passlib failure to sanitize env variables PASSLIB_MAX_PASSWORD_SIZE
Bug #1175905 reported by Kurt Seifried
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Low | Eric Brown | 8.0.0
Bug Description
Grant Murphy originally reported:
* Usage of passlib
The keystone server does not appear to sanitize the environment when starting. This means that an unintended value can be set for PASSLIB_MAX_PASSWORD_SIZE (default 4096) and potentially cause an unhandled passlib exception.
We should ensure sensible defaults are applied here prior to loading passlib.
If this is exploitable it will need a CVE, if not we should still harden it so it can't be monkeyed with in the future.
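The hardening the report asks for, as an added example (not keystone's actual patch and not passlib's code): passlib reads PASSLIB_MAX_PASSWORD_SIZE once, at import time, as the hard cap on password length it will hash, and the example reproduces that read as `int(value or 4096)` rather than importing passlib so it runs stand-alone. It shows the two failure modes a stray environment value causes (a non-numeric value makes the import itself raise; a zero or tiny value makes every password over the limit, so every login is rejected) and a guard that normalises the variable before the import. The bounds `MIN_SANE` and `MAX_SANE` are a hypothetical policy chosen for the example.

```python
"""Guard PASSLIB_MAX_PASSWORD_SIZE before passlib is imported.

passlib reads PASSLIB_MAX_PASSWORD_SIZE once, when the package is imported,
and uses it as the hard cap on the length of any password it will hash.
This example reproduces that import-time read (assumption: int(env or 4096))
so it runs without passlib installed, shows how a stray value breaks a
service, and installs a guard that normalises the variable first.
"""

ENV_VAR = "PASSLIB_MAX_PASSWORD_SIZE"
PASSLIB_DEFAULT = 4096  # passlib's own default when the variable is unset/empty

# Hypothetical policy bounds for this example; a deployment picks its own.
MIN_SANE = 72            # bcrypt only consumes the first 72 bytes anyway
MAX_SANE = 1 << 20       # keep hashing work bounded against very long inputs


def passlib_reads_max_size(environ):
    """Mimic passlib's import-time read: int(env value or 4096).

    Assumption: this is what passlib.utils does; it is reproduced here rather
    than imported so the example is self-contained.
    """
    return int(environ.get(ENV_VAR) or PASSLIB_DEFAULT)


def unsanitized_outcome(environ, secret):
    """What happens to one password check when the variable is not sanitised."""
    try:
        limit = passlib_reads_max_size(environ)
    except ValueError:
        # A non-numeric value makes 'import passlib' itself raise, so the
        # service never starts.
        return "import fails"
    if len(secret) > limit:
        # passlib refuses to hash over-long input; with a zero or tiny limit
        # every login is rejected (a self-inflicted denial of service).
        return "password rejected"
    return "hashed"


def sanitize_passlib_env(environ, default=PASSLIB_DEFAULT, lo=MIN_SANE, hi=MAX_SANE):
    """Force ENV_VAR to a known-good integer in [lo, hi].

    Must run before 'import passlib'. Returns (value_installed, reason) where
    reason is None if the existing value was acceptable.
    """
    raw = environ.get(ENV_VAR)
    reason = None
    if raw is None or raw == "":
        value = default
    else:
        try:
            value = int(raw)
        except ValueError:
            value, reason = default, "not an integer: %r" % (raw,)
        else:
            if not lo <= value <= hi:
                value, reason = default, "out of range: %d" % value
    environ[ENV_VAR] = str(value)
    return value, reason


if __name__ == "__main__":
    # Constructed environments: a clean one, two broken ones, one acceptable override.
    for env in ({}, {ENV_VAR: "abc"}, {ENV_VAR: "0"}, {ENV_VAR: "8192"}):
        before = unsanitized_outcome(dict(env), "correct horse battery staple")
        value, why = sanitize_passlib_env(env)
        after = unsanitized_outcome(env, "correct horse battery staple")
        print("%-40r before=%-18s after=%-8s installed=%d %s"
              % (env, before, after, value, why or ""))
```

In a real service the call is `sanitize_passlib_env(os.environ)` at the top of the module that first imports passlib; the guard has no effect if it runs after the import, because passlib has already cached the value. Logging the returned reason gives operators a record that a bad value was overridden instead of silently applied.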
information type: Private Security → Public
Changed in keystone: status: New → Triaged; importance: Undecided → Medium
Changed in keystone: assignee: nobody → Li Ma (nick-ma-b); status: Triaged → In Progress
Changed in keystone: assignee: Li Ma (nick-ma-b) → nobody
Changed in keystone: status: In Progress → Confirmed
Changed in keystone: status: In Progress → Triaged; assignee: Morgan Fainberg (mdrnstm) → nobody
Changed in keystone: importance: Medium → Low
Changed in keystone: milestone: none → liberty-3; status: Fix Committed → Fix Released
Changed in keystone: milestone: liberty-3 → 8.0.0
I don't see this as exploitable, as you'd have to locally control the environment for the keystone user, which means control of that user, which means pretty much controlling Keystone anyway?
Fully agree that we can strengthen that part to avoid it being monkeyed with in the future. With your permission, I'd open this bug publicly and let it be strengthened in public patches.