OpenStack Heat

RandomString resource is using default Python RNG

Bug #1745931 reported by Pavlo Shchelokovskyy on 2018-01-29

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Fix Released	Medium	Pavlo Shchelokovskyy	OpenStack Heat queens-rc1

Bug Description

It might be theoretically possible to infer the state of Python RNG in a (long enough running) heat-engine process by creating many OS::Heat::RandomString resources and observing their generated values.

We should use SystemRandom instead which under the hood uses system's built-in RNG (like /dev/urandom on Linux).

Tags:

OpenStack Infra (hudson-openstack) on 2018-01-29

Changed in heat:
assignee:	nobody → Pavlo Shchelokovskyy (pshchelo)
status:	New → In Progress

Revision history for this message

Pavlo Shchelokovskyy (pshchelo) wrote on 2018-01-29:

Patch is proposed at https://review.openstack.org/#/c/536403/

Zane Bitter (zaneb) on 2018-01-30

Changed in heat:
importance:	Undecided → Medium
milestone:	none → queens-rc1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-09: Fix merged to heat (master)

Reviewed: https://review.openstack.org/536403
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=41605aaac1ec9fb0020c663b703255ee2cf3615f
Submitter: Zuul
Branch: master

commit 41605aaac1ec9fb0020c663b703255ee2cf3615f
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Mon Jan 22 18:17:37 2018 +0200

Replace random with SystemRandom for RandomString

    it might be theoretically possible to infer the state of
    standard Python's RNG in a long-running heat-engine service
    from multiple created RandomString resources.

Let's use the random.SystemRandom (and os.urandom) for
OS::Heat::RandomString instead.

Change-Id: Iac5c03176fc8bae95ada883621196bd9cb453be3
Closes-Bug: #1745931

Changed in heat:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-10: Fix included in openstack/heat 10.0.0.0rc1

This issue was fixed in the openstack/heat 10.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-23: Fix proposed to heat (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/555904

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-05: Fix proposed to heat (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/559187

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-18: Fix merged to heat (stable/pike)

Reviewed: https://review.openstack.org/555904
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=17550305883f41a8b917056864bef328ddb0954c
Submitter: Zuul
Branch: stable/pike

commit 17550305883f41a8b917056864bef328ddb0954c
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Mon Jan 22 18:17:37 2018 +0200

Replace random with SystemRandom for RandomString

    it might be theoretically possible to infer the state of
    standard Python's RNG in a long-running heat-engine service
    from multiple created RandomString resources.

Let's use the random.SystemRandom (and os.urandom) for
OS::Heat::RandomString instead.

    Change-Id: Iac5c03176fc8bae95ada883621196bd9cb453be3
    Closes-Bug: #1745931
    (cherry picked from commit 41605aaac1ec9fb0020c663b703255ee2cf3615f)

tags:

added: in-stable-pike

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-30: Fix included in openstack/heat 9.0.4

This issue was fixed in the openstack/heat 9.0.4 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-05-17: Fix merged to heat (stable/ocata)

Reviewed: https://review.openstack.org/559187
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=de568e036cf310338aeced0b9a34377f8a6280e4
Submitter: Zuul
Branch: stable/ocata

commit de568e036cf310338aeced0b9a34377f8a6280e4
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Mon Jan 22 18:17:37 2018 +0200

Replace random with SystemRandom for RandomString

    it might be theoretically possible to infer the state of
    standard Python's RNG in a long-running heat-engine service
    from multiple created RandomString resources.

Let's use the random.SystemRandom (and os.urandom) for
OS::Heat::RandomString instead.

    Change-Id: Iac5c03176fc8bae95ada883621196bd9cb453be3
    Closes-Bug: #1745931
    (cherry picked from commit 41605aaac1ec9fb0020c663b703255ee2cf3615f)

tags:

added: in-stable-ocata

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-04: Fix included in openstack/heat 8.0.7

This issue was fixed in the openstack/heat 8.0.7 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.