feedback our modification and performance after modification

Bug #1889512 reported by yuhsiang lin
Affects                     | Status    | Importance | Assigned to | Milestone
Glance                      | Won't Fix | Undecided  | Unassigned  |
OpenStack Security Advisory | Won't Fix | Undecided  | Unassigned  |

Bug Description

Hi, when I re-scan against a current stable branch, I find some high-risk Command Injection issues.
This risk is in \glance\glance\tests\utils.py, so I try to solve this risk.

Tags: security
yuhsiang lin (willylin) wrote :
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

Given that the problems you've identified are in Glance's unit tests, I don't think this needs to be discussed in private under embargo. This is at worst a class B3 report per the OpenStack Vulnerability Management Team's taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

If one of the Glance reviewers can confirm this is safe to discuss in the open, I'm happy to switch the bug state to public immediately.

Brian Rosmaita (brian-rosmaita) wrote :

I agree with Jeremy's assessment, this would be at worst B3. It would be useful if the reporter could outline the attack scenario they see here.

Jeremy Stanley (fungi) wrote :

Thanks for confirming, Brian. I've ended the embargo and switched this to public. No advisory expected, class B3 report.

description: updated
information type: Private Security → Public
tags: removed: private
Changed in ossa:
status: Incomplete → Won't Fix
Erno Kuvaja (jokke)
Changed in glance:
status: New → Incomplete
Changed in glance:
status: Incomplete → Won't Fix