[MIR] heat

Bug #1267557 reported by Chuck Short on 2014-01-09
Affects: heat (Ubuntu)    Importance: Medium    Assigned to: Chuck Short

Bug Description

Rationale: A part of the OpenStack specification for trusty.
Security:
    - [0b1458a] [OSSA 2013-034] Heat CFN policy rules not all enforced
      (CVE-2013-6426) LP: 1256049
    - [8283db7] [OSSA 2013-035] Heat ReST API doesn't respect tenant scoping
      (CVE-2013-6428) LP: 1256983
Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple python package that the Ubuntu Server Team will take care of.
Dependencies: All are in main

Michael Terry (mterry) on 2014-01-13
Changed in heat (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
James Page (james-page) on 2014-01-16
Changed in heat (Ubuntu):
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

FYI, python-sendfile also needs a MIR.

Changed in py-sendfile (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Chuck Short (zulcss) wrote :

Sendfile will be dropped in the next upload.

no longer affects: py-sendfile (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

MIR review:
* Does it FTBFS currently? no
* Does it have a test suite? yes, though a handful of tests are skipped in debian/patches/skip-tests.patch
* Does it have a team bug subscriber? yes, ubuntu-server
* If it's a Python package, does it use dh_python? yes
* If it's a Python package going on the desktop CD, will it pull in Python 2? python2, but not desktop
* Does Ubuntu carry a delta? Ubuntu maintains its own OpenStack packages and is ahead of Debian
* Does it have a watch file? yes
* Is its update history slow or sporadic? it is updated with the rest of OpenStack (ie, Ubuntu and OpenStack release schedules are in sync)
* Is the current release packaged? yes
* Will entering main make it harder for the people currently keeping it up to date? no
* Lintian warnings: source and binaries have ignorable lintian issues
* Is debian/rules a mess? modern dh
* Errors/warnings during the build: quite a few DeprecationWarnings, but since this is py2 and there shouldn't be a py2.8, this shouldn't be a problem for maintenance

Would be nice to have a man page for /usr/bin/heat-manage, but this doesn't block the MIR
/etc/heat is 755 with files that may contain passwords. Should this be 0750 instead like with other OpenStack packages?

MIR team conditional ACK provided python-sendfile dependency is removed.

Jamie Strandboge (jdstrand) wrote :

Security review. This is only the highest level review and was not an in depth code audit.

The two CVEs are already fixed in trusty. CVE-2013-6426 was pretty extensive since it had to implement missing policy enforcement in CFN API. CVE-2013-6428 was much more reasonable. High level review shows that heat is supportable for main.

build_userdata() in ./heat/engine/resources/nova_utils.py is supposed to be used by cloud-init and in part sets up a user using something like this in boothook.sh:
useradd -m <instance_user>
echo -e '<instance_user>\tALL=(ALL)\tNOPASSWD: ALL' >> /etc/sudoers

Updating sudoers in this manner is not ideal. Better for Ubuntu systems is to update a file in /etc/sudoers.d/ (which is supported at least as far back as 12.04 LTS). Is heat on Ubuntu supposed to be capable of orchestrating non-Ubuntu servers? If not, should this be updated to use /etc/sudoers.d/heat-instance-user (or similar)?

Changed in heat (Ubuntu):
status: New → Incomplete
assignee: Jamie Strandboge (jdstrand) → Chuck Short (zulcss)
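The /etc/sudoers.d alternative suggested in the review above, written out as an added example. This is not heat's nova_utils.py and not the boothook the project generates; the function names sudoers_append_legacy and sudoers_dropin, the directory parameter (so the functions can be run against a scratch directory) and the user-name whitelist are assumptions made here. The drop-in file name heat-instance-user is the reviewer's suggestion.

```shell
#!/bin/sh
# Added example (not heat's own code). Shows the boothook.sh style quoted
# in the review beside the /etc/sudoers.d drop-in the reviewer suggests.
# Second argument (sudoers file or directory) is a parameter only so the
# functions can be exercised against a scratch tree instead of /etc.

# Style quoted in the review: append straight to /etc/sudoers.
# Nothing validates the result; one malformed line locks every sudo user out.
sudoers_append_legacy() {
    user="$1"; sudoers_file="${2:-/etc/sudoers}"
    printf '%s\tALL=(ALL)\tNOPASSWD: ALL\n' "$user" >> "$sudoers_file"
}

# Suggested style: one drop-in per instance user, mode 0440, syntax-checked
# with visudo when we are root and visudo is present. The temporary name
# contains a '.', which sudo's #includedir handling ignores, so a half-written
# file is never parsed; the rename at the end makes it live atomically.
sudoers_dropin() {
    user="$1"; dir="${2:-/etc/sudoers.d}"
    # Assumed policy: only portable user-name characters; anything else could
    # smuggle sudoers syntax into the rule.
    case "$user" in
        ""|*[!A-Za-z0-9_-]*)
            printf 'refusing unsafe user name: %s\n' "$user" >&2; return 1 ;;
    esac
    f="$dir/heat-instance-user"
    tmp="$f.tmp"
    ( umask 077 && printf '%s\tALL=(ALL)\tNOPASSWD: ALL\n' "$user" > "$tmp" ) || return 1
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$f"
}
```

Run as root on a real system the call is simply `sudoers_dropin ec2-user`; the visudo check only runs as root because visudo -c also verifies that the file is owned by uid 0 and would otherwise reject a scratch copy.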
Jamie Strandboge (jdstrand) wrote :

Actually, this was meant to be in the security team portion of the review:

/etc/heat is 755 with files that may contain passwords. Should this be 0750 instead like with other OpenStack packages?

Jamie Strandboge (jdstrand) wrote :

Chuck and I discussed this on IRC. He is going to fix those issues. Marking as 'In Progress'.

Changed in heat (Ubuntu):
status: Incomplete → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package heat - 2014.1~rc2-0ubuntu3

---------------
heat (2014.1~rc2-0ubuntu3) trusty; urgency=medium

  * debian/heat-common.postinst: Fix failing autopkg test.
 -- Chuck Short <email address hidden> Mon, 14 Apr 2014 13:36:05 -0400

Changed in heat (Ubuntu):
status: In Progress → Fix Released
Dave Walker (davewalker) wrote :

@Jamie, I see Chuck has done an upload supposedly closing this. Can you take another check to see if you are satisfied?

Thanks

Changed in heat (Ubuntu):
status: Fix Released → In Progress
Jamie Strandboge (jdstrand) wrote :

The chmod occurs before the mkdir. I pinged zul in IRC and he said it will be fixed in the next upload.
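The ordering defect mentioned in the comment above, shown as an added example rather than the heat-common.postinst from the package. The function names confdir_broken, confdir_fixed and dir_perms, and the directory, mode and group parameters (so the functions can run against a scratch tree without touching /etc/heat) are assumptions made here.

```shell
#!/bin/sh
# Added example (not the heat package's maintainer script). Demonstrates why
# "chmod before mkdir" fails on a fresh install and the corrected ordering.
# DIR, MODE and GROUP are parameters so this runs against a scratch tree.

# Defective ordering: chmod on a path that does not exist yet fails, and
# because dh-generated maintainer scripts run under 'set -e' the postinst
# aborts right there, leaving the directory uncreated.
confdir_broken() {
    dir="$1"; mode="${2:-0750}"
    chmod "$mode" "$dir" 2>/dev/null && mkdir -p "$dir"
}

# Corrected ordering: create first, restrict second. Group ownership is only
# changed when a group was given and we are root (the package would use its
# service group here); re-running is safe.
confdir_fixed() {
    dir="$1"; mode="${2:-0750}"; group="$3"
    mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    if [ -n "$group" ] && [ "$(id -u)" -eq 0 ]; then
        chgrp "$group" "$dir" || return 1
    fi
}

# Permission string of a directory as ls shows it, e.g. drwxr-x---
dir_perms() {
    ls -ld "$1" | cut -c1-10
}
```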

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package heat - 2014.1-0ubuntu1

---------------
heat (2014.1-0ubuntu1) trusty; urgency=medium

  [ Chuck Short ]
  * New upstream release. (LP: #1299055)
  * debian/heat-common.postinst: Create directory before changing
    permissions. (LP: #1267557)

  [ Corey Bryant ]
  * New upstream release (LP: #1299055).
 -- Chuck Short <email address hidden> Thu, 17 Apr 2014 07:27:41 -0400

Changed in heat (Ubuntu):
status: In Progress → Fix Released