Insecure tmp file creation in python-muranoclient

Bug #1378172 reported by Kurt Seifried
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Dmytro Dovbii

Bug Description

./python-muranoclient/muranoclient/v1/ archive_name = args.output or tempfile.mktemp(prefix="murano_")

        if args.template:
            directory_path = hot_package.prepare_package(args)
            directory_path = mpl_package.prepare_package(args)

        archive_name = args.output or tempfile.mktemp(prefix="murano_")

        _make_archive(archive_name, directory_path)
        print("Application package is available at " +

this is highly insecure and allows an attacker to modify the contents of the archive, assuming no arg name was passed. This code does not appear to be used, but is still CVE worthy as the code may be used (ref: Exploitation of this vuln would appear to lead to code execution (e.g. modify the archive package which is then used while deploying systems).

Changed in python-muranoclient:
status: New → Confirmed
milestone: none → 0.6.0
importance: Undecided → Medium
Changed in python-muranoclient:
milestone: 0.6.0 → 0.6.1
tags: added: kilo-backport-potential
tags: added: security
Changed in python-muranoclient:
importance: Medium → High
Changed in python-muranoclient:
milestone: → next
Changed in python-muranoclient:
milestone: 0.7.0 → 0.7.1
no longer affects: python-muranoclient/kilo
Changed in python-muranoclient:
milestone: 0.7.1 → 0.8.0
information type: Private Security → Public
information type: Public → Private Security
Changed in python-muranoclient:
assignee: nobody → Dmytro Dovbii (ddovbii)
information type: Private Security → Public Security
Revision history for this message
Jeremy Stanley (fungi) wrote :

The offending code seems to have been replaced months ago as a side effect of (so fixed in 0.6.3), and was originally introduced in 8468a03 which first appeared in the 0.5.3 release.

Changed in python-muranoclient:
status: Confirmed → Fix Committed
Changed in python-muranoclient:
milestone: 0.8.0 → 0.6.3
Changed in python-muranoclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.