security groups remote_group fails with CIDR in address pairs

Fix is here. https://review.openstack.org/#/c/129253/

I've added an incomplete security advisory task while the bug report is analyzed by Neutron reviewers to determine the level of risk posed. Since you pushed a patch correcting this defect to our public code review system and mentioned this bug number in the commit message, I have switched it from private security to public security (the cat is already out of the bag, as they say).

Just to confirm the details of this report, you're saying that it's possible for someone who has permission to modify the security group configuration to break that security group... if so, I don't see how an attacker would actively leverage this bug to escalate permissions or cross any established trust boundary. Can you elaborate on what makes this bug a security vulnerability?

Yeah, this wouldn't be something that an attacker could leverage from what I can tell. The risk is that a user can unknowingly break their security groups.

Thanks Kevin. In that case I've tagged it as a security hardening opportunity (removes a foot-cannon), and switched the advisory task to won't-fix.

Is that the right classification? It sounds like that is reserved for a case where users are using something wrong. This is a bug in neutron and not a mistake on the user's part.

In this case the user is using address pairs in a completely legitimate way by specifying a CIDR. The neutron function that checks the address pairs when calculating members of security groups just breaks if it's a CIDR.

Reviewed: https://review.openstack.org/129253
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a1e78b2e8836053d8ffb29bce0f862e8a5f19c2f
Submitter: Jenkins
Branch: master

commit a1e78b2e8836053d8ffb29bce0f862e8a5f19c2f
Author: Kevin Benton <email address hidden>
Date: Thu Oct 16 20:53:21 2014 -0700

    Fix handling of CIDR in allowed address pairs

    A CIDR in allowed address pairs would screw up
    the calculation of remote security group member
    IP addresses due to a call that assumed each entry
    was an IP. This patch fixes that an adds a remote
    security group reference to the address pairs SG
    test case to exercise this code-path.

    Closes-Bug: #1382562
    Change-Id: I2676f4b56bce7449579d67fb221b3edb7b885103

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/137269

Reviewed: https://review.openstack.org/137269
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=93f2536be5fe6f136e24caa11a5cea2282fb332d
Submitter: Jenkins
Branch: stable/juno

commit 93f2536be5fe6f136e24caa11a5cea2282fb332d
Author: Kevin Benton <email address hidden>
Date: Thu Oct 16 20:53:21 2014 -0700

    Fix handling of CIDR in allowed address pairs

    A CIDR in allowed address pairs would screw up
    the calculation of remote security group member
    IP addresses due to a call that assumed each entry
    was an IP. This patch fixes that an adds a remote
    security group reference to the address pairs SG
    test case to exercise this code-path.

    Closes-Bug: #1382562
    Change-Id: I2676f4b56bce7449579d67fb221b3edb7b885103
    (cherry picked from commit a1e78b2e8836053d8ffb29bce0f862e8a5f19c2f)