Wednesday, 2014-09-24

*** salv-orlando has quit IRC00:16
*** _amrith_ is now known as amrith00:17
*** bpokorny_ has quit IRC00:47
*** amrith is now known as _amrith_00:59
openstackgerritOpenStack Proposal Bot proposed a change to openstack/security-doc: Imported Translations from Transifex
openstackgerritA change was merged to openstack/security-doc: Imported Translations from Transifex
*** modicasio has joined #openstack-security07:43
*** modicasio has quit IRC07:51
*** salv-orlando has joined #openstack-security09:10
*** openstack has joined #openstack-security09:23
*** _amrith_ is now known as amrith12:51
*** deepsa_ has joined #openstack-security12:57
openstackgerritAbu Shohel Ahmed proposed a change to openstack/security-doc: Adds a new OpenStack Security Notes
*** lismore_hp has joined #openstack-security13:24
*** bknudson has joined #openstack-security13:30
*** deepsa_ has quit IRC13:55
*** voodookid has joined #openstack-security14:14
*** edmondsw has joined #openstack-security14:24
openstackgerritNathan Kinder proposed a change to openstack/security-doc: Add OSSN-0024 - Sensitive data exposure in logfiles
*** lismore_hp has quit IRC16:09
openstackgerritNathan Kinder proposed a change to openstack/security-doc: Correct a typo in OSSN-0029
nkinder_tmcpeak: could you give a quick review to ^^^ ?16:26
nkinder_tmcpeak: I'm OK with bypassing the review requirements since this is a typo correction, but I'd like one other +1 at least16:26
nkinder_tmcpeak: once this is corrected, I can publish 002916:30
tmcpeaknkinder_: sure16:31
nkinder_tmcpeak: thanks!16:32
nkinder_I also took a pass of cleaning up some small things in 0024 for Shohel16:32
nkinder_That one is really close.  A review of that would be great.16:32
*** openstackgerrit has quit IRC16:35
*** jamielenz has joined #openstack-security16:53
*** jamielenz is now known as jamielennox16:53
*** openstackgerrit has joined #openstack-security17:24
*** openstackgerrit has quit IRC17:51
*** openstackgerrit has joined #openstack-security17:51
openstackgerritA change was merged to openstack/security-doc: Correct a typo in OSSN-0029
*** edmondsw has quit IRC17:59
*** bpokorny has joined #openstack-security18:08
*** bpokorny has quit IRC18:24
*** bdpayne has joined #openstack-security18:27
bdpayneSo... CVE-2014-6271... good times, eh?18:30
chair6good times!18:31
bdpaynehas anyone considered using bandit to see if any openstack services use an environment variable in an unsafe way (i.e., in a way that would make it vulnerable to this cve)?18:34
bdpaynechair6 and/or tmcpeak ^^18:50
tmcpeaklol yeah, good times18:52
tmcpeakbdpayne: we've been considering such things, but it's pretty difficult to automate the analysis18:53
bdpayneI wonder if we should craft an OSSN on this one18:53
tmcpeakbdpayne: yeah, I'm thinking the same18:53
bdpaynethe thing is, it would be nice to be able to say something meaningful about the vulnerability (or lack thereof) of the openstack services to this18:53
bdpaynewhich is a lot of analysis18:54
bdpaynealthough, something that I suspect people are doing anyway18:54
nkinder_I'm not really sure what we can say without analysis except "upgrade bash"18:54
nkinder_...which falls into underlying system security updates18:54
tmcpeakcouldn't we just say "update bash.  No seriously guys, update it"18:56
*** bpokorny has joined #openstack-security18:57
bdpaynesort of?18:57
bdpayneturns out that some people don't like updating unless they really need to18:57
bdpaynerisk and such18:57
voodookidbdpayne: those same people tend to have non-existant patch testing and deployment processes. Increasing their risk.18:58
bdpaynewell, anyway... if people aren't interested that's fine... just thought I'd check18:59
*** bpokorny_ has joined #openstack-security19:00
*** bpokorny has quit IRC19:02
nkinder_bdpayne: I'm sort of interested, and also sort of don't want to make OSSNs start covering all sorts of underlying system vulnerabilities that may or may not affect OpenStack.19:03
nkinder_bdpayne: it's a fuzzy line for sure19:04
