Bug 1410293 (CVE-2016-9590)

Summary: CVE-2016-9590 puppet-swift: installs config file with world readable permissions
Product: [Other] Security Response Reporter: Summer Long <slong>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akarlsso, aortega, apevec, aschultz, ayoung, carnil, chrisw, cvsbot-xmlrpc, emacchi, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, rbryant, sclewis, security-response-team, slinaber, slong, srevivo, tdecacqu, tvignaud
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: puppet-swift 8.2.1, puppet-swift 9.4.4 Doc Type: If docs needed, set a value
Doc Text:
An information-disclosure flaw was discovered in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-01 23:55:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1410298, 1410299, 1412837, 1412844, 1412845    
Bug Blocks: 1405284    
Attachments:
Description Flags
CVE-2016-9590 patch for puppet-swift none

Description Summer Long 2017-01-05 02:21:39 UTC 
The openstack-swift package itself installs the file with the correct permissions, however a puppet script that runs as part of the install incorrectly removes and recreates the file with world-readable permissions.
Comment 2 Summer Long 2017-01-11 23:44:01 UTC 
Acknowledgments:

Name: Hans Feldt (Ericsson)
Comment 4 Alex Schultz 2017-01-12 16:18:30 UTC 
Created attachment 1240008 [details]
CVE-2016-9590 patch for puppet-swift
Comment 6 Alex Schultz 2017-01-12 17:25:10 UTC 
It should be noted that openstack-11 is not affected as upstream landed a change[0] in how these configuration files are updated.  That being said, OSP8,OSP9 are affected via openstack-puppet-modules[1][2]. OSP7 should not be affected as it still had the permissions[3]

[0] https://review.openstack.org/#/c/378950/
[1] https://github.com/redhat-openstack/openstack-puppet-modules/blob/stable/mitaka/swift/manifests/proxy.pp#L182-L186
[2] https://github.com/redhat-openstack/openstack-puppet-modules/blob/stable/liberty/swift/manifests/proxy.pp#L184-L188
[3] https://github.com/redhat-openstack/openstack-puppet-modules/blob/stable/kilo/swift/manifests/proxy.pp#L176-L181
Comment 7 Summer Long 2017-01-12 22:56:00 UTC 
Created puppet-swift tracking bugs for this issue:

Affects: openstack-rdo [bug 1412837]
Comment 10 errata-xmlrpc 2017-01-26 16:42:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:0200 https://rhn.redhat.com/errata/RHSA-2017-0200.html
Comment 11 errata-xmlrpc 2017-03-01 13:34:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2017:0361 https://rhn.redhat.com/errata/RHSA-2017-0361.html
Comment 12 errata-xmlrpc 2017-03-01 13:34:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:0359 https://rhn.redhat.com/errata/RHSA-2017-0359.html