Bug 835985 - (CVE-2012-3366) CVE-2012-3366 bcfg2: arbitrary code execution flaw in Trigger plugin
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Depends On: 835987 835988
Reported: 2012-06-27 14:24 EDT by Vincent Danen
Modified: 2012-12-20 12:50 EST
Doc Type: Bug Fix
Last Closed: 2012-12-20 12:50:51 EST
Attachments: None

Description Vincent Danen 2012-06-27 14:24:59 EDT
Quoting the upstream announcement [1]:

"We have found a major security flaw in the Trigger plugin that would allow a malicious user who has root access to a Bcfg2 client to run arbitrary commands on the server as the user the bcfg2-server process is running as by passing a malformed UUID.

This is very similar to a flaw discovered last year in a large number of other plugins; this instance was not fixed at that time because Trigger uses a different method to invoke external shell commands, and because Trigger previously hid all errors from trigger scripts, so tests did not find the issue. As a side effect of this change, Trigger will begin reporting errors from triggered scripts.

This only affects the Trigger plugin; if you are not using Trigger, you are not affected by this flaw. As a workaround, you can disable Trigger until you are able to upgrade."

This has been corrected in git [2], which will be included in the future 1.2.3 release (currently not available).

EPEL5 is using 1.1.3, for which there is no patch, so the upstream patch will need to be backported or EPEL5 will need to be upgraded to 1.2.x and patched.  Debian does have a backported patch for their 1.0.1 package which may be applicable (haven't checked if it applies) [3].

[1] http://permalink.gmane.org/gmane.comp.sysutils.bcfg2.devel/4539
[2] http://trac.mcs.anl.gov/projects/bcfg2/changeset/a524967e8d5c4c22e49cd619aed20c87a316c0be
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679272
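The flaw class described in the announcement is a client-supplied value (the UUID) reaching a shell command on the server. The following is an added illustration of the defensive pattern, written here in Python because bcfg2 is a Python project; it is not bcfg2's code nor the upstream fix, and the trigger script path and the convention of passing the UUID as the single positional argument are assumptions. The idea is an allowlist check on the UUID's shape plus execution via an argument list with no shell, so the value can never be interpreted as anything but one argument.

```python
import re
import subprocess
import uuid

# Canonical RFC 4122 text form only (8-4-4-4-12 hex groups). This is an
# allowlist: the server never has to reason about which characters a shell
# would treat specially, because nothing outside this shape is accepted.
_CANONICAL_UUID = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def is_valid_client_uuid(raw):
    """True only for a string in canonical RFC 4122 form."""
    return isinstance(raw, str) and _CANONICAL_UUID.fullmatch(raw) is not None


def normalise_client_uuid(raw):
    """Return the UUID in lowercase canonical form, or raise ValueError.

    Rejecting early means a malformed value is refused (and can be logged)
    before any trigger script is looked up or started.
    """
    if not is_valid_client_uuid(raw):
        raise ValueError("client UUID is not in canonical RFC 4122 form: %r" % (raw,))
    return str(uuid.UUID(raw))


def build_trigger_argv(script_path, client_uuid):
    """argv for one trigger script (hypothetical convention: the UUID is the
    single positional argument). Because this is an argument list and no shell
    is involved, the UUID reaches the script as exactly one argv entry."""
    return [script_path, normalise_client_uuid(client_uuid)]


def run_trigger(script_path, client_uuid, timeout=60):
    """Run one trigger script without a shell and surface its failures
    instead of hiding them (the upstream fix likewise began reporting errors
    from triggered scripts)."""
    argv = build_trigger_argv(script_path, client_uuid)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    if result.returncode != 0:
        raise RuntimeError("trigger %s exited %d: %s"
                           % (script_path, result.returncode, result.stderr.strip()))
    return result.stdout
```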
Comment 1 Vincent Danen 2012-06-27 14:26:38 EDT
Created bcfg2 tracking bugs for this issue

Affects: fedora-all [bug 835987]
Affects: epel-all [bug 835988]
Comment 2 Kurt Seifried 2012-06-27 20:28:31 EDT
Added CVE as per http://www.openwall.com/lists/oss-security/2012/06/28/1
