Bug 1216073 - CVE-2015-3156 openstack-trove: multiple insecure /tmp file usage issues
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All Linux
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20141222,reported=2...
Keywords: Security
Depends On: 1247447 1247448
Blocks: 1216080
Reported: 2015-04-28 08:51 EDT by Vasyl Kaigorodov
Modified: 2016-04-26 10:12 EDT
Last Closed: 2015-07-27 23:12:27 EDT
Doc Type: Bug Fix
Attachments: None
Description Vasyl Kaigorodov 2015-04-28 08:51:03 EDT
Michael Scherer of Red Hat reported multiple issues in OpenStack Trove where temporary files are used in an insecure way in different modules:

  trove: MongoDB datastore module in guestagent insecure /tmp file usage in _write_config()
  https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/mongodb/service.py#L176

  trove: PostgreSQL datastore module in guestagent insecure /tmp file usage in reset_configuration()
  https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/postgresql/service/config.py#L70

  trove: Redis datastore module in guestagent insecure /tmp file usage in write_config()
  https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/redis/service.py#L236

  trove: MySQL datastore module in guestagent insecure /tmp file usage in _write_mycnf()
  https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/mysql/service.py#L790

  trove: MySQL restore strategy in guestagent insecure /tmp file usage in InnoBackupEx::_run_prepare()
  https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/restore/mysql_impl.py#L194

  trove: MySQL backup strategy in guestagent insecure /tmp file usage in InnoBackupEx::cmd()
  https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/mysql_impl.py#L55

  trove: MySQL backup strategy in guestagent insecure /tmp file usage in MySQLDump::cmd()
  https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/mysql_impl.py#L36

  trove: MySQL backup strategy in guestagent insecure /tmp file usage in InnoBackupExIncremental::cmd()
  https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/mysql_impl.py#L110

  trove: Cassandra datastore module insecure /tmp file usage in _get_actual_db_status()
  https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/cassandra/system.py#L33
  https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/cassandra/service.py#L230

  trove: Couchbase backup strategy insecure /tmp file usage in multiple class CbBackup methods
  https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/experimental/couchbase_impl.py#L30
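The pattern behind these reports, shown as an added example that is not Trove's code: a config file staged at a fixed, predictable path under /tmp (the class of defect listed above) next to a hardened writer that uses an unpredictable, exclusively created 0600 file in the destination directory. Function names, the `tmp_dir` parameter and the sample config contents are constructed for illustration.

```python
import os
import tempfile


def write_config_insecure(contents: str, name: str, tmp_dir: str = "/tmp") -> str:
    """Constructed illustration of the insecure pattern (not Trove's code).

    The path is predictable, open() follows whatever already sits there
    (e.g. a symlink planted by another local user), and the mode is
    whatever the umask allows, typically world-readable.
    """
    path = os.path.join(tmp_dir, name)
    with open(path, "w") as fh:
        fh.write(contents)
    return path


def write_config_secure(contents: str, dest_path: str) -> str:
    """Hardened form: mkstemp() opens with O_CREAT|O_EXCL and mode 0600,
    so a pre-planted file or symlink makes the open fail instead of being
    followed. Staging in the destination directory keeps os.replace()
    atomic (same filesystem) and leaves nothing behind in /tmp."""
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".cfg-", dir=dest_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(contents)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp_path, dest_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return dest_path


def file_mode(path: str) -> int:
    """Permission bits only, for checking the 0600 guarantee."""
    return os.stat(path).st_mode & 0o777


def demo() -> dict:
    """Run both writers in a private scratch directory and report the
    properties a reviewer would check: mode, contents, leftovers, path."""
    scratch = tempfile.mkdtemp()
    dest = os.path.join(scratch, "my.cnf")
    write_config_secure("[mysqld]\nport=3306\n", dest)
    insecure = write_config_insecure("port 6379\n", "redis.conf", tmp_dir=scratch)
    with open(dest) as fh:
        secure_contents = fh.read()
    return {
        "secure_mode": file_mode(dest),
        "secure_contents": secure_contents,
        "leftovers": sorted(os.listdir(scratch)),
        "insecure_path": insecure,
    }
```

The insecure writer is run in a scratch directory here only so the contrast is visible; the point is that its path is predictable and its mode is umask-dependent, while the hardened writer's result is 0600 with no stray temp file.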
Comment 1 Vasyl Kaigorodov 2015-04-30 10:54:54 EDT
Upstream does not consider this as a security issue, from https://bugs.launchpad.net/trove/+bug/1398195 :

Due to the need for access to the instance filesystem and the limited exposure (basically anyone with shell access to a Trove instance is going to be the administrator of the infrastructure on which it's running) along with the fact that it's only slated to be fixed in the master branch for inclusion in the upcoming Kilo release, the VMT will not be publishing a security advisory nor requesting a CVE for this bug.
Comment 3 Garth Mollett 2015-07-27 23:11:47 EDT
Created openstack-trove tracking bugs for this issue:

Affects: fedora-all [bug 1247447]
Affects: openstack-rdo [bug 1247448]
