Comment 60 for bug 1496277
Revision history for this message
| Tristan Cacqueray (tristan-cacqueray) wrote Re: template-validate may read server local files (CVE-2015-5295) | #60 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
35a32c5
(Get the code!)
Trying to reproduce using this sequence quickly consumes all system memory and crashed my setup:
cat > bad_template.yaml << EOF
heat_template_
description": "a"
resources: {"my_instance": {"type": "file:/
EOF
heat stack-create --template-file ./bad_template.yaml test_bad
I propose to add this Note to the advisory:
- Until the python-heatclient get updated, this bug also reproduces on the client side, users should only launch template from trusted sources.