[OSSA 2014-012] Remote Code Execution in Sheepdog backend (CVE-2014-0162)
Bug #1298698 reported by Paul McMillan
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | Critical | Zhi Yan Liu |
Havana | Fix Committed | Undecided | Zhi Yan Liu |
OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray |
Bug Description
The Sheepdog backend for Glance appears to allow an attacker to remotely execute arbitrary code as the glance user.
This code should be reworked so that it doesn't need shell=True. As it currently stands, it appears that an admin can insert or modify an image with a specially crafted id, which would trigger code execution. I don't immediately see a way for a non-admin user to trigger the injection, but the possibility does exist.
Changed in glance:
importance: Undecided → High
status: New → Confirmed
Changed in ossa:
importance: Undecided → High
Changed in ossa:
status: New → Confirmed
Changed in glance:
importance: High → Critical
tags: added: icehouse-rc-potential
Changed in glance:
assignee: nobody → Zhi Yan Liu (lzy-dev)
summary:
- Remote Code Execution in Sheepdog backend
+ Remote Code Execution in Sheepdog backend (CVE-2014-0162)
Changed in ossa:
status: Confirmed → In Progress
Changed in glance:
milestone: none → icehouse-rc2
tags: removed: icehouse-rc-potential
information type: Private Security → Public Security
summary:
- Remote Code Execution in Sheepdog backend (CVE-2014-0162)
+ [OSSA 2014-012] Remote Code Execution in Sheepdog backend
+ (CVE-2014-0162)
Changed in glance:
status: Confirmed → In Progress
Changed in ossa:
status: Fix Committed → Fix Released
status: Fix Released → Fix Committed
Changed in glance:
status: In Progress → Fix Committed
Changed in glance:
status: Fix Committed → Fix Released
Changed in ossa:
status: Fix Committed → Fix Released
Changed in glance:
milestone: icehouse-rc2 → 2014.1
The current version of the patch looks good.
You don't need the map in this line:
cmd.extend(map(str, params))
It can just be like this:
cmd.extend(params)
Since the helper function already does that here:
https://github.com/openstack/glance/blob/master/glance/openstack/common/processutils.py#L137
Otherwise, this looks like a very good solution to the problem.
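The shell=True problem from the bug description, next to the argument-list approach the review comment refers to, as an added example that is not Glance's code. `echo` and a child Python process stand in for the storage CLI; the function names, the sample ids and the assumption that image ids are canonical UUID strings are all illustrative.

```python
import subprocess
import sys
import uuid

# Stand-in for the backend's storage CLI (assumption): a child Python process
# that prints how many arguments it received and echoes the last one.
ARGV_ECHO = [sys.executable, "-c",
             "import sys; print(len(sys.argv) - 1); print(sys.argv[-1])"]


def run_with_shell(image_id):
    """'Before' pattern: the id is interpolated into a shell command string."""
    cmd = "echo vdi list %s" % image_id
    return subprocess.check_output(cmd, shell=True).decode().splitlines()


def build_argv(command, *params):
    """'After' pattern: one list element per argument, never parsed by a shell."""
    cmd = list(ARGV_ECHO) + ["vdi", command]
    # subprocess does not stringify arguments itself, so convert them here.
    cmd.extend(str(p) for p in params)
    return cmd


def run_without_shell(command, *params):
    """Run the stand-in CLI and return (argument count, last argument)."""
    out = subprocess.check_output(build_argv(command, *params))
    count, last = out.decode().splitlines()
    return int(count), last


def is_valid_image_id(image_id):
    """Defence in depth: accept only canonical UUID strings as image ids."""
    try:
        return str(uuid.UUID(image_id)) == image_id.lower()
    except (ValueError, AttributeError, TypeError):
        return False


# Constructed sample ids, not taken from the bug report.
GOOD_ID = "8a1f0c2e-5b7d-4c3a-9e21-0f6d2b4a7c11"
CRAFTED_ID = "x; echo SECOND-COMMAND"
```

With the shell, the crafted id produces two lines of output because the shell runs a second command; with the argument list, the same id reaches the child process as one literal argument.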