Bug 824460 (CVE-2012-2395) - CVE-2012-2395 cobbler: command injection flaw in the power management XML-RPC API
Summary: CVE-2012-2395 cobbler: command injection flaw in the power management XML-RPC...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2395
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 824461 824462 830662
Blocks: 811959
TreeView+ depends on / blocked
 
Reported: 2012-05-23 14:02 UTC by Jan Lieskovsky
Modified: 2021-02-23 14:43 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-20 02:11:33 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1060 0 normal SHIPPED_LIVE Moderate: cobbler security update 2012-07-09 20:33:54 UTC

Description Jan Lieskovsky 2012-05-23 14:02:28 UTC 
It was found that Cobbler, a network install server, did not properly sanitize input provided to the power() method. A remote attacker could inject a specially-crafted string into the correspondent Cobbler's XML-RPC API method, possibly leading to their ability to execute arbitrary code with the privileges of the privileged system user (root).

Upstream ticket:
[1] https://github.com/cobbler/cobbler/issues/141

Relevant upstream patch:
[2] https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf

CVE Request:
[3] http://www.openwall.com/lists/oss-security/2012/05/23/4

References:
[4] https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
Comment 1 Jan Lieskovsky 2012-05-23 14:05:37 UTC 
This issue affects the versions of the cobbler package, as shipped with Fedora release of 15 and 16. Please schedule an update.

--

This issue affects the versions of the cobbler package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-05-23 14:08:26 UTC 
Created cobbler tracking bugs for this issue

Affects: fedora-all [bug 824461]
Affects: epel-all [bug 824462]
Comment 4 Jan Lieskovsky 2012-05-23 14:16:22 UTC 
Reproducer from Ubuntu bugzilla above ([4]):

[1] To verify that this is the case you test it out -->
>>> import subprocess
>>> subprocess.Popen(["/bin/sh", "-c", "echo lol && /bin/sh"], shell=False)
<subprocess.Popen object at 0x7f0ecaa92b50>
>>> lol
Comment 5 Jan Pazdziora 2012-05-23 15:16:22 UTC 
(In reply to comment #1)
> This issue affects the versions of the cobbler package, as shipped with
> Fedora release of 15 and 16. Please schedule an update.
> 
> --
> 
> This issue affects the versions of the cobbler package, as shipped with
> Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.

Which cobbler version(s?) are these exactly?
Comment 6 Jan Lieskovsky 2012-05-23 15:35:08 UTC 
(In reply to comment #5)
> Which cobbler version(s?) are these exactly?

Fedora-15: cobbler-2.2.2-1.fc15
Fedora-16: cobbler-2.2.2-1.fc16
Fedora-17: cobbler-2.2.2-1.fc17
Fedora-Rawhide: cobbler-2.2.2-1.fc18
EPEL-5: cobbler-2.2.2-1.el5
EPEL-6: cobbler-2.2.2-1.el6
Comment 7 Kurt Seifried 2012-05-23 18:37:38 UTC 
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/05/23/18
Comment 15 Jan Lieskovsky 2012-06-18 17:10:45 UTC 
Statement:

This issue did not affect the version of cobbler as shipped with Red Hat Network Satellite Server 5.3.0, as it did not include the upstream commit 0e5f6f2d50d460f4c6b0c9f62cfed0ff5c546906 that introduced this flaw. This issue affects the version of cobbler as shipped with Red Hat Network Satellite Server 5.4.0.
Comment 27 errata-xmlrpc 2012-07-09 16:35:15 UTC 
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2012:1060 https://rhn.redhat.com/errata/RHSA-2012-1060.html
Note You need to log in before you can comment on or make changes to this bug.