Bug 835985 (CVE-2012-3366)

Summary: CVE-2012-3366 bcfg2: arbitrary code execution flaw in Trigger plugin
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: jeff, mail
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-12-20 17:50:51 UTC
Bug Depends On: 835987, 835988

Description Vincent Danen 2012-06-27 18:24:59 UTC
Quoting the upstream announcement [1]:

"We have found a major security flaw in the Trigger plugin that would 
allow a malicious user who has root access to a Bcfg2 client to run 
arbitrary commands on the server as the user the bcfg2-server process is 
running as by passing a malformed UUID.

This is very similar to a flaw discovered last year in a large number of 
other plugins; this instance was not fixed at that time because Trigger 
uses a different method to invoke external shell commands, and because 
Trigger previously hid all errors from trigger scripts, so tests did not 
find the issue.  As a side effect of this change, Trigger will begin 
reporting errors from triggered scripts.

This only affects the Trigger plugin; if you are not using Trigger, you 
are not affected by this flaw.  As a workaround, you can disable Trigger 
until you are able to upgrade."

This has been corrected in git [2] which will be included in the future 1.2.3 release (currently not available).

EPEL5 is using 1.1.3, for which there is no patch, so the upstream patch will need to be backported or EPEL5 will need to be upgraded to 1.2.x and patched.  Debian does have a backported patch for their 1.0.1 package which may be applicable (haven't checked if it applies) [3].

[1] http://permalink.gmane.org/gmane.comp.sysutils.bcfg2.devel/4539
[2] http://trac.mcs.anl.gov/projects/bcfg2/changeset/a524967e8d5c4c22e49cd619aed20c87a316c0be
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679272

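An illustrative reconstruction of the flaw class the announcement describes (a client-controlled UUID reaching a shell), placed beside the hardened form. This is an added example, not Bcfg2's Trigger plugin code and not the upstream fix. It assumes the trigger script is invoked with the client UUID as a command-line argument, substitutes `echo` for a real trigger script so the effect is visible on stdout, uses constructed UUID values, and assumes client UUIDs are expected to be RFC 4122 hex-and-dash strings for the allowlist check.

```python
"""Illustrative reconstruction of the shell-injection pattern behind
CVE-2012-3366 and a hardened form. Example code only; not Bcfg2's
Trigger plugin or the upstream fix."""
import re
import subprocess

# Assumption: the trigger script is run with the client's UUID as its only
# argument. `echo` stands in for a real trigger script so the example runs
# anywhere with a POSIX shell and its effect is visible on stdout.
TRIGGER = "echo"

# Constructed sample values, not real captures. A root user on a Bcfg2 client
# controls what the client reports as its UUID; the second value carries a
# shell metacharacter that ends the trigger command and starts another one.
BENIGN_UUID = "c9a1e5e2-8b47-4d8f-9a2c-1f3c4d5e6f70"
MALFORMED_UUID = "c9a1e5e2; echo INJECTED"

# Assumption: client UUIDs are expected to look like RFC 4122 hex-and-dash
# strings. Adjust this allowlist to whatever identifier form your deployment uses.
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def run_trigger_vulnerable(client_uuid, trigger=TRIGGER):
    """Vulnerable pattern: interpolate the client-controlled value into one
    command string and let /bin/sh parse it (shell=True). Anything the shell
    treats specially inside client_uuid is interpreted, not passed through."""
    cmdline = "%s %s" % (trigger, client_uuid)
    proc = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_trigger_argv(client_uuid, trigger=TRIGGER):
    """No shell in the path: the value is a single argv element and reaches
    the trigger as a literal string, metacharacters included."""
    proc = subprocess.run([trigger, client_uuid], capture_output=True, text=True)
    return proc.stdout


def run_trigger_fixed(client_uuid, trigger=TRIGGER):
    """Hardened pattern: allowlist-validate the UUID, then invoke the trigger
    without a shell. Validation rejects junk early and loudly; the argv call
    is what actually removes the injection path."""
    if not UUID_RE.match(client_uuid):
        raise ValueError("refusing malformed client UUID: %r" % client_uuid)
    return run_trigger_argv(client_uuid, trigger)


if __name__ == "__main__":
    print("vulnerable, benign:   ", repr(run_trigger_vulnerable(BENIGN_UUID)))
    print("vulnerable, malformed:", repr(run_trigger_vulnerable(MALFORMED_UUID)))
    print("argv only, malformed: ", repr(run_trigger_argv(MALFORMED_UUID)))
    try:
        run_trigger_fixed(MALFORMED_UUID)
    except ValueError as exc:
        print("fixed, malformed:     ", exc)
```

With shell=True the `;` in the client-supplied value terminates the intended command and the shell runs `echo INJECTED` as a second command, which is the arbitrary-command execution the announcement describes (as the user the server process runs as). The argv form never hands the string to a shell, so the same value arrives at the trigger as one literal argument; the allowlist check in front of it is the second layer and the place where a malformed UUID gets reported instead of silently executed.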
Comment 1 Vincent Danen 2012-06-27 18:26:38 UTC
Created bcfg2 tracking bugs for this issue

Affects: fedora-all [bug 835987]
Affects: epel-all [bug 835988]

Comment 2 Kurt Seifried 2012-06-28 00:28:31 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/06/28/1