Bug 607662 - (CVE-2010-2235) CVE-2010-2235 RHN Satellite (cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file
CVE-2010-2235 RHN Satellite (cobbler): Code injection flaw (ACE as root) by p...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
public=20101018,reported=20100623,sou...
: Security
Depends On: 607340 623837 643900
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-24 10:30 EDT by Jan Lieskovsky
Modified: 2015-07-31 07:57 EDT (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-06 05:14:05 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-06-24 10:30:00 EDT
A code injection flaw was found in the way Cobbler processed
templates for kickstart files. A remote authenticated user, that
has the Configuration Administrator role privilege, could use this
flaw to create a specially-crafted kickstart template file containing
embedded Python code, that could, when processed by the Cheetah template
processing engine, execute arbitrary code with the privileges of the
privileged system user (root) on the Red Hat Network Satellite Server host.

References:
  [1] https://fedorahosted.org/cobbler/wiki/KickstartTemplating

Acknowledgements:

Red Hat would like to thank Doug Knight of University of Alaska for reporting this issue.
Comment 2 Jan Lieskovsky 2010-06-24 11:03:33 EDT
This issue affects the v5.3.0 version of the Red Hat Network Satellite.

This issue did NOT affect the previous versions (v3.7.0, v4.0.0, v4.1.0,
v4.2.0, v5.0.0, v5.1.0, v5.2.0) of the Red Hat Network Satellite.
Comment 4 Vincent Danen 2010-06-24 11:35:53 EDT
This issue has been assigned CVE-2010-2235.
Comment 10 errata-xmlrpc 2010-10-18 09:20:59 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0775 https://rhn.redhat.com/errata/RHSA-2010-0775.html
Comment 11 Jan Lieskovsky 2010-10-18 09:28:06 EDT
Created cobbler tracking bugs for this issue

Affects: fedora-all [bug 643900]
Comment 12 Vincent Danen 2010-10-21 11:20:32 EDT
Which upstream version of Cobbler has this fix?  Does 2.0.7 have the fix?  I can't seem to find the information that would tell me where this fix landed upstream.

Does anyone know?
Comment 13 Doug Knight 2010-10-21 15:27:36 EDT
2.0.7 in koji contains the patch.  shenson hasn't had a chance to do a release yet.
Comment 14 Vincent Danen 2010-10-21 15:43:24 EDT
Thanks, Doug.  Would that be this part of the upstream changelog then?

- Oct 18 2010 - 2.0.7
- (BUGF) Disabled certain undesirable behavior of cheetah

I think it might be, but there is no reference to the CVE name or this bug, so hard to tell by looking at the CHANGELOG file.
Comment 15 Doug Knight 2010-10-21 20:08:32 EDT
I would have to assume so; that's the only log message that looks plausible.  I pulled down the koji build and confirmed that template_api.py does include the patch, but as you said, the CVE and bug are not mentioned anywhere.  shenson might have more information if you still have questions.
Comment 16 Vincent Danen 2010-10-25 11:29:27 EDT
Yeah, double-checked that with a few other folks and it is fixed in 2.0.7, as noted above.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.