Bug 824460 (CVE-2012-2395)

Summary: CVE-2012-2395 cobbler: command injection flaw in the power management XML-RPC API
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: awood, cperry, dgoodwin, jimi, jpazdziora, rcvalle, scott, sherr, vanmeeuwen+fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-20 02:11:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 824461, 824462, 830662    
Bug Blocks: 811959    

Description Jan Lieskovsky 2012-05-23 14:02:28 UTC 
It was found that Cobbler, a network install server, did not properly sanitize input provided to the power() method. A remote attacker could inject a specially-crafted string into the correspondent Cobbler's XML-RPC API method, possibly leading to their ability to execute arbitrary code with the privileges of the privileged system user (root).

Upstream ticket:
[1] https://github.com/cobbler/cobbler/issues/141

Relevant upstream patch:
[2] https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf

CVE Request:
[3] http://www.openwall.com/lists/oss-security/2012/05/23/4

References:
[4] https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
Comment 1 Jan Lieskovsky 2012-05-23 14:05:37 UTC 
This issue affects the versions of the cobbler package, as shipped with Fedora release of 15 and 16. Please schedule an update.

--

This issue affects the versions of the cobbler package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-05-23 14:08:26 UTC 
Created cobbler tracking bugs for this issue

Affects: fedora-all [bug 824461]
Affects: epel-all [bug 824462]
Comment 4 Jan Lieskovsky 2012-05-23 14:16:22 UTC 
Reproducer from Ubuntu bugzilla above ([4]):

[1] To verify that this is the case you test it out -->
>>> import subprocess
>>> subprocess.Popen(["/bin/sh", "-c", "echo lol && /bin/sh"], shell=False)
<subprocess.Popen object at 0x7f0ecaa92b50>
>>> lol
Comment 5 Jan Pazdziora 2012-05-23 15:16:22 UTC 
(In reply to comment #1)
> This issue affects the versions of the cobbler package, as shipped with
> Fedora release of 15 and 16. Please schedule an update.
> 
> --
> 
> This issue affects the versions of the cobbler package, as shipped with
> Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.

Which cobbler version(s?) are these exactly?
Comment 6 Jan Lieskovsky 2012-05-23 15:35:08 UTC 
(In reply to comment #5)
> Which cobbler version(s?) are these exactly?

Fedora-15: cobbler-2.2.2-1.fc15
Fedora-16: cobbler-2.2.2-1.fc16
Fedora-17: cobbler-2.2.2-1.fc17
Fedora-Rawhide: cobbler-2.2.2-1.fc18
EPEL-5: cobbler-2.2.2-1.el5
EPEL-6: cobbler-2.2.2-1.el6
Comment 7 Kurt Seifried 2012-05-23 18:37:38 UTC 
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/05/23/18
Comment 15 Jan Lieskovsky 2012-06-18 17:10:45 UTC 
Statement:

This issue did not affect the version of cobbler as shipped with Red Hat Network Satellite Server 5.3.0, as it did not include the upstream commit 0e5f6f2d50d460f4c6b0c9f62cfed0ff5c546906 that introduced this flaw. This issue affects the version of cobbler as shipped with Red Hat Network Satellite Server 5.4.0.
Comment 27 errata-xmlrpc 2012-07-09 16:35:15 UTC 
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2012:1060 https://rhn.redhat.com/errata/RHSA-2012-1060.html