bdpayneI'm viewing this as something being potentially on the level of heartbleed19:04
bdpaynewhich we did issue an OSSN for19:04
bdpaynebut, it is also true that we aren't a distro19:05
tmcpeakbdpayne, nkinder: yeah I agree.  I'm seeing it on the same sort of level as heartbleed19:06
nkinder_bdpayne: Yeah.  If someone wants to write up an OSSN for this, I'm not going to stand in it's way. :)19:06
tmcpeakI'd for sure do it, but I'm going away for a couple of weeks19:16
tmcpeakyou'll have to carry on without me19:16
nkinder_tmcpeak: ah, is it that time?19:20
tmcpeaknkinder_: it is!19:20
nkinder_tmcpeak: awesome.  Early congrats!19:23
tmcpeaknkinder_: thank you sir :)19:23
bknudsonbdpayne: so I don't think openstack does anything that would expose the bash issue...19:38
bknudsonI think it would require taking user input and sticking it into an env var and then execing bash with it19:38
bdpaynebknudson, you may be right... I'm exploring it now19:38
bdpaynebknudson that would be one way19:38
bdpayneI don't think you'd need to exec bash explicitly though19:39
bknudsonif the error is in bash, then you'd have to get bash involved somehow19:40
bdpaynewe're exploring the extent of this now19:41
*** openstackgerrit has quit IRC19:46
*** openstackgerrit has joined #openstack-security19:47
*** bpokorny has joined #openstack-security20:00
*** bpokorny_ has quit IRC20:03
*** paulmo has quit IRC20:53
*** bpokorny_ has joined #openstack-security20:57
*** bpokorny has quit IRC21:00
*** tmcpeak has quit IRC21:29
nkinder_fyi, OSSN-0029 made it through review without a +1 from a neutron core -
nkinder_we need to be careful of that22:09
nkinder_the note is technically correct AFAIK, but it fails to mention that FWaaS is still "experimental", which would have been nice to point out22:10
*** salv-orlando_ has joined #openstack-security22:32
*** salv-orlando has quit IRC22:35
*** salv-orlando_ is now known as salv-orlando22:35
*** bknudson has quit IRC22:36
*** openstackgerrit has quit IRC22:47
*** openstackgerrit_ has joined #openstack-security22:47
*** openstackgerrit_ is now known as openstackgerrit22:48
chair6bdpayne - did you come up with anything at the openstack level?22:56
chair6i've got a bandit test now that flags usage of Popen and equivalent functions with the 'env' arg22:57
chair6not sure that could even be an exploitable angle but figured it could be interesting..22:57
bdpaynechair6 the openstack pieces I looked at actually looked good23:01
bdpayneand, perhaps more to the point, I learned today that Debian-based systems are using dash as the default shell23:01
bdpaynewhich helps quite a bit too23:01
chair6heh, yep23:07
*** voodookid has quit IRC23:09
chair6well across all of barbican,cinder,glance,heat,horizon,ironic,keystone,keystonemiddleware,neutron,nova,swift,trove23:10
chair6codebases, i only see three instances where a Popen call is passed a named 'env' argument23:10
chair6one of those the arg is populated from os.environ.copy()23:13
chair6two of them are helper functions, so i gotta go look for usage of that helper function23:13
bdpaynecool, that's nice to hear chair623:29
chair6turns out it wasn't a full picture, due to xargs splitting output23:34
chair6revised numbers - 8 helper functions that call Popen with an env var, so need to track those backwards23:35
chair61 other fn where the arg is populated straight from os.environ.copy(), and 1 (a selenium driver) where env is passed but does not appear to be open to include user input23:36
*** bknudson has joined #openstack-security23:36
*** bknudson has quit IRC23:36
chair6not seeing any glaringly obvious holes where user input might make its way to an evironment variable and to bash though23:37
*** paulmo has joined #openstack-security23:37
*** bknudson has joined #openstack-security23:39
*** amrith is now known as _amrith_23:41
*** openstack has joined #openstack-security23:56
*** bknudson has quit IRC23:56
*** bknudson has joined #openstack-security23:58

Generated by 2.14.0 by Marius Gedminas - find it at!