nova-powervm

PowerVM config drive path is not secure

Bug #1771538 reported by Andrey Volkov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Medium
Matthew Edmonds
nova-powervm
Fix Released
Undecided
Unassigned

Bug Description

This report is based on the Bandit scanner results and code review.

1)
On https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/powervm/media.py?h=refs/heads/master#n44

43 _VOPT_SIZE_GB = 1
44 _VOPT_TMPDIR = '/tmp/cfgdrv/'
45

We have hardcoded tmp dir that could be cleaned up after compute node reboot.
As mentioned in todo it might be good to use conf option.

2)
On https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/powervm/media.py?h=refs/heads/master#n116
Predictable file name based on a user input is used:
116 file_name = pvm_util.sanitize_file_name_for_api(
117 instance.name, prefix='cfg_', suffix='.iso',
118 max_len=pvm_const.MaxLen.VOPT_NAME)
Probably we could use instance.uuid for that.

Tags: powervm
Revision history for this message
Andrey Volkov (avolkov) wrote :

https://security.openstack.org/guidelines/dg_using-temporary-files-securely.html

Balazs Gibizer (balazs-gibizer)
tags: added: powervm
Revision history for this message
Matthew Edmonds (edmondsw) wrote :

I don't think we need to worry about the TMPDIR getting cleaned up, but we shouldn't be using predictable temp dir/file names.

Changed in nova:
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/610174

Changed in nova:
assignee: nobody → Matthew Edmonds (edmondsw)
status: Confirmed → In Progress
melanie witt (melwitt)
Changed in nova:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/610174
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4afe8ea5a19e236b485da3132d66064017a479ec
Submitter: Zuul
Branch: master

commit 4afe8ea5a19e236b485da3132d66064017a479ec
Author: Matthew Edmonds <email address hidden>
Date: Fri Oct 12 17:26:29 2018 -0400

    Use tempfile for powervm config drive

    There are potential security issues with using predictable temp
    directories or files, so use python's tempfile module to do this
    safely.

    Change-Id: Ia067236785882ad3acca23a425ea1333b247d8c6
    Closes-Bug: #1771538

Changed in nova:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova-powervm (master)

Reviewed: https://review.openstack.org/613342
Committed: https://git.openstack.org/cgit/openstack/nova-powervm/commit/?id=54e501481de97d600f4c8757dc4cdac80ba5ab54
Submitter: Zuul
Branch: master

commit 54e501481de97d600f4c8757dc4cdac80ba5ab54
Author: Matthew Edmonds <email address hidden>
Date: Thu Oct 25 10:45:47 2018 -0400

    Use tempfile for powervm config drive

    There are potential security issues with using predictable temp
    directories or files, so use python's tempfile module to do this
    safely.

    Change-Id: I5e23933af71180da1d55950fcf49e39b0b800ef5
    Closes-Bug: #1771538

Changed in nova-powervm:
status: New → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova-powervm 8.0.0.0rc1

This issue was fixed in the openstack/nova-powervm 8.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 19.0.0.0rc1

This issue was fixed in the openstack/nova 19.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.