Predictable /tmp filenames used in SourcesHandler

Bug #1166323 reported by Clint Byrum
Affects: heat-cfntools
Status: Fix Released
Importance: Critical
Assigned to: Clint Byrum

Bug Description

The use of /tmp without randomization in the filename is a generally bad security practice. If the host has a non-root malicious user present, they can use a local DNS cache poison and predict these filenames and create their own symlink to a root-owned file such as /etc/shadow, thus gaining root access. This is a theoretical vulnerability.
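The pattern the report describes next to a hardened variant, as an added example that is not part of the bug report or of heat-cfntools itself. Everything runs inside a scratch directory; the file names and the "protected" file are constructed stand-ins.

```python
import os
import tempfile


def naive_target(shared_dir, name):
    """Pattern from the report: a fixed, guessable name in a shared dir."""
    return os.path.join(shared_dir, name)


def write_naive(path, data):
    """Plain open() follows whatever is already at the path, symlink included."""
    with open(path, "wb") as f:
        f.write(data)


def write_hardened(path, data):
    """O_CREAT|O_EXCL fails if any entry (symlink included) already exists at
    the path; O_NOFOLLOW closes the race window. Returns False if refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def private_workdir():
    """mkdtemp: random name, mode 0700, so nobody else can pre-create entries."""
    return tempfile.mkdtemp(prefix="sources-")


def demo():
    """Constructed scenario inside a scratch directory: a stand-in for a
    protected file and a symlink planted at the predictable download name."""
    base = tempfile.mkdtemp(prefix="demo-")
    protected = os.path.join(base, "protected.txt")
    with open(protected, "w") as f:
        f.write("original\n")
    planted = naive_target(base, "StarCluster-master.tar.gz")
    os.symlink(protected, planted)
    write_naive(planted, b"clobbered\n")          # writes through the link
    clobbered = open(protected).read() == "clobbered\n"
    refused = not write_hardened(planted, b"tarball")  # pre-existing entry
    workdir = private_workdir()
    fresh_ok = write_hardened(os.path.join(workdir, "StarCluster-master.tar.gz"), b"tarball")
    mode = oct(os.stat(workdir).st_mode & 0o777)
    return clobbered, refused, fresh_ok, mode
```

demo() returns (True, False, True, '0o700'): the naive write goes through the planted link, the hardened open refuses the pre-existing entry, and the same open succeeds inside a fresh mkdtemp directory.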

Changed in heat-cfntools:
assignee: nobody → Clint Byrum (clint-fewbar)
Changed in heat-cfntools:
status: New → In Progress
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Attaching a patch, instead of using gerrit, until it is deemed safe to make this bug report public.

Revision history for this message
Steve Baker (steve-stevebaker) wrote :

Patch applied and test ran locally.

Changed in heat-cfntools:
milestone: none → v1.3.0
importance: Undecided → Critical
Revision history for this message
Thierry Carrez (ttx) wrote :

heat-cfntools (or Heat/Grizzly) are not covered by the vulnerability management policy yet, so feel free to release this in your preferred way, as we won't be releasing an official OSSA (openstack security advisory) for it.

My suggestion would be to send a message to the openstack general ML once the patch makes it to the repo. Alternatively you can ask for a CVE and try to coordinate fixes with affected distros, if any.

Revision history for this message
Clint Byrum (clint-fewbar) wrote : Re: [Bug 1166323] Re: Predictable /tmp filenames used in SourcesHandler

Excerpts from Thierry Carrez's message of 2013-04-09 08:38:08 UTC:
> heat-cfntools (or Heat/Grizzly) are not covered by the vulnerability
> management policy yet, so feel free to release this in your preferred
> way, as we won't be releasing an official OSSA (openstack security
> advisory) for it.
>
> My suggestion would be to send a message to the openstack general ML
> once the patch makes it to the repo. Alternatively you can ask for a CVE
> and try to coordinate fixes with affected distros, if any.
>

Thanks Thierry! We'll figure it out, soon I hope. :)

Revision history for this message
Steve Baker (steve-stevebaker) wrote :

I'm testing this on a running instance, and I'm getting this in the log:
DEBUG [2013-04-10 00:16:25,669] Running command: wget -O /tmp/tmpsonobf/StarCluster-master.tar.gz https://github.com/mza/StarCluster/tarball/master
DEBUG [2013-04-10 00:16:34,465] Running command: tar -C /home/ec2-user/starcluster -xzf /tmp/tmpsonobf/StarCluster-master.tar.gz
DEBUG [2013-04-10 00:16:36,527] Return code of 2 after executing: '['su', 'root', '-c', u'tar -C /home/ec2-user/starcluster -xzf /tmp/tmpsonobf/StarCluster-master.tar.gz']'

and /home/ec2-user/starcluster exists but is empty.

Running the tar command manually results in /home/ec2-user/starcluster being populated.

What is needed here? Running sync after wget?

Revision history for this message
Steve Baker (steve-stevebaker) wrote :

Sync after wget didn't help.

information type: Private Security → Public Security
Changed in heat-cfntools:
status: In Progress → Fix Committed
Changed in heat-cfntools:
status: Fix Committed → Fix Released