Bug 828512 (CVE-2011-5092)

Summary: CVE-2011-5092 rt3: remote arbitrary code execution and privilege elevation flaw
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: mmahut, perl-devel, rc040203, tremble, xavier
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-08-24 15:55:38 UTC
Bug Depends On: 828517

Description Vincent Danen 2012-06-04 20:09:12 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-5092 to
the following vulnerability:

Name: CVE-2011-5092
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5092
Assigned: 20120604
Reference: http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html
Reference: http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html
Reference: http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html

Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6
allows remote attackers to execute arbitrary code and gain privileges
via unspecified vectors, a different vulnerability than CVE-2011-4458
and CVE-2011-5093.


Current Fedora has 3.8.12 (3.8.13 in testing), however EPEL6 currently provides 3.8.10 and requires an update.  It's not specified as to whether 3.6.x is affected (which is what is shipped in EPEL5).

Comment 1 Vincent Danen 2012-06-04 20:14:00 UTC
Created rt3 tracking bugs for this issue

Affects: epel-6 [bug 828517]

Comment 2 Fedora Update System 2012-07-31 16:58:25 UTC
rt3-3.8.13-1.el6.2 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Tomas Hoger 2014-08-08 15:24:38 UTC
(In reply to Vincent Danen from comment #0)
> It's not specified as to whether 3.6.x is affected (which is what is
> shipped in EPEL5).

This CVE is not mentioned in upstream announcements at all, and is apparently a split off from CVE-2011-4458 mentioned by upstream:

  RT versions 3.6.1 and above are vulnerable to a remote execution of code
  vulnerability if the optional VERP configuration options ($VERPPrefix
  and $VERPDomain) are enabled.  RT 3.8.0 and higher are vulnerable to a
  limited remote execution of code which can be leveraged for privilege
  escalation.  RT 4.0.0 and above contain a vulnerability in the global
  $DisallowExecuteCode option, allowing sufficiently privileged users to
  still execute code even if RT was configured to not allow it.
  CVE-2011-4458 is assigned to this set of vulnerabilities.

As CVE-2011-4458 was used for 3 separate issues, each affecting different versions, it got split by Mitre as:

- CVE-2011-4458 for the VERP issue, affecting 3.6.1+
- CVE-2011-5092 for the limited code execution issue in 3.8.0+
- CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+

Hence this CVE-2011-5092 should not apply to 3.6.x in EPEL-5, but the CVE-2011-4458 (bug 824082) should, and remains unfixed.