It was found that Cobbler, a network install server, did not properly sanitize input provided to the power() method. A remote attacker could inject a specially-crafted string into the correspondent Cobbler's XML-RPC API method, possibly leading to their ability to execute arbitrary code with the privileges of the privileged system user (root). Upstream ticket: [1] https://github.com/cobbler/cobbler/issues/141 Relevant upstream patch: [2] https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf CVE Request: [3] http://www.openwall.com/lists/oss-security/2012/05/23/4 References: [4] https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
This issue affects the versions of the cobbler package, as shipped with Fedora release of 15 and 16. Please schedule an update. -- This issue affects the versions of the cobbler package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.
Created cobbler tracking bugs for this issue Affects: fedora-all [bug 824461] Affects: epel-all [bug 824462]
Reproducer from Ubuntu bugzilla above ([4]): [1] To verify that this is the case you test it out --> >>> import subprocess >>> subprocess.Popen(["/bin/sh", "-c", "echo lol && /bin/sh"], shell=False) <subprocess.Popen object at 0x7f0ecaa92b50> >>> lol
(In reply to comment #1) > This issue affects the versions of the cobbler package, as shipped with > Fedora release of 15 and 16. Please schedule an update. > > -- > > This issue affects the versions of the cobbler package, as shipped with > Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update. Which cobbler version(s?) are these exactly?
(In reply to comment #5) > Which cobbler version(s?) are these exactly? Fedora-15: cobbler-2.2.2-1.fc15 Fedora-16: cobbler-2.2.2-1.fc16 Fedora-17: cobbler-2.2.2-1.fc17 Fedora-Rawhide: cobbler-2.2.2-1.fc18 EPEL-5: cobbler-2.2.2-1.el5 EPEL-6: cobbler-2.2.2-1.el6
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/05/23/18
Statement: This issue did not affect the version of cobbler as shipped with Red Hat Network Satellite Server 5.3.0, as it did not include the upstream commit 0e5f6f2d50d460f4c6b0c9f62cfed0ff5c546906 that introduced this flaw. This issue affects the version of cobbler as shipped with Red Hat Network Satellite Server 5.4.0.
This issue has been addressed in following products: Red Hat Network Satellite Server v 5.4 Via RHSA-2012:1060 https://rhn.redhat.com/errata/RHSA-2012-1060.html