Bug 824460 - (CVE-2012-2395) CVE-2012-2395 cobbler: command injection flaw in the power management XML-RPC API
CVE-2012-2395 cobbler: command injection flaw in the power management XML-RPC...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20120423,repo...
: Security
Depends On: 824461 824462 830662
Blocks: 811959
  Show dependency treegraph
 
Reported: 2012-05-23 10:02 EDT by Jan Lieskovsky
Modified: 2015-07-31 02:51 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-19 22:11:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2012-05-23 10:02:28 EDT
It was found that Cobbler, a network install server, did not properly sanitize input provided to the power() method. A remote attacker could inject a specially-crafted string into the correspondent Cobbler's XML-RPC API method, possibly leading to their ability to execute arbitrary code with the privileges of the privileged system user (root).

Upstream ticket:
[1] https://github.com/cobbler/cobbler/issues/141

Relevant upstream patch:
[2] https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf

CVE Request:
[3] http://www.openwall.com/lists/oss-security/2012/05/23/4

References:
[4] https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
Comment 1 Jan Lieskovsky 2012-05-23 10:05:37 EDT
This issue affects the versions of the cobbler package, as shipped with Fedora release of 15 and 16. Please schedule an update.

--

This issue affects the versions of the cobbler package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-05-23 10:08:26 EDT
Created cobbler tracking bugs for this issue

Affects: fedora-all [bug 824461]
Affects: epel-all [bug 824462]
Comment 4 Jan Lieskovsky 2012-05-23 10:16:22 EDT
Reproducer from Ubuntu bugzilla above ([4]):

[1] To verify that this is the case you test it out -->
>>> import subprocess
>>> subprocess.Popen(["/bin/sh", "-c", "echo lol && /bin/sh"], shell=False)
<subprocess.Popen object at 0x7f0ecaa92b50>
>>> lol
Comment 5 Jan Pazdziora 2012-05-23 11:16:22 EDT
(In reply to comment #1)
> This issue affects the versions of the cobbler package, as shipped with
> Fedora release of 15 and 16. Please schedule an update.
> 
> --
> 
> This issue affects the versions of the cobbler package, as shipped with
> Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.

Which cobbler version(s?) are these exactly?
Comment 6 Jan Lieskovsky 2012-05-23 11:35:08 EDT
(In reply to comment #5)
> Which cobbler version(s?) are these exactly?

Fedora-15: cobbler-2.2.2-1.fc15
Fedora-16: cobbler-2.2.2-1.fc16
Fedora-17: cobbler-2.2.2-1.fc17
Fedora-Rawhide: cobbler-2.2.2-1.fc18
EPEL-5: cobbler-2.2.2-1.el5
EPEL-6: cobbler-2.2.2-1.el6
Comment 7 Kurt Seifried 2012-05-23 14:37:38 EDT
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/05/23/18
Comment 15 Jan Lieskovsky 2012-06-18 13:10:45 EDT
Statement:

This issue did not affect the version of cobbler as shipped with Red Hat Network Satellite Server 5.3.0, as it did not include the upstream commit 0e5f6f2d50d460f4c6b0c9f62cfed0ff5c546906 that introduced this flaw. This issue affects the version of cobbler as shipped with Red Hat Network Satellite Server 5.4.0.
Comment 27 errata-xmlrpc 2012-07-09 12:35:15 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2012:1060 https://rhn.redhat.com/errata/RHSA-2012-1060.html

Note You need to log in before you can comment on or make changes to this bug.