[Yahoo-eng-team] [Bug 1414530] Re: cwd might be set incorrectly when exceptions are thrown

2015-06-14 Thread Davanum Srinivas (DIMS)
Fixed in:
https://review.openstack.org/#/c/155847/

** Changed in: oslo.concurrency
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1414530

Title:
  cwd might be set incorrectly when exceptions are thrown

Status in OpenStack Compute (Nova):
  Fix Released
Status in Oslo Concurrency Library:
  Fix Released

Bug description:
  CWD might be set incorrectly when exceptions are thrown

  The call to utils.execute ends up in /opt/stack/nova/nova/utils.py which
  ultimately calls processutils.execute() in the oslo_concurrency module.
  If there's an error when executing the command which calls a bash script
  then an exception ProcessExecutionError will be raised at #1. This means that
  the code at #2 will never be reached resulting in the Exception being
  propagated up to the call-stack but now one is still stuck with the wrong
  working directory which can lead to problems. One should catch the Exception
  and make sure that in all cases the working directory is reset to the
  original one.

  /opt/stack/nova/nova/crypto.py

  def ensure_ca_filesystem():
      """Ensure the CA filesystem exists."""
      ca_dir = ca_folder()
      if not os.path.exists(ca_path()):
          genrootca_sh_path = os.path.abspath(
              os.path.join(os.path.dirname(__file__), 'CA',
                           'genrootca.sh'))

          start = os.getcwd()
          fileutils.ensure_tree(ca_dir)
          os.chdir(ca_dir)
          utils.execute('sh', genrootca_sh_path)  # --- #1
          os.chdir(start)  # --- #2

  
  One can see in
  https://github.com/openstack/oslo.concurrency/blob/master/oslo_concurrency/processutils.py
  that this Exception can indeed be thrown.

  Analogously there's a similar issue also in the aforementioned file in
  _ensure_project_folder.

  def _ensure_project_folder(project_id):
      if not os.path.exists(ca_path(project_id)):
          geninter_sh_path = os.path.abspath(
              os.path.join(os.path.dirname(__file__), 'CA',
                           'geninter.sh'))
          start = os.getcwd()
          os.chdir(ca_folder())
          utils.execute('sh', geninter_sh_path, project_id,
                        _project_cert_subject(project_id))
          os.chdir(start)

  
  I'm not sure whether this has a potential security vulnerability impact or
  not. The potential risk is definitely there but it remains to be seen whether
  an attacker can actually reliably trigger this and then possibly gain
  something else by having a different working directory. That's why I didn't
  tag it as a security bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1414530/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
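
Added example, not part of the original bug report and not nova or oslo.concurrency code: the chdir pattern from the report next to two ways of keeping the parent's working directory intact when the command fails. It uses only the standard library; subprocess.CalledProcessError stands in for ProcessExecutionError, and FAILING_CMD, working_directory and the run_* / cwd_after names are hypothetical.

```python
import contextlib
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for a failing genrootca.sh: a child that exits non-zero.
FAILING_CMD = [sys.executable, "-c", "import sys; sys.exit(3)"]


def run_unsafe(work_dir):
    """Pattern from the report: the chdir back is skipped when the command fails."""
    start = os.getcwd()
    os.chdir(work_dir)
    subprocess.run(FAILING_CMD, check=True)  # raises CalledProcessError (#1)
    os.chdir(start)                          # never reached (#2)


@contextlib.contextmanager
def working_directory(path):
    """Hypothetical helper: always restore the caller's cwd, even on error."""
    start = os.getcwd()
    os.chdir(path)
    try:
        yield
    finally:
        os.chdir(start)


def run_with_restore(work_dir):
    with working_directory(work_dir):
        subprocess.run(FAILING_CMD, check=True)


def run_with_child_cwd(work_dir):
    """Only the child runs in work_dir; the parent's cwd is never touched."""
    subprocess.run(FAILING_CMD, check=True, cwd=work_dir)


def cwd_after(func):
    """Run func against a scratch directory; report whether the cwd survived."""
    original = os.getcwd()
    with tempfile.TemporaryDirectory() as scratch:
        try:
            func(scratch)
        except subprocess.CalledProcessError:
            pass
        survived = os.path.realpath(os.getcwd()) == os.path.realpath(original)
        os.chdir(original)  # undo any leak before the scratch dir is deleted
    return survived
```

The cwd is process-wide state, so in a multi-threaded service the try/finally form still exposes other threads to the temporary directory change; giving the directory to the child alone avoids that.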


[Yahoo-eng-team] [Bug 1414530] Re: cwd might be set incorrectly when exceptions are thrown

2015-03-20 Thread Thierry Carrez
** Changed in: nova
   Status: Fix Committed => Fix Released

** Changed in: nova
   Milestone: None => kilo-3


Title:
  cwd might be set incorrectly when exceptions are thrown

Status in OpenStack Compute (Nova):
  Fix Released
Status in Oslo Concurrency Library:
  In Progress



[Yahoo-eng-team] [Bug 1414530] Re: cwd might be set incorrectly when exceptions are thrown

2015-01-31 Thread Davanum Srinivas (DIMS)
** Also affects: oslo.utils
   Importance: Undecided
   Status: New

** Project changed: oslo.utils => oslo.concurrency


Title:
  cwd might be set incorrectly when exceptions are thrown

Status in OpenStack Compute (Nova):
  New
Status in Oslo Concurrency Library:
  New
