Based on the above discussion, I'm reclassifying this as "E: not a vulnerability" http://security.openstack.org/vmt-process.html#incident-report-taxonomy but have tagged it "security" since it might present a strengthening opportunity (albeit a very minimal one).
** Information type changed from Private Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1450798

Title:
  Multiple command injection vulns in schema_diff tool

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  These lines in the latest Nova (as of May 1, 2015) are vulnerable to command injection:

  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L86
  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L103
  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L117

  In this case (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L86), if a malicious filename such as "; rm -rf /etc" is provided, the /etc directory will be removed with the privileges of the user running this script.

  In this case (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L103), if either a malicious name or filename is provided, the command will be executed with the privileges of the running user.

  In this case (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L117), if either a malicious name or filename is provided, the command will be executed with the privileges of the running user.

  I'm not familiar enough with the usage of this module to know all of the places these inputs can come from, but presumably it can be used in automation, potentially with elevated privileges.

  I'm sure the idea of this script is to allow certain functionality, not unrestricted commands. The way this has been developed allows unrestricted command execution by tampering with any of the above mentioned inputs.
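The weakness the report describes is a caller-controlled name or filename formatted into a shell command string and run through a shell. The following is an added illustration, not Nova's own code and not the contents of schema_diff.py: the vulnerable string-building pattern beside the hardened form, which passes an argument vector with shell=False, replaces the shell's `>` redirection with a file handle, and allow-lists the database name so it can never start with `-` or carry shell syntax. The `mysqldump` invocation, the sample filenames and the `_DB_NAME_RE` pattern are assumptions made for this example; `show_difference` substitutes the harmless `echo` for the real tool so the behaviour can be observed offline.

```python
"""Shell command strings versus argument vectors.

Added illustration, not Nova's own code: the weakness the report describes
(a caller-controlled name or filename formatted into a shell command string)
next to the hardened form, which passes an argument list with shell=False and
does the output redirection with a file handle instead of a shell '>'.
"""
import re
import subprocess

# Constructed sample inputs. The second carries the kind of shell
# metacharacters the report warns about.
CLEAN_FILENAME = "schema.sql"
TAINTED_FILENAME = "schema.sql; echo INJECTED"

# Hypothetical allow-list for database names: identifiers only, so a name can
# never start with '-' (option injection) or contain shell syntax.
_DB_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def build_shell_string_unsafe(db_name, dump_filename):
    """Vulnerable pattern: string formatting into one shell command.

    Returned rather than executed. Run with shell=True, the ';' inside
    dump_filename ends the first command and the remainder runs as a second.
    """
    return "mysqldump --no-data %s > %s" % (db_name, dump_filename)


def is_valid_db_name(db_name):
    """Allow-list check applied before the name reaches any command line."""
    return bool(_DB_NAME_RE.match(db_name))


def build_argv_safe(db_name):
    """Hardened form: an argv list; each element is one argument, never parsed."""
    if not is_valid_db_name(db_name):
        raise ValueError("refusing database name: %r" % db_name)
    return ["mysqldump", "--no-data", db_name]


def dump_schema_safe(db_name, dump_filename, runner=subprocess.run):
    """Run the dump with no shell; the filename is only ever used as a path."""
    with open(dump_filename, "wb") as out:
        runner(build_argv_safe(db_name), stdout=out, check=True)


def show_difference(filename):
    """Run both forms with the harmless 'echo' in place of mysqldump.

    Returns (shell_lines, argv_lines): with shell=True the tainted filename
    yields two lines because the second command ran; with an argv list the
    whole string is delivered to echo as a single argument.
    """
    shell_out = subprocess.run("echo %s" % filename, shell=True,
                               capture_output=True, text=True).stdout
    argv_out = subprocess.run(["echo", filename],
                              capture_output=True, text=True).stdout
    return shell_out.splitlines(), argv_out.splitlines()


if __name__ == "__main__":
    print("unsafe string:", build_shell_string_unsafe("nova", TAINTED_FILENAME))
    print("safe argv    :", build_argv_safe("nova"))
    shell_lines, argv_lines = show_difference(TAINTED_FILENAME)
    print("shell=True   :", shell_lines)
    print("argv         :", argv_lines)
```

The allow-list on the database name matters even with an argv list: passing arguments as a vector stops shell interpretation, but a name beginning with `-` would still be read by the target program as an option, so the check closes that second path as well.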