A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation.

Reference: https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a
Upstream patch: https://github.com/cockpit-project/cockpit/commit/9c4cc9b6df632082538b53bdc8ee9ec1c5cad4da
Precise pointer to the flaw: https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a#diff-62c94c14cb8793bb67e4f27c6c067095648a9d3f185c66f0d0dde300219e9bd1R232

Adding Marius. I quickly discussed that issue with him. My main concern was about the purpose of that glob, as it's not obvious why it's even there. Seems it's really just to also cover the sosreport*.gpg signature. So a proper fix would look something like this:

    cockpit.file(path, { superuser: true }).replace(null);
    cockpit.file(path + ".gpg", { superuser: true }).replace(null);

Plus strengthening the integration test [1] to make sure that no /var/tmp/{base_report}* files are present (ironically, *that* place should use a glob :-) ), i.e. that we clean up all files just in case there is or ever will be something else than just *.gpg.

Marius, WDYT?

(Please note: no pushing fixes anywhere, just discussing in this issue until the embargo gets lifted)

[1] https://github.com/cockpit-project/cockpit/commit/ee8f946df39779ee37071006d1d4826317f25c9a#diff-a5be77b91c9305612a9dd01559e56d53c7802281fd6bc8df606a63020117e1d1R115
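The approach sketched in the comment above, deleting the report and its companion file by explicit path rather than through a shell glob, as an added example that is not Cockpit project code. The `file(path, {superuser: true}).replace(null)` calls are modelled on the snippet in the discussion but run against an in-memory fake so the example works in Node; the report filename pattern, the `COMPANION_SUFFIXES` list and the `leftovers` check are assumptions introduced here, not part of the Cockpit code base.

```javascript
// Added example, not Cockpit project code. Demonstrates: (1) accepting only a
// plain basename for the report, (2) deleting by explicit literal paths so no
// string is ever handed to a shell, (3) the "nothing left behind" check the
// discussion proposes for the integration test.

// Assumed filename shape for generated reports (the real sos naming scheme may
// differ); a filename is only ever used as a literal path, never as command text.
const REPORT_NAME = /^sosreport-[A-Za-z0-9._-]+\.tar\.(xz|gz)$/;

function validateReportName(name) {
  // Path separators, whitespace, quotes and glob/shell metacharacters all fail
  // the pattern, so one check rejects traversal and injection attempts alike.
  if (typeof name !== "string" || !REPORT_NAME.test(name)) {
    throw new Error("refusing to delete unexpected report name: " + JSON.stringify(name));
  }
  return name;
}

// Companion files that must go together with the report. ".gpg" is the one the
// discussion identifies; this list is the single place to add others later.
const COMPANION_SUFFIXES = [".gpg"];

// Every path the cleanup will touch, fully spelled out: no glob, no wildcard.
function cleanupPaths(dir, name) {
  const base = dir + "/" + validateReportName(name);
  return [base, ...COMPANION_SUFFIXES.map((s) => base + s)];
}

// In-memory stand-in for a file API with the shape used in the proposed fix:
// file(path, opts).replace(null) removes exactly the one path it was given.
function makeFileApi(initialFiles) {
  const files = new Set(initialFiles);
  return {
    file(path, _opts) {
      return {
        replace(content) {
          if (content === null) files.delete(path);
        },
      };
    },
    list() {
      return [...files].sort();
    },
  };
}

function deleteReport(api, dir, name) {
  for (const p of cleanupPaths(dir, name)) {
    api.file(p, { superuser: true }).replace(null);
  }
}

// Test-side check from the discussion: after cleanup, no <dir>/<base_report>*
// entries may remain. Here the prefix match *is* the right tool, because it runs
// over a directory listing rather than being interpolated into a command.
function leftovers(api, dir, name) {
  const prefix = dir + "/" + name;
  return api.list().filter((p) => p.startsWith(prefix));
}

// Constructed sample listing for a stand-alone run.
const demo = makeFileApi([
  "/var/tmp/sosreport-host-2024.tar.xz",
  "/var/tmp/sosreport-host-2024.tar.xz.gpg",
  "/var/tmp/other.txt",
]);
deleteReport(demo, "/var/tmp", "sosreport-host-2024.tar.xz");
console.log("left behind:", leftovers(demo, "/var/tmp", "sosreport-host-2024.tar.xz"));
console.log("remaining:", demo.list());
```

The important property is that `cleanupPaths` returns a fixed, fully spelled-out list: the filename influences which literal paths are removed, never the syntax of any command, and the validation step turns a surprising name into a refusal rather than a surprising deletion.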
Created cockpit tracking bugs for this issue: Affects: fedora-all [bug 2271815]
Upstream fix: https://github.com/cockpit-project/cockpit/pull/20232
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3667 https://access.redhat.com/errata/RHSA-2024:3667
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:3843 https://access.redhat.com/errata/RHSA-2024:3843