lshell component is not maintained and has pending CVEs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| StarlingX | Won't Fix | Low | Ken Young | |
Bug Description
Folks,
As I was looking at the upstream patches, I looked into the status of lshell and noticed there was an existing open issue[0] which referenced 2 CVEs:
- CVE-2016-6902 - remote authenticated users can break out of a limited shell and execute arbitrary commands.
- CVE-2016-6903 - lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands.
These are related, and there is a potential fix, but issue 150 [3] seems to indicate the patch is not complete. The maintainer has expressed that he is not able to do anything about this as of May this year. Additionally, lshell is python2 based and would need to be converted to python3.
I went so far as to propose a very simple change to their README.md to fix a bad link, and it stalled in their travis tox check.
Sau!
Changed in starlingx:
- importance: Undecided → Low
- status: New → Triaged
- assignee: nobody → Ken Young (kenyis)
- information type: Private Security → Public Security
Email from Dean Troyer:
> What alternatives do we have for this functionality?
Alternatives in increasing levels of commitment to lshell:
* replace it
* fork the project and fix the CVEs and continue
* adopt the project and take over maintenance as a stand-alone project should the existing maintainer be interested in doing so[0]
I am specifically not listing 'do nothing' as active CVEs must be addressed...
dt
[0] OpenStack has done this on occasion when a dependency goes dormant and the maintainer has no interest in continuing and the cost of converting outweighs the perceived cost of maintenance and ownership.