[Bug 1975493] Re: [MIR] manila
Mark Esler
1975493 at bugs.launchpad.net
Fri Aug 12 20:20:22 UTC 2022
I reviewed manila 1:14.0.0+git2022071414.193784308-0ubuntu1 as checked
into kinetic. This shouldn't be considered a full audit but rather a
quick gauge of maintainability.
Highlighted issues:
- Dangerous use of eval(), exec(), and other shell commands
  - manila/cmd/manage.py ShellCommands.script() exec() is dangerous
  - manila/utils.py wite_remove_file() possible shell injection
- Uncontrolled exceptions
  - IpRouteCommand.pullup_route() try assignment to subnet, if fails except: continue, and _as_root delete Null subnet
  - manila/service.py Service.stop() try to stop rpcserver and except: pass
- Trust of unknown hosts
  - manila/network/linux/ip_lib.py SSHPool.create() accepts unknown host keys
- TLS/SSL verification disabled
- Inappropriate defaults
  - manila/data/manager.py data_opts if mounted directly /tmp/ is an inappropriate default
  - manila/service.py WSGIService.host 0.0.0.0 and WSGIService.port 0 are inappropriate WSGI defaults
Security Team recommends that pylint flags hiding problems are removed,
open bugs are investigated (https://bugs.launchpad.net/manila), and a
line by line review is made. Past Manila CVEs are high impact.
Security Team NACK for promoting Manila to main.
** Changed in: manila (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: manila (Ubuntu)
Status: New => Won't Fix
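As an added illustration that is not part of the review above and not manila's code: a small Python AST checker for the general classes of issue the review lists (eval()/exec(), shell=True subprocess calls, broad except handlers that only pass or continue, paramiko AutoAddPolicy, requests calls with verify=False), run over two constructed snippets, one showing the weak patterns and one showing hardened counterparts. The module names paramiko and requests and the helper log appear only inside the sample text, which is parsed rather than executed, so nothing beyond the standard library is needed.

```python
# Added example (not manila's code): an AST-based checker for the issue classes
# named in the review above: eval()/exec(), subprocess with shell=True, broad
# except handlers that only pass/continue, paramiko AutoAddPolicy and requests
# calls with verify=False. Both samples below are constructed, not manila code.
import ast

# Constructed sample exhibiting each weak pattern (names such as log are assumed).
WEAK_SAMPLE = '''
import subprocess, paramiko, requests

def run_script(path):
    exec(open(path).read())                                  # arbitrary code

def remove(host, name):
    subprocess.call("ssh %s rm %s" % (host, name), shell=True)  # injection

def stop(server):
    try:
        server.stop()
    except:
        pass                                                 # error swallowed

def pullup(subnets):
    for s in subnets:
        try:
            r = s.route
        except Exception:
            continue                                         # error swallowed
        s.delete(r)

def connect(host):
    c = paramiko.SSHClient()
    c.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # trusts any host
    return c

def fetch(url):
    return requests.get(url, verify=False)                   # no TLS checks
'''

# Constructed hardened counterparts; audit() should report nothing here.
SAFE_SAMPLE = '''
import subprocess, paramiko, requests

def remove(host, name):
    subprocess.run(["ssh", host, "rm", "--", name], check=True)

def stop(server):
    try:
        server.stop()
    except RuntimeError as exc:
        log.warning("stop failed: %s", exc)

def connect(host):
    c = paramiko.SSHClient()
    c.load_system_host_keys()
    c.set_missing_host_key_policy(paramiko.RejectPolicy())
    return c

def fetch(url):
    return requests.get(url, verify=True)
'''

def _callee(node):
    """Dotted callee name of an ast.Call, e.g. 'subprocess.call' or 'exec'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def _kw_is(node, name, value):
    """True if the call passes keyword `name` as the literal constant `value`."""
    return any(kw.arg == name and isinstance(kw.value, ast.Constant)
               and kw.value.value is value for kw in node.keywords)

def audit(source):
    """Return sorted (line, rule) findings for the given Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee(node)
            if name in ("eval", "exec"):
                findings.append((node.lineno, "dangerous-eval-exec"))
            elif name.startswith("subprocess.") and _kw_is(node, "shell", True):
                findings.append((node.lineno, "shell-true"))
            elif name.endswith("AutoAddPolicy"):
                findings.append((node.lineno, "auto-add-host-key"))
            elif name.startswith("requests.") and _kw_is(node, "verify", False):
                findings.append((node.lineno, "tls-verify-disabled"))
        elif isinstance(node, ast.ExceptHandler):
            # Bare except, or except Exception/BaseException, whose only body
            # statement is pass/continue: the failure is silently discarded.
            broad = node.type is None or (isinstance(node.type, ast.Name)
                                           and node.type.id in ("Exception", "BaseException"))
            swallowed = len(node.body) == 1 and isinstance(node.body[0], (ast.Pass, ast.Continue))
            if broad and swallowed:
                findings.append((node.lineno, "swallowed-exception"))
    return sorted(findings)
```

audit(WEAK_SAMPLE) reports one finding per weak line (the line numbers refer to the sample text) and audit(SAFE_SAMPLE) returns an empty list. The checker is deliberately syntactic: it matches callee names and literal keyword values only, so a shell=True passed through a variable or an aliased import would be missed, which is the same gap that makes pylint suppressions worth reviewing rather than trusting.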
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to manila in Ubuntu.
https://bugs.launchpad.net/bugs/1975493
Title:
[MIR] manila
Status in manila package in Ubuntu:
Won't Fix
Bug description:
[Availability]
Currently in universe
[Rationale]
Manila is an OpenStack project that we're ready to support in main.
[Security]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9543
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
All are in main (see version 1:14.0.0-0ubuntu2 in kinetic)
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Python package that the OpenStack Team will take care of
[Background]
Manila is an OpenStack project that provides Shared Filesystems as a service. It provides coordinated access to shared or distributed file systems. While the primary consumption of file shares would be across OpenStack Compute instances, the service is also intended to be accessible as an independent capability in line with the modular design established by other OpenStack services. Manila is extensible for multiple backends (to support vendor or file system specific nuances / capabilities) and accommodates any of a variety of shared or distributed file system types.