[PKG-Openstack-devel] Bug#787654: Bug#787654: Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
Thomas Goirand
zigo at debian.org
Thu Jun 4 07:25:56 UTC 2015
On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote:
> Control: fixed -1 2015.1~rc2-1
> Hi Salvatore,
> On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
>> Note that this at least seems partially addressed, namely in the
>> cassandra part. I have not checked all remaining occurrences.
> Yes, the Cassandra part was fixed last year[1]. The fixing patch is also
> available[2]. Other parts are not fixed, keep reading.
> One of the developers, Nikhil Manchanda states[3]:
> "The impact of this is pretty minimal. From a deployment perspective,
> datastores are deployed so that file access is not allowed. Coupling
> that with the fact that SSH access to the Trove instance is also
> restricted, this vulnerability seems very hard to exploit. However,
> regardless of these mitigations, we're planning on having a fix for
> this in Trove during kilo."
> Later Jeremy Stanley, a member of the OpenStack Vulnerability
> Management Team states[4]:
> "Due to the need for access to the instance filesystem and the limited
> exposure (basically anyone with shell access to a Trove instance is
> going to be the administrator of the infrastructure on which it's
> running) along with the fact that it's only slated to be fixed in the
> master branch for inclusion in the upcoming Kilo release, the VMT will
> not be publishing a security advisory nor requesting a CVE for this
> bug."
> Then it was reviewed and merged to master back on 21st of January[5].
> Thus the fix is part of 2015.1.0rc2 which was tagged on 23rd of
> April[6] and was uploaded to Sid on 29th of April[7]. Marking the bug
> accordingly.
> Regards,
> Laszlo/GCS
FWIW, I agree with Jeremy Stanley's view. I don't see how one would
exploit the issue, if there's one at all.
I see that the issue is marked as very low in the tracker, I agree with
that. I'm even tempted to tag the Debian bug with +wontfix (note: the
attached patch in launchpad only fixes the issue for Cassandra, and
doesn't even apply on top of Icehouse (ie: 2014.1.3) in Jessie).
Your thoughts?
Thomas Goirand (zigo)