Evgeni Golov of Red Hat reports: It was found that katello-debug.sh uses static, perfectly guessable paths in /tmp for its temporary files, which can lead to symlink attacks on /tmp/tasks_export.log and /tmp/pulp_running_tasks.js, leading to overwritten files anywhere on the system (as katello-debug is run via sos as root), or to code execution inside of mongo via /tmp/pulp_running_tasks.js if $user pre-creates that file and overwrites it after the command is echoed there, modifying it at his own will before mongo is called on it.
Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1405387
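The defect class described above (a fixed, world-known name under /tmp written by a root process) is fixed by letting mktemp create a private, unpredictably named work directory and refusing to write through anything that already exists at the target. The script below is an added illustration of that pattern and is not the patch attached to this bug nor any part of katello-debug.sh; the function names, the template name katello-debug.XXXXXXXXXX and the sample content are assumptions.

```shell
#!/bin/sh
# Added example, not the katello-debug.sh patch from this bug report.
# Shows the predictable-path pattern the report describes next to a
# mktemp-based replacement.

# Insecure pattern (as in the report): a static, guessable path. Any local
# user can pre-create it, or plant a symlink there, before the root-run
# script writes to it, so the write lands wherever the link points.
insecure_export_path() {
    echo "/tmp/tasks_export.log"
}

# Safer pattern: mktemp -d atomically creates a directory with an
# unpredictable name and mode 0700 (honouring TMPDIR if set). It fails
# instead of reusing an entry someone else created, so there is no window
# for a symlink to be placed under the name first.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/katello-debug.XXXXXXXXXX"
}

# Write collected output into the private directory.
# $1 = work directory, $2 = content to record (constructed sample data).
write_report() {
    out="$1/tasks_export.log"
    # Never write through a pre-existing entry: a file or symlink already
    # at the target is a sign of tampering, not something to overwrite.
    if [ -e "$out" ] || [ -L "$out" ]; then
        echo "refusing to write to existing path $out" >&2
        return 1
    fi
    printf '%s\n' "$2" > "$out" || return 1
    echo "$out"
}

# Before handing a temp file to another program (the mongo step in the
# report), confirm it is a regular file and not a symlink. [ -f ] follows
# links, so the explicit [ ! -L ] check is what rejects a planted link.
is_plain_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Example run: create the work directory, record a line, verify, clean up.
if [ "${KD_EXAMPLE_RUN:-0}" = "1" ]; then
    workdir=$(make_workdir) || exit 1
    report=$(write_report "$workdir" "sample task export line") || exit 1
    is_plain_regular_file "$report" && echo "wrote $report"
    rm -rf "$workdir"
fi
```

The important difference from the reported code is that the directory name is chosen by mktemp at run time, the directory is created by the script itself with mode 0700, and the write refuses to proceed if the target already exists, so a pre-planted /tmp/tasks_export.log or /tmp/pulp_running_tasks.js no longer influences where the root-owned process writes or what mongo later reads.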
Created attachment 1255095: patch for the issue.
Acknowledgments: Name: Evgeni Golov (Red Hat)
This issue has been addressed in the following products: Red Hat Satellite 6.3 for RHEL 7 Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336