Activity log for bug #1074087

Date Who What changed Old value New value Message
2012-11-01 17:49:33 Erica Windisch bug added bug
2012-11-01 20:46:07 Russell Bryant nova: importance Undecided Critical
2012-11-01 20:46:11 Russell Bryant nova: status New Incomplete
2012-11-01 20:47:18 Russell Bryant bug added subscriber OpenStack Vulnerability Management team
2012-11-02 20:12:40 Russell Bryant nova: importance Critical Medium
2012-11-02 20:12:43 Russell Bryant nova: status Incomplete Confirmed
2012-11-02 20:13:17 Russell Bryant tags security
2012-11-02 20:13:55 Russell Bryant information type Private Security Public
2012-11-08 14:21:44 Thierry Carrez removed subscriber OpenStack Vulnerability Management team
2013-03-12 15:22:16 Michael Still nova: status Confirmed Invalid
2013-03-12 15:22:20 Michael Still nova: importance Medium Undecided
2013-03-12 15:43:21 Erica Windisch nova: status Invalid New
2013-03-12 16:03:23 Alvaro Lopez summary Xen migration driver should use execvp XenApi migration driver should use execvp
2013-03-12 16:04:17 Alvaro Lopez description The Xen drivers split a string to create an array for subprocess.Popen, rather than passing an array directly. This invites the potential for command injection / manipulation. There is no clearly valid reason to use string splitting here when arguments can be passed, as elsewhere, directly into Popen. The behavior here is present in current Trunk, Folsom, and Essex. Per Trunk and Folsom, _rsync_vhds calls plugins.utils.subprocess to perform the splitting. In Essex, this behaviorism was present directly in migration/transfer_vhd.py, rather than in utils.py. Earlier releases have not been evaluated. I am not certain if this is directly exploitable. The user field is inserted into the generated strings used for command-line execution, and it does seem that Keystone allows usernames to contain arbitrary tokens/characters such as spaces. It is not clear to me if the user field directly matches that in Keystone, if the user field is otherwise validated in the API, etc. Other fields inserted into the command string seem to be internally generated. The XenApi drivers split a string to create an array for subprocess.Popen, rather than passing an array directly. This invites the potential for command injection / manipulation. There is no clearly valid reason to use string splitting here when arguments can be passed, as elsewhere, directly into Popen. The behavior here is present in current Trunk, Folsom, and Essex. Per Trunk and Folsom, _rsync_vhds calls plugins.utils.subprocess to perform the splitting. In Essex, this behaviorism was present directly in migration/transfer_vhd.py, rather than in utils.py. Earlier releases have not been evaluated. I am not certain if this is directly exploitable. The user field is inserted into the generated strings used for command-line execution, and it does seem that Keystone allows usernames to contain arbitrary tokens/characters such as spaces. It is not clear to me if the user field directly matches that in Keystone, if the user field is otherwise validated in the API, etc. Other fields inserted into the command string seem to be internally generated.
2013-03-18 13:48:37 Chuck Short nova: status New Triaged
2013-05-22 11:22:16 John Garbutt tags security security xenserver
2013-05-22 11:26:10 John Garbutt nova: importance Undecided Medium
2013-06-24 14:20:41 Euan Harris nova: assignee Euan Harris (euanh)
2013-06-24 14:22:22 Euan Harris summary XenApi migration driver should use execvp XenApi migration driver should not use shell=True with Popen
2013-06-24 16:05:37 Euan Harris nova: status Triaged In Progress
2013-07-09 15:20:21 OpenStack Infra nova: status In Progress Fix Committed
2013-07-17 12:18:38 Thierry Carrez nova: status Fix Committed Fix Released
2013-07-17 12:18:38 Thierry Carrez nova: milestone havana-2
2013-10-17 11:47:41 Thierry Carrez nova: milestone havana-2 2013.2
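The description above warns that formatting a command line as one string and splitting it on whitespace (or running it with shell=True) lets the contents of a single field, such as a user name containing spaces, change the argument boundaries of the child process. The following is an added illustration of that pattern beside the hardened form; it is not code from nova or from the bug report, and the rsync-style invocation, the host, the path and the sample user names are all constructed here.

```python
import json
import subprocess
import sys

# Constructed sample values (not from the bug report): a plain user name and
# one containing whitespace, which the report says Keystone permits.
SAFE_USER = "alice"
ODD_USER = "alice extra-arg"


def argv_by_splitting(user, host, path):
    """The pattern the report describes: build one string, then split it.

    Whitespace inside any field becomes an argv boundary, so the child
    receives more arguments than the caller intended.
    """
    cmd = "rsync -av %s@%s:%s /dest" % (user, host, path)
    return cmd.split()


def argv_as_list(user, host, path):
    """Hardened form: one list element per argument, no string splitting.

    Passed to Popen with the default shell=False, each element reaches the
    child as exactly one argv entry, regardless of its contents.
    """
    return ["rsync", "-av", "%s@%s:%s" % (user, host, path), "/dest"]


def field_is_plain(value):
    """Defensive check callers can apply before building argv (assumed
    policy, not nova's): reject fields containing whitespace or a leading
    dash, so a field can never be mistaken for an option or split apart."""
    return bool(value) and not any(c.isspace() for c in value) and not value.startswith("-")


def run_with_argv_echo(argv):
    """Run a harmless child (the current Python interpreter) that echoes its
    argv as JSON, so the effect of each construction is observable without
    invoking rsync. shell=False is the default and is kept here."""
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"] + argv
    out = subprocess.run(child, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    for user in (SAFE_USER, ODD_USER):
        print("user field:", repr(user))
        print("  split string  ->", run_with_argv_echo(argv_by_splitting(user, "host", "/vhd")))
        print("  argument list ->", run_with_argv_echo(argv_as_list(user, "host", "/vhd")))
```

With the plain user name both constructions produce four arguments; with the whitespace-containing one, the split version hands the child five, while the list version still delivers the user field intact as part of a single argument. Which fix is adopted (argument lists, input validation, or both) is a design choice; the list form removes the boundary problem regardless of validation.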