Friday, 2023-04-14

07:55 <SvenKieske> hey there, I did reanalyze https://bugs.launchpad.net/kolla/+bug/1990432 which is CVE-2007-4559, and I think the fixes in openstack are incomplete as they only protect against relative path attacks, not symlink attacks. however, why I'm writing here is that it's unclear if there is even a trust boundary crossed, and afaik this affects multiple openstack projects.
07:56 <SvenKieske> so I'd like to hand this off here, as I really don't want to debate trust boundaries in multiple openstack projects. a fix would be to use os.path.realpath instead of os.path.abspath. but I put a relatively detailed description of the issue in the bug report, so feel free to reply/read there for all the details.
07:58 <SvenKieske> so the kolla stance is that you should not use untrusted tar files, which I tend to agree with, but I don't know where else in openstack similar code is used to maybe use untrusted tar files. there seems to be no tracking bug for CVE-2007-4559 across openstack projects? anyway, I'm not spending more time on this, except to answer any questions.
08:16 <SvenKieske> also I always have a feeling some user _will_ use untrusted tar files, no matter what the docs say, so it might still be good to patch this as a hardening option.
12:14 <fungi> SvenKieske: https://codesearch.opendev.org/ is a quick way to keyword search in all the projects hosted in openstack, though i think clarkb did that already when he opened bugs like 1990432, so he may have some additional suggestions. for projects like kolla it's best to take it up with the project maintainers, though if you have confirmed exploitable conditions in (non-test-specific
12:14 <fungi> codepaths for) any of the repositories listed at https://security.openstack.org/repos-overseen.html i'm happy to help coordinate those as part of the vulnerability management team
12:16 <fungi> though i've been travelling on vacation all this week, so won't be able to give things a proper look until next week