OpenStackKeyring's encryption code does not provide confidentiality

python-openstackclient is not an official project nor is it supported by the OpenStack Vulnerability Management Team, so this won't result in a OSSA. This still very much needs to be fixed, though ! (especially as openstackclient would like to become official, and therefore probably supported, one day)

Is anyone presently working on a patch (and if not, do people generally agree with my analysis that this code should just be deleted?); and will a CVE be obtained for this?

Agreed that the correct resolution is to just remove the capability and not set false user expectations.

For what it's worth, I tried to use it at one point and was never able to even get the keyring to work in plaintext mode much less encrypted. If the feature's nonfunctional, then there's probably no need for the python-openstackclient authors to issue an advisory, obtain a CVE or even keep this bug private since it wouldn't be exploitable anyway.

On the basis of this, I've filed a public review to remove the code: https://review.openstack.org/#/c/104344/

I recommend switching the bug to public (not even public security, since there's no vulnerability given that the insecure feature also seems to be entirely nonfunctional).

Reviewed: https://review.openstack.org/104344
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=b8f534df011fd3b16a182d25f627876aeecfee07
Submitter: Jenkins
Branch: master

commit b8f534df011fd3b16a182d25f627876aeecfee07
Author: Alex Gaynor <email address hidden>
Date: Wed Jul 2 14:12:44 2014 -0700

    Remove keyring support from openstackclient

    * The encryption it purports to offer is completely insecure.
    * It also appears to be broken.

    Closes-Bug: #1319381
    Change-Id: Id15ecfbbfd15f142b14c125bfd85afd5032699ac