Thanks for your analysis, Jamie. Based on your comments, we will replace
it with netcat if viable.
Thanks!
** Changed in: socat (Ubuntu)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to socat in
I'll answer my own question, from nova/virt/libvirt/connection.py:
    def get_pty_for_instance(instance_name):
        virt_dom = self._lookup_by_name(instance_name)
        xml = virt_dom.XMLDesc(0)
        dom = minidom.parseString(xml)
        for serial in
Security team review:
- handy tool
- lots of overlap with netcat
- code is quite old (first packaged in Debian in 2004), code itself is even
older and uses coding conventions that are not defensive
- spot checking buffers, not a lot of input validation. Many are static
buffers, which if
I should mention that performing input validation on
get_pty_for_instance() and dropping privileges would be enough to
'solve' the immediate issues with nova's use of socat, but the other
suggestions are for future-proofing against the new (and presumably
rapidly changing) nova codebase and for
** Changed in: socat (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => Jamie Strandboge
(jdstrand)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to socat in Ubuntu.
https://bugs.launchpad.net/bugs/829234
Title:
[MIR]
I'm still reviewing this, but there is a lot of overlap between socat
and netcat, and I wonder what specific features of socat are required
over netcat.
** Changed in: socat (Ubuntu)
Assignee: Canonical Security Team (canonical-security) => Ubuntu Security
Team (ubuntu-security)