Bug 2271614 (CVE-2024-2947)

Summary: CVE-2024-2947 cockpit: command injection when deleting a sosreport with a crafted name
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: MODIFIED
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: gsuckevi, mpitt, mvollmer, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: cockpit 314
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2271815
Bug Blocks: 2243651

Description Guilherme de Almeida Suckevicz 2024-03-26 14:25:02 UTC
A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation.

Reference:
https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a

Upstream patch:
https://github.com/cockpit-project/cockpit/commit/9c4cc9b6df632082538b53bdc8ee9ec1c5cad4da

Comment 3 Martin Pitt 2024-03-27 05:22:58 UTC
Precise pointer to the flaw: https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a#diff-62c94c14cb8793bb67e4f27c6c067095648a9d3f185c66f0d0dde300219e9bd1R232

Adding Marius. I quickly discussed that issue with him. My main concern was about the purpose of that glob, as it's not obvious why it's even there. Seems it's really just to also cover the sosreport*.gpg signature. So a proper fix would look something like this:

  cockpit.file(path, { superuser: true }).replace(null);
  cockpit.file(path + ".gpg", { superuser: true }).replace(null);

Plus strengthening the integration test [1] to make sure that no /var/tmp/{base_report}* files are present (ironically, *that* place should use a glob :-) ), i.e. that we clean up all files just in case there is or ever will be something else than just *.gpg.

Marius, WDYT? (Please note: no pushing fixes anywhere, just discussing in this issue until the embargo gets lifted)

[1] https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a#diff-a5be77b91c9305612a9dd01559e56d53c7802281fd6bc8df606a63020117e1d1R115

Comment 4 Guilherme de Almeida Suckevicz 2024-03-27 12:54:45 UTC
Created cockpit tracking bugs for this issue:

Affects: fedora-all [bug 2271815]

Comment 5 Martin Pitt 2024-03-27 14:01:21 UTC
Upstream fix: https://github.com/cockpit-project/cockpit/pull/20232

Comment 6 errata-xmlrpc 2024-06-06 08:42:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3667 https://access.redhat.com/errata/RHSA-2024:3667

Comment 7 errata-xmlrpc 2024-06-11 19:25:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3843 https://access.redhat.com/errata/RHSA-2024:3843