Red Hat Bugzilla – Bug 835985
CVE-2012-3366 bcfg2: arbitrary code execution flaw in Trigger plugin
Last modified: 2012-12-20 12:50:51 EST
Quoting the upstream announcement:
"We have found a major security flaw in the Trigger plugin that would
allow a malicious user who has root access to a Bcfg2 client to run
arbitrary commands on the server as the user the bcfg2-server process is
running as by passing a malformed UUID.
This is very similar to a flaw discovered last year in a large number of
other plugins; this instance was not fixed at that time because Trigger
uses a different method to invoke external shell commands, and because
Trigger previously hid all errors from trigger scripts, so tests did not
find the issue. As a side effect of this change, Trigger will begin
reporting errors from triggered scripts.
This only affects the Trigger plugin; if you are not using Trigger, you
are not affected by this flaw. As a workaround, you can disable Trigger
until you are able to upgrade."
This has been corrected in git which will be included in the future 1.2.3 release (currently not available).
EPEL5 is using 1.1.3, for which there is no patch, so the upstream patch will need to be backported or EPEL5 will need to be upgraded to 1.2.x and patched. Debian does have a backported patch for their 1.0.1 package which may be applicable (haven't checked if it applies).
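Added example (not part of the original report, and not bcfg2's code or the upstream patch): one way a server-side hook runner can handle a client-supplied UUID so that it never reaches a shell, while still reporting script errors as the announcement describes. The names run_trigger, validate_client_uuid and the "--uuid" argument are hypothetical, and the trigger script is a constructed stand-in.

```python
import re
import subprocess
import sys

# Canonical 8-4-4-4-12 hex form only. fullmatch() also rejects trailing
# newlines, leading dashes (option injection) and any shell metacharacter.
_UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def validate_client_uuid(value):
    """Return the UUID unchanged if it is canonical, else raise ValueError."""
    if not isinstance(value, str) or not _UUID_RE.fullmatch(value):
        raise ValueError("rejecting malformed client UUID: %r" % (value,))
    return value


def run_trigger(script_argv, hostname, client_uuid, timeout=30):
    """Run one trigger script and return (exit_code, stderr_text).

    The command is passed as an argument vector with shell=False, so the
    client-supplied value is a single argv entry and is never parsed by a
    shell. stderr is captured and returned instead of being discarded.
    """
    argv = list(script_argv) + [hostname, "--uuid",
                                validate_client_uuid(client_uuid)]
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stderr.strip()


# Constructed stand-in for a trigger script: fails and writes to stderr.
FAILING_TRIGGER = [
    sys.executable, "-c",
    "import sys; sys.stderr.write('trigger failed for ' + sys.argv[1]); "
    "sys.exit(3)",
]

if __name__ == "__main__":
    good = "123e4567-e89b-12d3-a456-426614174000"  # constructed sample
    print(run_trigger(FAILING_TRIGGER, "client.example.com", good))
    try:
        run_trigger(FAILING_TRIGGER, "client.example.com",
                    good + "; echo injected")
    except ValueError as exc:
        print("blocked:", exc)
```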
Created bcfg2 tracking bugs for this issue
Affects: fedora-all [bug 835987]
Affects: epel-all [bug 835988]
Added CVE as per http://www.openwall.com/lists/oss-security/2012/06/28/1