Several command injection vulnerabilities in guestagent/pkg

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Does user have control over package name ?

In particular, since this code seems designed to run on Trove guests, I'm wondering if this could be used to execute commands somehow on a different guest. I'm not familiar enough with the architecture to know, but running malicious package names causing arbitrary code execution on a guest seems like an interesting vector.

^ Above statement wasn't clear, should have been more like "running these commands for malicious package names".

The commands is a deprecated and should not be used anyway. There are a number of cases there where they are using pexpect too that probably need to be examined.

FWIW both yum and dpkg have pretty good python bindings that might be a safer way of implementing this kind of thing.

I dug into this a bit today. I think the packages exist within the database and AFAICT don't seem to be something that be messed with by a malicious tenant. I am leaning towards a C1 or even D classification [1] for this bug. I suggest we fix this as security hardening and open the report up next Monday unless people find a practical exploit case before then.

1. Our vulnerability taxonomy is available here: https://wiki.openstack.org/wiki/Vulnerability_Management

As Grant mentions, I can confirm that the packages exist as a field in the datastore_versions table, and this can be set only by the Trove Administrator when he is registering a new datastore version with trove (using the trove-manage utility). This is not a user facing field, and cannot be set through an API. Given this mitigation, I agree with opening the report up, and fixing this as part of security hardening. At this point it's likely that this will be tackled sometime during the Liberty time frame in Trove.

Seems squarely within the class D security hardening arena to me, unless there's a reasonable expectation that Trove instances are in some way protected from malicious Trove administrators (which I don't think can be argued).

Ok then. Lets open this up!