Bugzilla – Bug 779215
VUL-0: CVE-2012-4406: openstack-swift: code execution by deserialization
Last modified: 2013-08-16 11:55:02 UTC
is public, via oss-sec CVE-2012-4406

Subject: [oss-security] CVE-Request: openstack pickle de-serialization
From: Sebastian Krahmer <krahmer@suse.de>

Hi,

During openstack review we found that some parts of openstack used pickle to de-serialize data. This could be used to execute arbitrary code.

Please check here: https://bugs.launchpad.net/swift/+bug/1006414

Can someone please assign a CVE, for completeness?

thx,
Sebastian
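As an added illustration of the kind of fix this report calls for (example code, not Swift's or SUSE's own), the codec below stores cache values as JSON instead of pickle and treats any leftover pickled entry as a cache miss rather than unpickling it. The record fields and the pickle-header heuristic are assumptions made for this example.

```python
import json
import pickle  # used only to construct a sample of what must be rejected

# Pickle protocols 2..5 begin with the PROTO opcode 0x80 followed by the
# protocol number. Protocol 0/1 streams carry no such header, so this prefix
# check is a partial heuristic for spotting legacy entries, not a full parser.
_PICKLE_PROTO_OPCODE = b"\x80"


def looks_like_pickle(blob: bytes) -> bool:
    """Heuristic: does this cache entry look like a pickle (protocol >= 2) stream?"""
    return len(blob) >= 2 and blob[0:1] == _PICKLE_PROTO_OPCODE and 2 <= blob[1] <= 5


def cache_dumps(value) -> bytes:
    """Serialize a cache value as JSON: plain data, never class or code references."""
    return json.dumps(value, separators=(",", ":")).encode("utf-8")


def cache_loads(blob: bytes):
    """Deserialize a cache value.

    Anything that is not valid JSON, including pickled entries left in the
    cache from before the rollover, is returned as a miss (None) instead of
    being handed to pickle.loads.
    """
    if looks_like_pickle(blob):
        return None
    try:
        return json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed sample: an account-info style record and a legacy pickled entry.
    record = {"status": 200, "container_count": 3, "bytes": 1024}
    assert cache_loads(cache_dumps(record)) == record
    legacy = pickle.dumps(record, protocol=2)
    assert cache_loads(legacy) is None
    print("ok")
```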
My fix for this was reviewed only recently, so we didn't have the fix in our packages. It's easy to push the fix now that it's public, though. Where do you want me to submit it?
bugbot adjusting priority
I've committed the fix to Devel:Cloud. Before we push this as a security update, I'd like to see some jenkins run with the patch. For Factory, I've submitted sr#133427. For 12.2... The patch doesn't apply cleanly. It's low priority for me right now, so I might take a look later.
(In reply to comment #4)
> I've committed the fix to Devel:Cloud. Before we push this as a security
> update, I'd like to see some jenkins run with the patch.

Submitted to SUSE:SLE-11-SP2:Update:Test: sr#21677.

We're discussing inside the team how the openstack packages are maintained for openSUSE. So not sure if we'll release a 12.2 update right now. (Note that the bug is actually not too critical -- a proper openstack deployment would have that part of swift isolated on a different network)
Sounds good to me. Closing this bug fixed, as the package has been checked in. swamp process running.
Update released for: openstack-swift, openstack-swift-account, openstack-swift-container, openstack-swift-doc, openstack-swift-object, openstack-swift-proxy, openstack-swift-test, python-swift
Products: SUSE-CLOUD 1.0 (x86_64)