Bug 735237

Summary: bcfg2: unescaped shell commands can lead to arbitrary code execution
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jeff, mail
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-07 21:46:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 735238, 735239    
Bug Blocks:    

Description Vincent Danen 2011-09-01 21:34:29 UTC
A number of cases of unescaped client data used in shell commands were fixed in bcfg2 [1],[2].  The SSHbase plugin has been confirmed as being exploitable, which would allow a remote attacker to execute arbitrary code on the bcfg2 server if the SSHbase plugin were enabled and the attacker had control of a bcfg2 client machine.

Fixes in the 1.2 pre-release series [1] and a backport to the 1.1 series [2] are available.

[1] https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1d89eef7
[2] https://github.com/solj/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53

Comment 1 Vincent Danen 2011-09-01 21:35:31 UTC
Created bcfg2 tracking bugs for this issue

Affects: fedora-all [bug 735238]
Affects: epel-all [bug 735239]

Comment 2 Fabian Affolter 2011-09-07 21:46:49 UTC

*** This bug has been marked as a duplicate of bug 736279 ***