Bug 1169800 – CVE-2014-8126 condor: mailx invocation enables code execution as condor user

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1169800 - (CVE-2014-8126) CVE-2014-8126 condor: mailx invocation enables code execution as condor user

Summary:	CVE-2014-8126 condor: mailx invocation enables code execution as condor user

Status:	CLOSED ERRATA

Aliases:	CVE-2014-8126

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20150112,repo...
Keywords:	Security

Depends On:	1171136 1181291
Blocks:	1174797
	Show dependency tree / graph

Reported:	2014-12-02 08:26 EST by Florian Weimer
Modified:	2015-07-17 21:55 EDT (History)
CC List:	11 users (show)

See Also:
Fixed In Version:	condor 8.2.6
Doc Type:	Bug Fix
Doc Text:	The HTCondor scheduler can optionally notify a user of completed jobs by sending an email. Due to the way the daemon sent the email message, authenticated users able to submit jobs could execute arbitrary code with the privileges of the condor user.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-01-12 15:54:38 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
sendmail.patch (5.55 KB, patch) 2015-01-08 11:32 EST, Florian Weimer	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0035	normal	SHIPPED_LIVE	Important: condor security update	2015-01-12 20:25:27 EST
Red Hat Product Errata	RHSA-2015:0036	normal	SHIPPED_LIVE	Important: condor security update	2015-01-12 20:14:51 EST

Groups: None (edit)

Description Florian Weimer 2014-12-02 08:26:03 EST

The HTCondor scheduler can optionally notify a user of completed jobs by sending an email. Due to the way the daemon sent the email message, authenticated users able to submit jobs could execute arbitrary code with the privileges of the condor user.

Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 8 Vincent Danen 2015-01-08 11:25:39 EST

Upstream bug report:

https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=4764

And upstream fix:

https://htcondor-wiki.cs.wisc.edu/index.cgi/chngview?cn=41878
https://github.com/htcondor/htcondor/commit/e891cea9970496aac74caf72604475a2b7e6a0ca.patch

Comment 9 Florian Weimer 2015-01-08 11:32:27 EST

Created attachment 977841 [details]
sendmail.patch

This patch also needs a configuration file change to set the SENDMAIL parameter.

Comment 10 Vincent Danen 2015-01-12 14:59:42 EST

Created condor tracking bugs for this issue:

Affects: fedora-all [bug 1181291]

Comment 11 errata-xmlrpc 2015-01-12 15:15:11 EST

This issue has been addressed in the following products:

  MRG for RHEL-5 v. 2

Via RHSA-2015:0036 https://rhn.redhat.com/errata/RHSA-2015-0036.html

Comment 12 errata-xmlrpc 2015-01-12 15:25:40 EST

This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2015:0035 https://rhn.redhat.com/errata/RHSA-2015-0035.html

Comment 13 Fedora Update System 2015-07-17 21:55:43 EDT

condor-8.3.6-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.