Hi Bastian,

First of all, I'm really surprised to see the way you are submitting this bug report. I normally send a "thank you for this bug report" as an introduction to each bug sent against my package, but not in this case. It seems that you believe there are root exploits here, and yet you are sending this as a public bug that everyone can see.

If you really think that there's some root exploit in any package, you should contact the security team AND the upstream author (myself in this case) *privately* to warn them about the issue, so a fix can be published before disclosing. If you were from outside Debian, I would understand that you don't know it. But as a DD for many years, I think this is quite irresponsible behavior to just send this as a public bug. Please try to remember this next time.

On 02/01/2011 06:17 AM, Bastian Blank wrote:
> dtc-xen includes several command executions as root that use unchecked
> user input in dtc-soap-server.
>
> | cmd = "/usr/sbin/dtc_kill_vps_disk %s %s" % (vpsname, imagetype)
> | output = commands.getstatusoutput(cmd)
>
> "imagetype" is the unchecked input and commands.getstatusoutput
> effectively does "sh -c '{ $cmd } 2>&1'".
>
> Bastian

In the logic behind DTC and DTC-Xen, you shouldn't grant access to the SOAP daemon to a user you do not trust. In other words, nobody should be able to do what you write above. Parameter consistency checks are made on the web interface side. So I won't consider what you reported above as a security issue and RC bug.

Now, I can see that adding further checking on the Python dtc-xen SOAP server might enhance security as well, so I will write such checks anyway, and make it available in the next version of DTC-Xen.

Thanks anyway for this report,

Thomas Goirand
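As an added example (not dtc-xen's code, nor from either poster), a hardened form of the call quoted in the report: both parameters are validated against allowlists and the helper is invoked with an argument list instead of a shell string. The helper path is the one quoted above; the name pattern and the set of image types are assumed values.

```python
import re
import subprocess

# Path as quoted in the report; the helper script itself is not part of this example.
KILL_VPS_DISK = "/usr/sbin/dtc_kill_vps_disk"

# Constructed allowlists (assumptions, not dtc-xen's real naming rules).
VPSNAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,31}$")
ALLOWED_IMAGETYPES = frozenset({"lvm", "file"})


def check_params(vpsname, imagetype):
    """Return a list of validation problems; an empty list means both values are acceptable."""
    problems = []
    if not isinstance(vpsname, str) or not VPSNAME_RE.match(vpsname):
        problems.append("vpsname does not match %s" % VPSNAME_RE.pattern)
    if imagetype not in ALLOWED_IMAGETYPES:
        problems.append("imagetype %r not in %s" % (imagetype, sorted(ALLOWED_IMAGETYPES)))
    return problems


def build_kill_argv(vpsname, imagetype):
    """Build the argv list for the helper, refusing anything outside the allowlists."""
    problems = check_params(vpsname, imagetype)
    if problems:
        raise ValueError("; ".join(problems))
    # An argument list goes to execve() directly: no shell parses it, so
    # ';', '|' or '$(...)' inside a value would be literal characters, not syntax.
    return [KILL_VPS_DISK, vpsname, imagetype]


def _subprocess_runner(argv):
    # Same merged stdout+stderr that getstatusoutput returned, but without a shell.
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return proc.returncode, proc.stdout


def kill_vps_disk(vpsname, imagetype, runner=_subprocess_runner):
    """Validated replacement for the getstatusoutput call quoted in the report."""
    return runner(build_kill_argv(vpsname, imagetype))


if __name__ == "__main__":
    # Dry run with a recording runner so this works on a host without the real helper.
    print(kill_vps_disk("vps01", "lvm", runner=lambda argv: (0, " ".join(argv))))
    print(check_params("vps01", "lvm;echo x"))
```

Rejected values are reported back to the SOAP caller as a ValueError rather than reaching the helper, so the daemon-side check does not depend on the web interface having filtered the request first.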