openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues


Debian Bug report logs - #787654


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 3 Jun 2015 20:21:02 UTC

Severity: normal

Tags: security, upstream

Found in version openstack-trove/2015.1.0-1

Done: Thomas Goirand <thomas@goirand.fr>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#787654; Package src:openstack-trove. (Wed, 03 Jun 2015 20:21:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 03 Jun 2015 20:21:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
Date: Wed, 03 Jun 2015 22:17:18 +0200
Source: openstack-trove
Version: 2015.1.0-1
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for openstack-trove.

CVE-2015-3156[0]:
multiple insecure /tmp file usage issues

More information can be found in the Red Hat bugzilla[1], but at the
time of writing this bug report there are no upstream patches (since
upstream seems to disagree with downstreams).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3156
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1216073
[2] https://bugzilla.novell.com/show_bug.cgi?id=929535
[3] http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3156.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
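The defect class the CVE title names, shown as an added example (my code, not Trove's and not any patch from this thread): a predictable temp-file name opened with plain open() beside two hardened forms, exercised in a constructed scratch directory. The name guest-agent.tmp is a hypothetical placeholder, not a path from Trove.

```python
import os
import stat
import tempfile

def insecure_write(path, data):
    # Pattern behind CVE-2015-3156: a fixed, predictable name in a shared
    # directory opened with plain open(), which follows whatever another
    # local user already placed at that name (e.g. a symlink).
    with open(path, "w") as fh:
        fh.write(data)
    return path

def exclusive_write(path, data):
    # Hardened form when the name must stay fixed: O_CREAT|O_EXCL fails if
    # anything already exists at the path (symlinks included) and 0600
    # keeps other local users from reading the content.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def private_tempfile_write(directory, prefix, data):
    # Preferred form: mkstemp picks an unpredictable name and creates it
    # exclusively with mode 0600 in a single step.
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def demo():
    # Constructed scenario in a private scratch directory: a symlink bearing
    # the predictable temp-file name (hypothetical) already points elsewhere.
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "target")
        predictable = os.path.join(scratch, "guest-agent.tmp")
        with open(target, "w") as fh:
            fh.write("original")
        os.symlink(target, predictable)
        insecure_write(predictable, "clobbered")
        with open(target) as fh:
            after_insecure = fh.read()   # link was followed: "clobbered"
        with open(target, "w") as fh:
            fh.write("original")
        try:
            exclusive_write(predictable, "clobbered")
            refused = False
        except OSError:                  # EEXIST: pre-placed entry rejected
            refused = True
        with open(target) as fh:
            after_exclusive = fh.read()  # untouched: "original"
        safe = private_tempfile_write(scratch, "guest-agent-", "content")
        mode = stat.S_IMODE(os.stat(safe).st_mode)
        return after_insecure, refused, after_exclusive, mode
```

A code-review check for this class is to grep for string literals beginning with "/tmp/" that reach open(); any hit not created via mkstemp or O_EXCL is a candidate for the same fix.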



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#787654; Package src:openstack-trove. (Wed, 03 Jun 2015 20:27:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 03 Jun 2015 20:27:12 GMT)


Message #10 received at 787654@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 787654@bugs.debian.org
Subject: Re: Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
Date: Wed, 3 Jun 2015 22:25:16 +0200
Hi,

Note that this at least seems partially addressed, namely in the
Cassandra part. I have not checked all remaining occurrences.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#787654; Package src:openstack-trove. (Wed, 03 Jun 2015 21:24:07 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 03 Jun 2015 21:24:07 GMT)


Message #15 received at 787654@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: 787654@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
Date: Wed, 3 Jun 2015 23:19:37 +0200
Control: fixed -1 2015.1~rc2-1

Hi Salvatore,

On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Note that this at least seems partially addressed, namely in the
> Cassandra part. I have not checked all remaining occurrences.
Yes, the Cassandra part was fixed last year[1]. The fixing patch is also
available[2]. Other parts are not fixed, keep reading.
One of the developers, Nikhil Manchanda states[3]:
"The impact of this is pretty minimal. From a deployment perspective,
datastores are deployed so that file access is not allowed. Coupling
that with the fact that SSH access to the Trove instance is also
restricted, this vulnerability seems very hard to exploit. However,
regardless of these mitigations, we're planning on having a fix for
this in Trove during kilo."
Later Jeremy Stanley, a member of the OpenStack Vulnerability
Management Team states[4]:
"Due to the need for access to the instance filesystem and the limited
exposure (basically anyone with shell access to a Trove instance is
going to be the administrator of the infrastructure on which it's
running) along with the fact that it's only slated to be fixed in the
master branch for inclusion in the upcoming Kilo release, the VMT will
not be publishing a security advisory nor requesting a CVE for this
bug."

Then it was reviewed and merged to master back on 21st of January[5].
Thus the fix is part of 2015.1.0rc2 which was tagged on 23rd of
April[6] and was uploaded to Sid on 29th of April[7]. Marking the bug
accordingly.

Regards,
Laszlo/GCS
[1] https://git.openstack.org/cgit/openstack/trove/patch/?id=61774984aa2bacfe89867fc39a402a6a4cfb8f33
[2] https://review.openstack.org/#/c/138719/
[3] https://bugs.launchpad.net/trove/+bug/1398195/comments/7
[4] https://bugs.launchpad.net/trove/+bug/1398195/comments/8
[5] https://git.openstack.org/cgit/openstack/trove/commit/?id=61774984aa2bacfe89867fc39a402a6a4cfb8f33
[6] https://git.openstack.org/cgit/openstack/trove/tag/?id=2015.1.0rc2
[7] https://packages.qa.debian.org/o/openstack-trove/news/20150429T164344Z.html



Marked as fixed in versions openstack-trove/2015.1~rc2-1. Request was from László Böszörményi (GCS) <gcs@debian.org> to 787654-submit@bugs.debian.org. (Wed, 03 Jun 2015 21:24:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#787654; Package src:openstack-trove. (Thu, 04 Jun 2015 07:42:14 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 04 Jun 2015 07:42:14 GMT)


Message #22 received at 787654@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 787654@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#787654: Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
Date: Thu, 04 Jun 2015 09:25:56 +0200
On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote:
> Control: fixed -1 2015.1~rc2-1
> 
> Hi Salvatore,
> 
> On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>> Note that this at least seems partially addressed, namely in the
>> Cassandra part. I have not checked all remaining occurrences.
> Yes, the Cassandra part was fixed last year[1]. The fixing patch is also
> available[2]. Other parts are not fixed, keep reading.
> One of the developers, Nikhil Manchanda states[3]:
> "The impact of this is pretty minimal. From a deployment perspective,
> datastores are deployed so that file access is not allowed. Coupling
> that with the fact that SSH access to the Trove instance is also
> restricted, this vulnerability seems very hard to exploit. However,
> regardless of these mitigations, we're planning on having a fix for
> this in Trove during kilo."
> Later Jeremy Stanley, a member of the OpenStack Vulnerability
> Management Team states[4]:
> "Due to the need for access to the instance filesystem and the limited
> exposure (basically anyone with shell access to a Trove instance is
> going to be the administrator of the infrastructure on which it's
> running) along with the fact that it's only slated to be fixed in the
> master branch for inclusion in the upcoming Kilo release, the VMT will
> not be publishing a security advisory nor requesting a CVE for this
> bug."
> 
> Then it was reviewed and merged to master back on 21st of January[5].
> Thus the fix is part of 2015.1.0rc2 which was tagged on 23rd of
> April[6] and was uploaded to Sid on 29th of April[7]. Marking the bug
> accordingly.
> 
> Regards,
> Laszlo/GCS

FWIW, I agree with Jeremy Stanley's view. I don't see how one would
exploit the issue, if there's one at all.

I see that the issue is marked as very low in the tracker, I agree with
that. I'm even tempted to tag the Debian bug with +wontfix (note: the
attached patch in launchpad only fixes the issue for Cassandra, and
doesn't even apply on top of Icehouse (ie: 2014.1.3) in Jessie).

Your thoughts?

Cheers,

Thomas Goirand (zigo)




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#787654; Package src:openstack-trove. (Thu, 04 Jun 2015 18:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 04 Jun 2015 18:12:04 GMT)


Message #27 received at 787654@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>, 787654@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#787654: [PKG-Openstack-devel] Bug#787654: Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
Date: Thu, 4 Jun 2015 20:09:40 +0200
Hi Thomas, hi László,

On Thu, Jun 04, 2015 at 09:25:56AM +0200, Thomas Goirand wrote:
> On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote:
> > Control: fixed -1 2015.1~rc2-1
> > 
> > Hi Salvatore,
> > 
> > On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> >> Note that this at least seems partially addressed, namely in the
> >> Cassandra part. I have not checked all remaining occurrences.
> > Yes, the Cassandra part was fixed last year[1]. The fixing patch is also
> > available[2]. Other parts are not fixed, keep reading.
> > One of the developers, Nikhil Manchanda states[3]:
> > "The impact of this is pretty minimal. From a deployment perspective,
> > datastores are deployed so that file access is not allowed. Coupling
> > that with the fact that SSH access to the Trove instance is also
> > restricted, this vulnerability seems very hard to exploit. However,
> > regardless of these mitigations, we're planning on having a fix for
> > this in Trove during kilo."
> > Later Jeremy Stanley, a member of the OpenStack Vulnerability
> > Management Team states[4]:
> > "Due to the need for access to the instance filesystem and the limited
> > exposure (basically anyone with shell access to a Trove instance is
> > going to be the administrator of the infrastructure on which it's
> > running) along with the fact that it's only slated to be fixed in the
> > master branch for inclusion in the upcoming Kilo release, the VMT will
> > not be publishing a security advisory nor requesting a CVE for this
> > bug."
> > 
> > Then it was reviewed and merged to master back on 21st of January[5].
> > Thus the fix is part of 2015.1.0rc2 which was tagged on 23rd of
> > April[6] and was uploaded to Sid on 29th of April[7]. Marking the bug
> > accordingly.
> > 
> > Regards,
> > Laszlo/GCS
> 
> FWIW, I agree with Jeremy Stanley's view. I don't see how one would
> exploit the issue, if there's one at all.
> 
> I see that the issue is marked as very low in the tracker, I agree with
> that. I'm even tempted to tag the Debian bug with +wontfix (note: the
> attached patch in launchpad only fixes the issue for Cassandra, and
> doesn't even apply on top of Icehouse (ie: 2014.1.3) in Jessie).

Yes, I agree that the severity is rather low (we marked the issue as
well as no-dsa, btw). I think we can just reevaluate later kilo
releases if upstream has fixed all the occurrences for CVE-2015-3156
and don't need an extraordinary/immediate action on this bug but just
follow when upstream fixes them.

Would you concur with this?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#787654; Package src:openstack-trove. (Thu, 04 Jun 2015 19:21:06 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 04 Jun 2015 19:21:06 GMT)


Message #32 received at 787654@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: 787654@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#787654: Bug#787654: Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
Date: Thu, 4 Jun 2015 21:18:33 +0200
On Thu, Jun 4, 2015 at 8:09 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> On Thu, Jun 04, 2015 at 09:25:56AM +0200, Thomas Goirand wrote:
>> On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote:
>> > Control: fixed -1 2015.1~rc2-1
 The version set for being vulnerable is wrong by the way, but I don't
know which was the first version that contains these bugs.

>> > On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>> >> Note that this at least seems partially addressed, namely in the
>> >> Cassandra part. I have not checked all remaining occurrences.
[...]
> Yes, I agree that the severity is rather low (we marked the issue as
> well as no-dsa, btw). I think we can just reevaluate later kilo
> releases if upstream has fixed all the occurrences for CVE-2015-3156
> and don't need an extraordinary/immediate action on this bug but just
> follow when upstream fixes them.
>
> Would you concur with this?
If you ask me, I have doubts upstream will take further steps with
this CVE. Their vulnerability team said they don't ask for a CVE
number as the impact is very low, if it is even possible to utilize it. As
the 'bugs' were found last December and only the Cassandra part has been
fixed for six months, and that's already part of Stretch, I say this bug
can be closed as fixed after setting the correct 'found' version.

Cheers,
Laszlo/GCS



Reply sent to Thomas Goirand <thomas@goirand.fr>:
You have taken responsibility. (Thu, 04 Jun 2015 23:30:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 04 Jun 2015 23:30:07 GMT)


Message #37 received at 787654-done@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: 787654-done@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#787654: Bug#787654: Bug#787654: Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
Date: Fri, 05 Jun 2015 01:27:20 +0200
On 06/04/2015 09:18 PM, László Böszörményi (GCS) wrote:
> On Thu, Jun 4, 2015 at 8:09 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>> On Thu, Jun 04, 2015 at 09:25:56AM +0200, Thomas Goirand wrote:
>>> On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote:
>>>> Control: fixed -1 2015.1~rc2-1
>  The version set for being vulnerable is wrong by the way, but I don't
> know which was the first version that contains these bugs.
> 
>>>> On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>>>>> Note that this at least seems partially addressed, namely in the
>>>>> Cassandra part. I have not checked all remaining occurrences.
> [...]
>> Yes, I agree that the severity is rather low (we marked the issue as
>> well as no-dsa, btw). I think we can just reevaluate later kilo
>> releases if upstream has fixed all the occurrences for CVE-2015-3156
>> and don't need an extraordinary/immediate action on this bug but just
>> follow when upstream fixes them.
>>
>> Would you concur with this?
> If you ask me, I have doubts upstream will take further steps with
> this CVE. Their vulnerability team said they don't ask for a CVE
> number as the impact is very low, if it is even possible to utilize it. As
> the 'bugs' were found last December and only the Cassandra part has been
> fixed for six months, and that's already part of Stretch, I say this bug
> can be closed as fixed after setting the correct 'found' version.
> 
> Cheers,
> Laszlo/GCS

I fully agree.

Thomas




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#787654; Package src:openstack-trove. (Sun, 10 Jul 2016 21:48:04 GMT)


Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sun, 10 Jul 2016 21:48:04 GMT)


Message #42 received at 787654@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: 787654@bugs.debian.org
Subject: Re: Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
Date: Sun, 10 Jul 2016 23:45:09 +0200
Hi,

could you please fix up the found/fixed versions; right now the found
version is later than the fixed one. Or reopen the bug.

Thanks


Andreas



No longer marked as fixed in versions openstack-trove/2015.1~rc2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Jul 2016 19:12:08 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Aug 2016 07:34:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:30:59 2019; Machine Name: beach
