Kurt Seifried of Red Hat reports:

./packstack/installer/basedefs.py
============
VAR_DIR = os.path.join("/var/tmp/packstack", datetime.datetime.now().strftime('%Y%m%d-%H%M'))
DIR_LOG = VAR_DIR
PUPPET_MANIFEST_DIR = os.path.join(VAR_DIR, "manifests")
============

./packstack/modules/ospluginutils.py
============
def appendManifestFile(manifest_name, data, marker=''):
    if not os.path.exists(basedefs.PUPPET_MANIFEST_DIR):
        os.mkdir(basedefs.PUPPET_MANIFEST_DIR)
    manifestfile = os.path.join(basedefs.PUPPET_MANIFEST_DIR, manifest_name)
    manifestfiles.addFile(manifestfile, marker)
    with open(manifestfile, 'a') as fp:
        fp.write("\n")
        fp.write(data)
============

So we have several failures here:

1) not setting safe permissions (we don't set permissions/use os.umask/etc.) which means attackers can read the data, possibly modify it/etc.

2) not creating directories safely, there is a potential gap between "if not os.path.exists" and the "os.mkdir" amongst other problems

This can be used to modify manifest files at creation time for example.

Acknowledgements: This issue was discovered by Kurt Seifried of the Red Hat Security Response Team.

This issue has been addressed in the following products:

OpenStack Folsom for RHEL 6

Via RHSA-2013:0595 https://rhn.redhat.com/errata/RHSA-2013-0595.html
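
One way to close both failures named in the report, as an added example (not Packstack's code and not the fix shipped in the erratum): create the directory atomically with a restrictive mode, verify anything that already exists, and open the manifest without following symlinks. The names safe_mkdir and append_manifest are hypothetical.

```python
import os
import stat
import tempfile

def safe_mkdir(path):
    """Create path with mode 0700, or accept an existing one only if it is ours."""
    try:
        os.mkdir(path, 0o700)      # atomic create; no exists()/mkdir() window
    except FileExistsError:
        pass                       # something is already there: inspect it below
    st = os.lstat(path)            # lstat so a planted symlink is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a real directory" % path)
    if st.st_uid != os.geteuid() or stat.S_IMODE(st.st_mode) & 0o077:
        raise RuntimeError("%s has an unexpected owner or mode" % path)

def append_manifest(manifest_dir, manifest_name, data):
    """Append data to a manifest that only the current user can read or write."""
    safe_mkdir(manifest_dir)
    path = os.path.join(manifest_dir, manifest_name)
    # O_NOFOLLOW refuses a symlink in the final component; 0o600 keeps others out.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "a") as fp:
        fp.write("\n")
        fp.write(data)
    return path

if __name__ == "__main__":
    # Constructed demo: a private temp directory stands in for
    # /var/tmp/packstack/<timestamp>.
    var_dir = tempfile.mkdtemp(prefix="packstack-demo-")
    written = append_manifest(os.path.join(var_dir, "manifests"),
                              "example.pp", "notify { 'constructed sample': }")
    print(written, oct(stat.S_IMODE(os.stat(written).st_mode)))
```

The same check belongs on every level created under /var/tmp (the packstack directory and the timestamped one), since another local user can pre-create any of them.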