oss-sec mailing list archives
Re: TMP flaw in rackspace jclouds?
From: Ignasi Barrera <nacx () apache org>
Date: Thu, 19 Jun 2014 09:32:25 +0200
Take into account that the "statement" list will be rendered to a String, composed with other script fragments into a final bash script, uploaded to a node, and executed there locally as a bash script. That code won't be executed in the machine running jclouds, but as a bash script in the provisioned node, so the name of the temporal directory should better be generated in the script itself. A good approach would be to directly use the "mktemp"command. El 19/06/2014 06:36, "Andrew Gaul" <gaul () apache org> escribió:
Kurt, thank you for bringing this flaw to my attention and I will address it tomorrow. I do not have a security background; can you estimate the severity and whether we can continue discussion on the public bug tracker? For now I have bcc the Apache jclouds private mailing list. Also note that jclouds is an Apache project not a Rackspace project and the canonical URLs are: https://github.com/jclouds/jclouds https://issues.apache.org/jira/browse/JCLOUDS On Wed, Jun 18, 2014 at 08:52:59PM -0600, Kurt Seifried wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 https://github.com/rackspace/jclouds/ So CC'ing Andrew, he's a consistent contributor, I can't file an issue in Github (no link to it) so posting here and CC'ing him.https://github.com/rackspace/jclouds/blob/master/scriptbuilder/src/main/java/org/jclouds/scriptbuilder/domain/Statements.javapublic static Statement extractTargzAndFlattenIntoDirectory(URI tgz, String dest) { return new StatementList(ImmutableSet.<Statement> builder() .add(exec("mkdir /tmp/$$")) .add(extractTargzIntoDirectory(tgz, "/tmp/$$")) .add(exec("mkdir -p " + dest)) .add(exec("mv /tmp/$$/*/* " + dest)) .add(exec("rm -rf /tmp/$$")).build()); } This is insecure, $$ == PID == predictable http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/ use java.io.File.createTempFile() ? some interesting info athttp://www.veracode.com/blog/2009/01/how-boring-flaws-become-interesting/for directories there is a helpful posting athttp://stackoverflow.com/questions/617414/create-a-temporary-directory-in-javaThanks. - -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTolCLAAoJEBYNRVNeJnmTrVYQAJ5glkD/0Ha5+F99Qj9ioNmm ZnO4G6TqKctfiqW/X02wMocKLMRV8q5WI/nvs71hCoK5HaVmbtNrV71wE0omHLjB smzFz6d8qZaTcOHdvgbSlWEGPjcVnESo0F3K0vgK2L/LtB5mgny6pHDn+c/cqrgt Er4n+U3oXlkon/ksW+drWpKOpmGOhn7c4fbE45ci6KnzDbbGpGHF0fZL3lSEfJR0 0D/HQzKIAJpI7VvZU8+/d/MHasndgJoAHmUCkTBYU55Vf5eYsm+xWZ1Mt46IyAap crMTCHHE1GVUAexYbMxy+lohHbpl+pB/d////LzesJjByRSv87r+1oLhdwank3P9 Fz1h3sq57JyLFQIcpm4TS7xh3TaByFGCiA5G/mR+CkuS6sZEapSkviu/x7ygmOdG cJKM+5CogeE1P1PWsoQ41JcSwfuWAfc5IODvkjLb3MfyoXJRaKcBVdVcdHBUK4BA 7xcD9SbDsujxHOJLknFaO22uTtlrDS4yXJaNal6L9P7DCsSSrxG1PmmE+t5qrtYw HQoz+RuOMhY/2FWJqOxa7ru99rIQmxxpWgoknUlT+yYJRfoub0kpibyJLBLy2SEx xmdqe/i9nHCsGAworK4bEL2vLvsNBiJgdSHlzg7E5POI1tbveE12fIUmSgrgV+zO WjPZ/O4oOj0FVWoeyQUN =SUf5 -----END PGP SIGNATURE------- Andrew Gaul http://gaul.org/
Current thread:
- TMP flaw in rackspace jclouds? Kurt Seifried (Jun 18)
- Re: TMP flaw in rackspace jclouds? Alex Gaynor (Jun 18)
- Re: TMP flaw in rackspace jclouds? Andrew Gaul (Jun 18)
- Re: Re: TMP flaw in rackspace jclouds? Kurt Seifried (Jun 18)
- Re: TMP flaw in rackspace jclouds? Ignasi Barrera (Jun 19)
- Re: TMP flaw in rackspace jclouds? Andrew Gaul (Jun 19)
- Re: TMP flaw in rackspace jclouds? Ignasi Barrera (Jun 20)
- Re: TMP flaw in rackspace jclouds? Ignasi Barrera (Jun 20)
- Re: TMP flaw in rackspace jclouds? Andrew Gaul (Jun 23)