Quoting the upstream announcement [1]:

"We have found a major security flaw in the Trigger plugin that would allow a malicious user who has root access to a Bcfg2 client to run arbitrary commands on the server as the user the bcfg2-server process is running as by passing a malformed UUID. This is very similar to a flaw discovered last year in a large number of other plugins; this instance was not fixed at that time because Trigger uses a different method to invoke external shell commands, and because Trigger previously hid all errors from trigger scripts, so tests did not find the issue. As a side effect of this change, Trigger will begin reporting errors from triggered scripts. This only affects the Trigger plugin; if you are not using Trigger, you are not affected by this flaw. As a workaround, you can disable Trigger until you are able to upgrade."

This has been corrected in git [2] which will be included in the future 1.2.3 release (currently not available).

EPEL5 is using 1.1.3, for which there is no patch, so the upstream patch will need to be backported or EPEL5 will need to be upgraded to 1.2.x and patched. Debian does have a backported patch for their 1.0.1 package which may be applicable (haven't checked if it applies) [3].

[1] http://permalink.gmane.org/gmane.comp.sysutils.bcfg2.devel/4539
[2] http://trac.mcs.anl.gov/projects/bcfg2/changeset/a524967e8d5c4c22e49cd619aed20c87a316c0be
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679272
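An added example, not code from Bcfg2 or from this report: one way a server-side hook could refuse a malformed client UUID before launching an external script, pass arguments as a list with no shell, and report script errors rather than hide them. The function names, the `-u` argument layout and the sample values are assumptions made for illustration.

```python
import logging
import re
import subprocess
import sys

log = logging.getLogger("trigger-example")

# Canonical 8-4-4-4-12 hex form only. \A and \Z anchor the whole string, so a
# trailing newline or appended text cannot ride along behind a valid prefix.
UUID_RE = re.compile(r"\A[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\Z")


class InvalidClientValue(ValueError):
    """Raised when a client-supplied value fails validation."""


def validate_uuid(value):
    """Return the UUID in lower case, or raise before any process is started."""
    if not isinstance(value, str) or not UUID_RE.match(value):
        raise InvalidClientValue("rejected client UUID: %r" % (value,))
    return value.lower()


def build_argv(script_argv, hostname, client_uuid):
    """Build the argument vector (hypothetical layout: <script> <host> -u <uuid>)."""
    return list(script_argv) + [hostname, "-u", validate_uuid(client_uuid)]


def run_trigger(script_argv, hostname, client_uuid, timeout=30):
    """Run one script without a shell; log failures instead of hiding them."""
    argv = build_argv(script_argv, hostname, client_uuid)
    # A list argv with shell=False hands each value to the script as one
    # argument, so metacharacters in any value are never interpreted.
    proc = subprocess.run(argv, shell=False, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, timeout=timeout)
    if proc.returncode != 0:
        log.error("trigger %s exited %d: %s", argv[0], proc.returncode,
                  proc.stderr.decode(errors="replace").strip())
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample values, not taken from the report.
    ok = "123e4567-e89b-12d3-a456-426614174000"
    print(run_trigger([sys.executable, "-c", "pass"], "client.example.org", ok))
    for bad in (ok + "\n", ok + "; echo injected", "not-a-uuid"):
        try:
            build_argv(["/bin/true"], "client.example.org", bad)
        except InvalidClientValue as exc:
            print(exc)
```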
Created bcfg2 tracking bugs for this issue

Affects: fedora-all [bug 835987]
Affects: epel-all [bug 835988]
Added CVE as per http://www.openwall.com/lists/oss-security/2012/06/28/1