A code injection flaw was found in the way Cobbler processed templates for kickstart files. A remote authenticated user, that has the Configuration Administrator role privilege, could use this flaw to create a specially-crafted kickstart template file containing embedded Python code, that could, when processed by the Cheetah template processing engine, execute arbitrary code with the privileges of the privileged system user (root) on the Red Hat Network Satellite Server host. References: [1] https://fedorahosted.org/cobbler/wiki/KickstartTemplating Acknowledgements: Red Hat would like to thank Doug Knight of University of Alaska for reporting this issue.
This issue affects the v5.3.0 version of the Red Hat Network Satellite. This issue did NOT affect the previous versions (v3.7.0, v4.0.0, v4.1.0, v4.2.0, v5.0.0, v5.1.0, v5.2.0) of the Red Hat Network Satellite.
This issue has been assigned CVE-2010-2235.
This issue has been addressed in following products: Red Hat Network Satellite Server v 5.3 Via RHSA-2010:0775 https://rhn.redhat.com/errata/RHSA-2010-0775.html
Created cobbler tracking bugs for this issue Affects: fedora-all [bug 643900]
Which upstream version of Cobbler has this fix? Does 2.0.7 have the fix? I can't seem to find the information that would tell me where this fix landed upstream. Does anyone know?
2.0.7 in koji contains the patch. shenson hasn't had a chance to do a release yet.
Thanks, Doug. Would that be this part of the upstream changelog then? - Oct 18 2010 - 2.0.7 - (BUGF) Disabled certain undesirable behavior of cheetah I think it might be, but there is no reference to the CVE name or this bug, so hard to tell by looking at the CHANGELOG file.
I would have to assume so; that's the only log message that looks plausible. I pulled down the koji build and confirmed that template_api.py does include the patch, but as you said, the CVE and bug are not mentioned anywhere. shenson might have more information if you still have questions.
Yeah, double-checked that with a few other folks and it is fixed in 2.0.7, as noted above. Thanks!