Bug 908101 (CVE-2013-0261)

Summary: CVE-2013-0261 OpenStack packstack: insecure use of /tmp in manifest creation
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aortega, apevec, bloch, cpelland, derekh, jkt, markmc, rbryant, rhos-maint
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-08-09 04:31:14 UTC
Bug Depends On: 908102, 908103

Description Kurt Seifried 2013-02-05 21:41:30 UTC
Kurt Seifried of Red Hat reports:

./packstack/installer/basedefs.py
============
VAR_DIR = os.path.join("/var/tmp/packstack",
                       datetime.datetime.now().strftime('%Y%m%d-%H%M'))
DIR_LOG = VAR_DIR
PUPPET_MANIFEST_DIR = os.path.join(VAR_DIR, "manifests")
============


./packstack/modules/ospluginutils.py
============
def appendManifestFile(manifest_name, data, marker=''):
    if not os.path.exists(basedefs.PUPPET_MANIFEST_DIR):
        os.mkdir(basedefs.PUPPET_MANIFEST_DIR)
    manifestfile = os.path.join(basedefs.PUPPET_MANIFEST_DIR,
                                manifest_name)
    manifestfiles.addFile(manifestfile, marker)
    with open(manifestfile, 'a') as fp:
        fp.write("\n")
        fp.write(data)
============

So we have several failures here:

1) not setting safe permissions (we don't set permissions/use
os.umask/etc.), which means attackers can read the data, possibly
modify it/etc.

2) not creating directories safely; there is a potential gap between
"if not os.path.exists" and the "os.mkdir", amongst other problems

This can be used to modify manifest files at creation time for example.
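
The following is an added illustration of how the two quoted snippets can be written so that the permission and directory-creation problems listed above do not arise. It is not packstack's own code or the fix shipped in the erratum; the function names, the default base directory, the mode checks and the sandbox used by demo() are assumptions made for the example. It closes the three gaps in the report: the umask is forced to 0077, the per-run directory is created atomically with an unpredictable name by mkdtemp() instead of a guessable timestamp after an exists()/mkdir() pair, and manifest files are opened by descriptor with O_NOFOLLOW and mode 0600 so a planted symlink or a pre-created world-readable file is an error rather than a write to wherever it points.

```python
import os
import stat
import tempfile

# Added example: a hardened rewrite of the two packstack snippets quoted in
# the report. Not packstack's own fix; names, default base directory and the
# ownership/mode checks are assumptions for illustration.


def create_private_var_dir(base="/var/tmp/packstack"):
    """Create a private per-run working directory under a shared tmp tree.

    * umask 0077 while we work, so nothing created here is group/world readable
    * the parent must be a real directory (lstat, so a symlink is rejected),
      owned by us, with no group/other bits; this catches a parent that
      another user pre-created in the shared /var/tmp
    * mkdtemp() creates the run directory atomically with mode 0700 and an
      unpredictable name, so there is no exists()/mkdir() window to race
    """
    old_umask = os.umask(0o077)
    try:
        os.makedirs(base, mode=0o700, exist_ok=True)
        st = os.lstat(base)
        if not stat.S_ISDIR(st.st_mode):
            raise RuntimeError("%s is not a directory (symlink?)" % base)
        if st.st_uid != os.getuid() or (st.st_mode & 0o077):
            raise RuntimeError("%s is not a private directory we own" % base)
        return tempfile.mkdtemp(prefix="run-", dir=base)
    finally:
        os.umask(old_umask)


def append_manifest_file(manifest_dir, manifest_name, data):
    """Append data to a manifest without following symlinks or leaking it.

    The name must be a plain file name (no path components), and the file is
    opened by descriptor with O_NOFOLLOW and mode 0600: a symlink planted at
    that name raises OSError instead of being written through.
    """
    if not manifest_name or os.path.basename(manifest_name) != manifest_name:
        raise ValueError("manifest name must be a plain file name")
    path = os.path.join(manifest_dir, manifest_name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "a") as fp:
        fp.write("\n")
        fp.write(data)
    return path


def demo(base=None):
    """Exercise both helpers in a constructed sandbox and report the results."""
    if base is None:
        # constructed sandbox base so the example never touches /var/tmp
        base = os.path.join(tempfile.mkdtemp(prefix="cve-2013-0261-"), "packstack")
    run_dir = create_private_var_dir(base)
    # inside a 0700 directory we own, a plain mkdir cannot be raced by others
    manifest_dir = os.path.join(run_dir, "manifests")
    os.mkdir(manifest_dir, 0o700)

    path = append_manifest_file(manifest_dir, "example.pp", "class { 'example': }\n")
    with open(path) as fp:
        content = fp.read()

    try:  # a traversal attempt in the name must be refused
        append_manifest_file(manifest_dir, "../outside.pp", "x")
        rejected_traversal = False
    except ValueError:
        rejected_traversal = True

    # a symlink planted at the manifest name must not be followed
    os.symlink(os.path.join(base, "victim"), os.path.join(manifest_dir, "link.pp"))
    try:
        append_manifest_file(manifest_dir, "link.pp", "x")
        rejected_symlink = False
    except OSError:
        rejected_symlink = True

    return {
        "run_dir_mode": stat.S_IMODE(os.stat(run_dir).st_mode),
        "manifest_dir_mode": stat.S_IMODE(os.stat(manifest_dir).st_mode),
        "file_mode": stat.S_IMODE(os.stat(path).st_mode),
        "content": content,
        "rejected_traversal": rejected_traversal,
        "rejected_symlink": rejected_symlink,
    }


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-20s %s" % (key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value))
```

Running the module prints the modes and check results for a throwaway base directory; pass a real base to demo() only on a host where you own that path. The ownership and mode checks on the parent are the part the original code lacks entirely: creating the per-run directory safely is pointless if an attacker was able to pre-create a world-writable /var/tmp/packstack beforehand.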

Comment 3 Murray McAllister 2013-02-22 03:24:17 UTC
Acknowledgements:

This issue was discovered by Kurt Seifried of the Red Hat Security Response Team.

Comment 4 errata-xmlrpc 2013-03-05 21:03:24 UTC
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0595 https://rhn.redhat.com/errata/RHSA-2013-0595.html