Bug 2271614 (CVE-2024-2947) - CVE-2024-2947 cockpit: command injection when deleting a sosreport with a crafted name
Summary: CVE-2024-2947 cockpit: command injection when deleting a sosreport with a cra...
Keywords:
Status: MODIFIED
Alias: CVE-2024-2947
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2271815
Blocks: 2243651
TreeView+ depends on / blocked
 
Reported: 2024-03-26 14:25 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-10-10 13:57 UTC (History)
4 users (show)

Fixed In Version: cockpit 314
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github cockpit-project cockpit pull 20232 0 None open sosreport: Fix command injection with crafted report names [CVE-2024-2947] 2024-03-27 14:01:21 UTC
Red Hat Product Errata RHSA-2024:3667 0 None None None 2024-06-06 08:42:36 UTC
Red Hat Product Errata RHSA-2024:3843 0 None None None 2024-06-11 19:25:59 UTC

Description Guilherme de Almeida Suckevicz 2024-03-26 14:25:02 UTC
A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation.

Reference:
https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a

Upstream patch:
https://github.com/cockpit-project/cockpit/commit/9c4cc9b6df632082538b53bdc8ee9ec1c5cad4da

Comment 3 Martin Pitt 2024-03-27 05:22:58 UTC
Precise pointer to the flaw: https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a#diff-62c94c14cb8793bb67e4f27c6c067095648a9d3f185c66f0d0dde300219e9bd1R232

Adding Marius. I quickly discussed that issue with him. My main concern was about the purpose of that glob, as it's not obvious why it's even there. Seems it's really just to also cover the sosreport*.gpg signature. So a proper fix would look something like this:

  cockpit.file(path, { superuser: true }).replace(null);
  cockpit.file(path + ".gpg", { superuser: true }).replace(null);

Plus strengthening the integration test [1] to make sure that no /var/tmp/{base_report}* files are present (ironically, *that* place should use a glob :-) ), i.e. that we clean up all files just in case there is or ever will be something else than just *.gpg.

Marius, WDYT? (Please note: no pushing fixes anywhere, just discussing in this issue until the embargo gets lifted)

[1] https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a#diff-a5be77b91c9305612a9dd01559e56d53c7802281fd6bc8df606a63020117e1d1R115

Comment 4 Guilherme de Almeida Suckevicz 2024-03-27 12:54:45 UTC
Created cockpit tracking bugs for this issue:

Affects: fedora-all [bug 2271815]

Comment 5 Martin Pitt 2024-03-27 14:01:21 UTC
Upstream fix: https://github.com/cockpit-project/cockpit/pull/20232

Comment 6 errata-xmlrpc 2024-06-06 08:42:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3667 https://access.redhat.com/errata/RHSA-2024:3667

Comment 7 errata-xmlrpc 2024-06-11 19:25:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3843 https://access.redhat.com/errata/RHSA-2024:3843


Note You need to log in before you can comment on or make changes to this bug.