Bug 607662 (CVE-2010-2235)

Summary: CVE-2010-2235 RHN Satellite (cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cperry, doug.knight, jpazdziora, jsherril, mjc, mmraka, msuchy, mzazrivec, rcvalle, security-response-team, slukasik, smithj, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-06 10:14:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 607340, 623837, 643900    
Bug Blocks:    

Description Jan Lieskovsky 2010-06-24 14:30:00 UTC 
A code injection flaw was found in the way Cobbler processed
templates for kickstart files. A remote authenticated user, that
has the Configuration Administrator role privilege, could use this
flaw to create a specially-crafted kickstart template file containing
embedded Python code, that could, when processed by the Cheetah template
processing engine, execute arbitrary code with the privileges of the
privileged system user (root) on the Red Hat Network Satellite Server host.

References:
  [1] https://fedorahosted.org/cobbler/wiki/KickstartTemplating

Acknowledgements:

Red Hat would like to thank Doug Knight of University of Alaska for reporting this issue.
Comment 2 Jan Lieskovsky 2010-06-24 15:03:33 UTC 
This issue affects the v5.3.0 version of the Red Hat Network Satellite.

This issue did NOT affect the previous versions (v3.7.0, v4.0.0, v4.1.0,
v4.2.0, v5.0.0, v5.1.0, v5.2.0) of the Red Hat Network Satellite.
Comment 4 Vincent Danen 2010-06-24 15:35:53 UTC 
This issue has been assigned CVE-2010-2235.
Comment 10 errata-xmlrpc 2010-10-18 13:20:59 UTC 
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0775 https://rhn.redhat.com/errata/RHSA-2010-0775.html
Comment 11 Jan Lieskovsky 2010-10-18 13:28:06 UTC 
Created cobbler tracking bugs for this issue

Affects: fedora-all [bug 643900]
Comment 12 Vincent Danen 2010-10-21 15:20:32 UTC 
Which upstream version of Cobbler has this fix?  Does 2.0.7 have the fix?  I can't seem to find the information that would tell me where this fix landed upstream.

Does anyone know?
Comment 13 Doug Knight 2010-10-21 19:27:36 UTC 
2.0.7 in koji contains the patch.  shenson hasn't had a chance to do a release yet.
Comment 14 Vincent Danen 2010-10-21 19:43:24 UTC 
Thanks, Doug.  Would that be this part of the upstream changelog then?

- Oct 18 2010 - 2.0.7
- (BUGF) Disabled certain undesirable behavior of cheetah

I think it might be, but there is no reference to the CVE name or this bug, so hard to tell by looking at the CHANGELOG file.
Comment 15 Doug Knight 2010-10-22 00:08:32 UTC 
I would have to assume so; that's the only log message that looks plausible.  I pulled down the koji build and confirmed that template_api.py does include the patch, but as you said, the CVE and bug are not mentioned anywhere.  shenson might have more information if you still have questions.
Comment 16 Vincent Danen 2010-10-25 15:29:27 UTC 
Yeah, double-checked that with a few other folks and it is fixed in 2.0.7, as noted above.  Thanks!