Bug 2271614 (CVE-2024-2947) - CVE-2024-2947 cockpit: command injection when deleting a sosreport with a crafted name
Keywords:
Status: NEW
Alias: CVE-2024-2947
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2271815
Blocks: 2243651
Reported: 2024-03-26 14:25 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-04-02 11:21 UTC (History)

Fixed In Version: cockpit 314
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links:
GitHub cockpit-project/cockpit pull 20232 (open): sosreport: Fix command injection with crafted report names [CVE-2024-2947], last updated 2024-03-27 14:01:21 UTC

Description Guilherme de Almeida Suckevicz 2024-03-26 14:25:02 UTC
A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation.

Reference:
https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a

Upstream patch:
https://github.com/cockpit-project/cockpit/commit/9c4cc9b6df632082538b53bdc8ee9ec1c5cad4da

Comment 3 Martin Pitt 2024-03-27 05:22:58 UTC
Precise pointer to the flaw: https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a#diff-62c94c14cb8793bb67e4f27c6c067095648a9d3f185c66f0d0dde300219e9bd1R232

Adding Marius. I quickly discussed that issue with him. My main concern was about the purpose of that glob, as it's not obvious why it's even there. Seems it's really just to also cover the sosreport*.gpg signature. So a proper fix would look something like this:

  cockpit.file(path, { superuser: true }).replace(null);
  cockpit.file(path + ".gpg", { superuser: true }).replace(null);

Plus strengthening the integration test [1] to make sure that no /var/tmp/{base_report}* files are present (ironically, *that* place should use a glob :-) ), i.e. that we clean up all files just in case there is or ever will be something else than just *.gpg.

Marius, WDYT? (Please note: no pushing fixes anywhere, just discussing in this issue until the embargo gets lifted)

[1] https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a#diff-a5be77b91c9305612a9dd01559e56d53c7802281fd6bc8df606a63020117e1d1R115
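As an added example (not code from the Cockpit project or from this thread), one way to implement the explicit two-path deletion proposed above, with a strict name allowlist in front of it so a crafted report name can never reach a shell or a glob; REPORT_DIR, the name pattern and the function names are assumptions:

```javascript
// Added example, not Cockpit's own code. Assumptions: reports live in
// REPORT_DIR, are named "sosreport-<something>", and a detached signature
// sits beside the archive as "<name>.gpg".
const REPORT_DIR = "/var/tmp";

// Allowlist rather than denylist: after the fixed "sosreport-" prefix only
// letters, digits, ".", "_" and "-" are accepted. That excludes "/", spaces,
// quotes, "$", ";", "*" and every other character a shell or glob could
// interpret, so the name is safe to use as a single path component.
const SAFE_NAME = /^sosreport-[A-Za-z0-9._-]+$/;

function isSafeReportName(name) {
    return typeof name === "string" && SAFE_NAME.test(name);
}

// Enumerate the files explicitly instead of expanding "<path>*": the two
// files we know about are the archive and its signature.
function deletionTargets(name) {
    if (!isSafeReportName(name))
        throw new Error("refusing to delete: unexpected sosreport name");
    const path = `${REPORT_DIR}/${name}`;
    return [path, path + ".gpg"];
}

// Caller side, using the API from the comment above. `cockpit` only exists
// inside the Cockpit web UI, so it is injected here and skipped when absent.
function deleteReport(name, fileApi = globalThis.cockpit) {
    const targets = deletionTargets(name);
    if (fileApi) {
        for (const p of targets)
            fileApi.file(p, { superuser: true }).replace(null);
    }
    return targets;
}
```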

Comment 4 Guilherme de Almeida Suckevicz 2024-03-27 12:54:45 UTC
Created cockpit tracking bugs for this issue:

Affects: fedora-all [bug 2271815]

Comment 5 Martin Pitt 2024-03-27 14:01:21 UTC
Upstream fix: https://github.com/cockpit-project/cockpit/pull/20232

