Bug 917904 (CVE-2013-1815)

Summary: CVE-2013-1815 OpenStack packstack: answerfile creation permissions issue
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aortega, apevec, cpelland, derekh, jlieskov, markmc, mmagr, rbryant, security-response-team, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130226,reported=20130303,source=redhat,cvss2=4.4/AV:L/AC:M/Au:N/C:P/I:P/A:P,openstack-2.1/openstack-packstack=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-08 13:53:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 917905
Bug Blocks: 917906

Description Kurt Seifried 2013-03-05 00:03:59 EST
Derek Higgins (derekh@redhat.com) of Red Hat reports:

packstack creates an answerfile containing configuration details for an 
openstack deployment. But after a recent comment in 
https://bugzilla.redhat.com/show_bug.cgi?id=906410 comment 4, I 
reviewed the code on how it is generated.

The file was being opened, written to and then the mode was being changed to 
600:

https://github.com/stackforge/packstack/blob/07a7897038bee143630fd84e95b3a4f5c89a5b47/packstack/installer/run_setup.py

def generateAnswerFile(outputFile, overrides={}):
    sep = os.linesep
    fmt = ("%(comment)s%(separator)s%(conf_name)s=%(default_value)s"
           "%(separator)s")
    outputFile = os.path.expanduser(outputFile)
    with open(outputFile, "w") as ans_file:
...
    os.chmod(outputFile, 0600)

and the answer path is provided by:

def _getanswerfilepath():
    path = None
    msg = "Could not find a suitable path on which to create the answerfile"

    # We'll use the first path with
    # write permissions. Order matters.
    for p in ["./", "~/", "/tmp"]:
        if os.access(p, os.W_OK):
            path = os.path.abspath(

The current directory "./" may be accessible to an attacker, and "/tmp" is 
definitely accessible to attackers. The file permissions should also be set
securely prior to placing the information in it.
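The two patterns side by side, as an added example that is not packstack's code and not part of this report: the write-then-chmod sequence quoted above (secrets are on disk at the umask default before chmod runs) beside the hardened form, where 0600 is applied at creation and O_EXCL refuses a pre-existing file in a shared directory such as /tmp. The CONFIG_EXAMPLE_PW key and its value are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed sample content; the key name is a placeholder, not a real packstack option.
SAMPLE_CONFIG = {"CONFIG_EXAMPLE_PW": "example-secret"}


def write_then_chmod(path, config):
    """The pattern from the report: open, write, then chmod 0600.
    Returns the mode the file had while the secrets were already on disk."""
    with open(path, "w") as f:
        for name, value in config.items():
            f.write("%s=%s\n" % (name, value))
        f.flush()
        mode_during_write = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o600)  # too late: the window above is umask-dependent
    return mode_during_write


def create_private_then_write(path, config):
    """Hardened pattern: mode 0600 is set atomically at creation, and
    O_EXCL fails instead of reusing a file someone else placed there."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        for name, value in config.items():
            f.write("%s=%s\n" % (name, value))
        f.flush()
        mode_during_write = stat.S_IMODE(os.stat(path).st_mode)
    return mode_during_write


def demo(umask=0o022):
    """Run both patterns in a private temp directory under the given umask
    and report the modes observed while the secrets were on disk."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            insecure = os.path.join(d, "answers-insecure.txt")
            secure = os.path.join(d, "answers-secure.txt")
            r = {"insecure_during_write": write_then_chmod(insecure, SAMPLE_CONFIG)}
            r["insecure_final"] = stat.S_IMODE(os.stat(insecure).st_mode)
            r["secure_during_write"] = create_private_then_write(secure, SAMPLE_CONFIG)
            try:  # second creation on the same path must be refused
                create_private_then_write(secure, SAMPLE_CONFIG)
                r["exclusive_create_refused"] = False
            except FileExistsError:
                r["exclusive_create_refused"] = True
            return r
    finally:
        os.umask(old)
```

With the common umask 022 the insecure variant is 0644 (world-readable) during the write and only 0600 afterwards, while the hardened variant is 0600 throughout.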
Comment 2 Derek Higgins 2013-03-05 04:24:54 EST
Fix merged upstream 
https://review.openstack.org/#/c/22986/
Comment 3 Murray McAllister 2013-03-19 00:50:43 EDT
Acknowledgements:

This issue was discovered by Derek Higgins of the Red Hat OpenStack team.
Comment 4 errata-xmlrpc 2013-03-21 14:24:25 EDT
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0671 https://rhn.redhat.com/errata/RHSA-2013-0671.html