Package: bcfg2-server
Version: 1.0.1-3+squeeze1
Severity: critical
Tags: security, patch, pending
Quoting the upstream announcement (written by Chris St. Pierre):
"We have found a major security flaw in the Trigger plugin that would allow a
malicious user who has root access to a Bcfg2 client to run arbitrary commands
on the server as the user the bcfg2-server process is running as by passing a
malformed UUID.
This is very similar to a flaw discovered last year in a large number of other
plugins; this instance was not fixed at that time because Trigger uses a
different method to invoke external shell commands, and because Trigger
previously hid all errors from trigger scripts, so tests did not find the
issue. As a side effect of this change, Trigger will begin reporting errors
from triggered scripts.
This only affects the Trigger plugin; if you are not using Trigger, you are
not affected by this flaw. As a workaround, you can disable Trigger until you
are able to upgrade."
In Debian (and all other distros I know of) the bcfg2 server runs as
root, so in practice this is a remote root hole (limited to attackers
who can connect to the bcfg2 server (protected by a password and/or an
ssl key)).
--
Arto Jantunen
commit 8b0a5c5fc3ca99f6a2a8c393cedd02be66e6a846 (HEAD, squeeze-security)
Author: Arto Jantunen <vi...@debian.org>
Date: Wed Jun 27 12:00:08 2012 +0300
Backport upstream patch to fix unescaped shell command issues in the Trigger plugin
diff --git a/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch b/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
new file mode 100644
index 0000000..fd58e79
--- /dev/null
+++ b/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
@@ -0,0 +1,69 @@
+From: Chris St. Pierre <chris.a.st.pie...@gmail.com>
+Date: Tue, 12 Jun 2012 09:20:10 -0400
+Subject: [PATCH] Fix unescaped shell commands in the Trigger plugin
+
+---
+ src/lib/Server/Plugins/Trigger.py | 42 ++++++++++++++++++++++++------------
+ 1 files changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/src/lib/Server/Plugins/Trigger.py b/src/lib/Server/Plugins/Trigger.py
+index b457431..5e6007e 100644
+--- a/src/lib/Server/Plugins/Trigger.py
++++ b/src/lib/Server/Plugins/Trigger.py
+@@ -1,17 +1,7 @@
+ import os
++import pipes
+ import Bcfg2.Server.Plugin
+-
+-
+-def async_run(prog, args):
+- pid = os.fork()
+- if pid:
+- os.waitpid(pid, 0)
+- else:
+- dpid = os.fork()
+- if not dpid:
+- os.system(" ".join([prog] + args))
+- os._exit(0)
+-
++from subprocess import Popen, PIPE
+
+ class Trigger(Bcfg2.Server.Plugin.Plugin,
+ Bcfg2.Server.Plugin.Statistics):
+@@ -27,9 +17,33 @@ class Trigger(Bcfg2.Server.Plugin.Plugin,
+ self.logger.error("Trigger: spool directory %s does not exist; unloading" % self.data)
+ raise Bcfg2.Server.Plugin.PluginInitError
+
++ def async_run(self, args):
++ pid = os.fork()
++ if pid:
++ os.waitpid(pid, 0)
++ else:
++ dpid = os.fork()
++ if not dpid:
++ self.debug_log("Running %s" % " ".join(pipes.quote(a)
++ for a in args))
++ proc = Popen(args, stdin=PIPE, stdout=PIPE, stderr=PIPE)
++ (out, err) = proc.communicate()
++ rv = proc.wait()
++ if rv != 0:
++ self.logger.error("Trigger: Error running %s (%s): %s" %
++ (args[0], rv, err))
++ elif err:
++ self.debug_log("Trigger: Error: %s" % err)
++ os._exit(0)
++
+ def process_statistics(self, metadata, _):
+ args = [metadata.hostname, '-p', metadata.profile, '-g',
+ ':'.join([g for g in metadata.groups])]
+ for notifier in os.listdir(self.data):
+- n = self.data + '/' + notifier
+- async_run(n, args)
++ if ((notifier[-1] == '~') or
++ (notifier[:2] == '.#') or
++ (notifier[-4:] == '.swp') or
++ (notifier in ['SCCS', '.svn', '4913'])):
++ continue
++ npath = os.path.join(self.data, notifier)
++ self.async_run([npath] + args)
+--
diff --git a/debian/patches/series b/debian/patches/series
index 4086f4e..6b4ca70 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
0002-apt-deprecation-warnings.patch
0003-agent-in-manpage.patch
0004-unescaped-shell-command-fixes.patch
+0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
\ No newline at end of file
