Bug 1422281

Summary: CVE-2017-2627 openstack-tripleo-common: sudoers file is too permissive [openstack-rdo]
Product: [Community] RDO Reporter: Garth Mollett <gmollett>
Component: openstack-tripleoAssignee: James Slagle <jslagle>
Status: CLOSED EOL QA Contact: Shai Revivo <srevivo>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, chris.brown, chrisw, cvsbot-xmlrpc, gmollett, jjoyce, jschluet, lhh, lpeer, markmc, rbryant, sclewis, srevivo, tdecacqu
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: trunk   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-18 19:27:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1421917    

Description Garth Mollett 2017-02-14 23:47:42 UTC 
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next
comment(s).  This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Comment 1 Christopher Brown 2017-08-14 11:35:38 UTC 
Whats the status of this please?

The launchpad bug link in the linked bug isn't correct I think.
Comment 2 Garth Mollett 2017-08-15 06:28:53 UTC 
(In reply to Christopher Brown from comment #1)
> Whats the status of this please?
> 
> The launchpad bug link in the linked bug isn't correct I think.

There has been a couple of proposed fixes in the form of changes to the sudoers file but they have had issues. My understanding is the current plan is to change the code to use rootwrap or privsep rather than having complex sudoers file.

I believe the launchpad link is correct, but it shows a 404 page because it's set to private (I can't view it either).

Sorry I don't have more information, but I am just the reporter. I don't actually work on this code.