Bug 607662 (CVE-2010-2235) - CVE-2010-2235 RHN Satellite (cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file
Status: CLOSED ERRATA
Alias: CVE-2010-2235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assignee: Red Hat Product Security
Depends On: 607340 623837 643900
Reported: 2010-06-24 14:30 UTC by Jan Lieskovsky
Modified: 2023-05-11 14:56 UTC

Doc Type: Bug Fix
Last Closed: 2012-03-06 10:14:05 UTC
Links:
  System: Red Hat Product Errata
  ID: RHSA-2010:0775
  Private: 0
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Important: cobbler security update
  Last Updated: 2010-10-18 13:20:52 UTC

Description Jan Lieskovsky 2010-06-24 14:30:00 UTC
A code injection flaw was found in the way Cobbler processed
templates for kickstart files. A remote authenticated user who
has the Configuration Administrator role privilege could use this
flaw to create a specially crafted kickstart template file containing
embedded Python code that could, when processed by the Cheetah template
processing engine, execute arbitrary code with the privileges of the
privileged system user (root) on the Red Hat Network Satellite Server host.

References:
  [1] https://fedorahosted.org/cobbler/wiki/KickstartTemplating

Acknowledgements:

Red Hat would like to thank Doug Knight of University of Alaska for reporting this issue.
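
An added example, not part of the bug report, not Cobbler's or Red Hat's code, and not the fix shipped in RHSA-2010:0775: a review aid that flags the constructs in a kickstart template through which Cheetah pulls in Python code (`#import`, `#from ... import`, and PSP-style `<% %>` tags). The allowlist, the function names and the sample template are assumptions constructed for illustration.

```python
import re

# Assumption: a site policy listing the modules templates may import.
ALLOWED_IMPORTS = frozenset({"re", "time", "random"})

# "#import a, b as c" and "#from pkg.mod import name" bring Python modules into
# the template. Search anywhere on the line rather than only at its start, to
# err on the side of reporting.
IMPORT_RE = re.compile(r"#import\s+([^#\n]+)")
FROM_RE = re.compile(r"#from\s+([\w.]+)\s+import\b")
# PSP-style tags "<% ... %>" and "<%= ... %>" carry raw Python.
PSP_RE = re.compile(r"<%")


def imported_modules(line):
    """Top-level module names imported by Cheetah directives on one line."""
    names = [m.group(1) for m in FROM_RE.finditer(line)]
    for m in IMPORT_RE.finditer(line):
        for part in m.group(1).split(","):
            if part.split():
                names.append(part.split()[0])  # drop any "as alias"
    return [n.split(".")[0] for n in names]


def audit_template(text, allowed=ALLOWED_IMPORTS):
    """Return (line_number, reason) findings for one template, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for mod in imported_modules(line):
            if mod not in allowed:
                findings.append((lineno, "import of non-allowlisted module: " + mod))
        if PSP_RE.search(line):
            findings.append((lineno, "PSP-style Python block"))
    return findings


# Constructed sample template (not taken from the bug report).
SAMPLE = """\
#import time
#set $stamp = $time.strftime("%Y-%m-%d")
install
#import os
#from shutil import copy
<% marker = 1 %>
$SNIPPET('network_config')
"""

if __name__ == "__main__":
    for lineno, reason in audit_template(SAMPLE):
        print("line %d: %s" % (lineno, reason))
```

Cheetah placeholders and `#set` expressions are also evaluated as Python, so a scan like this supports template review and does not by itself make untrusted templates safe to render.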

Comment 2 Jan Lieskovsky 2010-06-24 15:03:33 UTC
This issue affects the v5.3.0 version of the Red Hat Network Satellite.

This issue did NOT affect the previous versions (v3.7.0, v4.0.0, v4.1.0,
v4.2.0, v5.0.0, v5.1.0, v5.2.0) of the Red Hat Network Satellite.

Comment 4 Vincent Danen 2010-06-24 15:35:53 UTC
This issue has been assigned CVE-2010-2235.

Comment 10 errata-xmlrpc 2010-10-18 13:20:59 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0775 https://rhn.redhat.com/errata/RHSA-2010-0775.html

Comment 11 Jan Lieskovsky 2010-10-18 13:28:06 UTC
Created cobbler tracking bugs for this issue

Affects: fedora-all [bug 643900]

Comment 12 Vincent Danen 2010-10-21 15:20:32 UTC
Which upstream version of Cobbler has this fix?  Does 2.0.7 have the fix?  I can't seem to find the information that would tell me where this fix landed upstream.

Does anyone know?

Comment 13 Doug Knight 2010-10-21 19:27:36 UTC
2.0.7 in koji contains the patch.  shenson hasn't had a chance to do a release yet.

Comment 14 Vincent Danen 2010-10-21 19:43:24 UTC
Thanks, Doug.  Would that be this part of the upstream changelog then?

- Oct 18 2010 - 2.0.7
- (BUGF) Disabled certain undesirable behavior of cheetah

I think it might be, but there is no reference to the CVE name or this bug, so hard to tell by looking at the CHANGELOG file.

Comment 15 Doug Knight 2010-10-22 00:08:32 UTC
I would have to assume so; that's the only log message that looks plausible.  I pulled down the koji build and confirmed that template_api.py does include the patch, but as you said, the CVE and bug are not mentioned anywhere.  shenson might have more information if you still have questions.

Comment 16 Vincent Danen 2010-10-25 15:29:27 UTC
Yeah, double-checked that with a few other folks and it is fixed in 2.0.7, as noted above.  Thanks!

