Comment 19 for bug 1489111

Salvatore Orlando (salvatore-orlando) wrote : Re: IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240)

I verified the patch fixes the security issue. I ran several tests trying to find other ways to exploit the same issue, for instance by re-using system-created network ports. Nova does not allow one to boot instances on such ports, as nova will return a 409 when attempting to boot on a port with an already-populated device_owner attribute.

The patch is also resilient to white-space padding (e.g. " network:" is accepted but won't cause the port_security_enabled attribute to go to False).

I have minor observations on the code changes:
- the policy change works, but it seems weird as it's an "or" condition and is acting as an "and". Perhaps the policy engine is not operating as expected here. This is unrelated to this patch, however.
- Having to prepend ~ to say it's a regex is fine by me. Alternatively one could treat everything as a regex, adding automatically ^ and $ for doing exact matches. But then you'll have to document that regex evaluation will always match on the whole string.

On the CVE it is probably worth stating that, as far as we know, it only affects the ML2 plugin. The logic where the vulnerability is introduced is indeed specific to that plugin. Other plugins might be affected too if they adopted similar logic for determining whether spoofing protections should be installed, but I think it's up to the plugin maintainers to verify that and fix it if necessary.

Summarizing: the patch looks good to me, and there's no need for further revisions.
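As an added illustration of the two points raised in the comment above (an untrimmed "network:" prefix check that is not fooled by white-space padding, and policy values that are exact matches unless prefixed with "~", compared with the alternative of treating every value as a whole-string regex), here is a small constructed example. It is not code from the comment or from Neutron; the function names, the "network:" prefix convention and the "~" marker are assumptions made for this example.

```python
import re

# Constructed example; not Neutron's implementation. The prefix constant,
# the "~" regex marker and the function names are assumptions.
NETWORK_OWNER_PREFIX = "network:"


def port_security_applies(device_owner):
    """Return True when anti-spoofing rules must be installed on a port.

    Ports owned by the networking service itself (device_owner beginning
    with "network:") are exempt. The comparison is an exact, untrimmed
    prefix check, so padded values such as " network:dhcp" or
    "network :dhcp" are still treated as tenant-owned and keep port
    security enabled.
    """
    if not device_owner:
        return True
    return not device_owner.startswith(NETWORK_OWNER_PREFIX)


def policy_value_matches(policy_value, actual):
    """Match a policy rule value against an attribute value.

    A value starting with "~" is a regular expression matched against the
    whole string (re.fullmatch); any other value must be equal to the
    attribute. A plain "network:.*" therefore does NOT act as a wildcard.
    """
    if policy_value.startswith("~"):
        return re.fullmatch(policy_value[1:], actual) is not None
    return policy_value == actual


def policy_value_matches_implicit_regex(policy_value, actual):
    """Alternative mentioned in the comment: every value is a regex.

    re.fullmatch is equivalent to wrapping the pattern in ^...$, so plain
    strings behave as exact matches. The trade-off is that regex
    metacharacters in an ordinary value (a "." for instance) are always
    interpreted, which is why the comment says this would need documenting.
    """
    return re.fullmatch(policy_value, actual) is not None


def evaluate_samples():
    """Run the checks over a few constructed device_owner values."""
    owners = ["compute:nova", "network:dhcp", " network:dhcp", "network :dhcp", ""]
    return {owner: port_security_applies(owner) for owner in owners}


if __name__ == "__main__":
    for owner, enforced in evaluate_samples().items():
        print(repr(owner), "-> port security enforced:", enforced)
    print(policy_value_matches("~network:.*", "network:router_interface"))
    print(policy_value_matches("network:.*", "network:dhcp"))
    print(policy_value_matches_implicit_regex("network:.*", "network:dhcp"))
```

The explicit "~" marker keeps the common case (an exact string) free of regex semantics; the implicit variant is shorter to write but turns every policy value into a pattern, which is the caveat the comment asks to document.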