Your message dated Wed, 27 Jun 2012 21:18:45 +0000
with message-id <e1sjzdn-00022u...@franck.debian.org>
and subject line Bug#679272: fixed in bcfg2 1.2.2-2
has caused the Debian Bug report #679272,
regarding bcfg2-server: unescaped shell command issues in the Trigger plugin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
679272: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679272
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bcfg2-server
Version: 1.0.1-3+squeeze1
Severity: critical
Tags: security, patch, pending

Quoting the upstream announcement (written by Chris St. Pierre):

"We have found a major security flaw in the Trigger plugin that would allow a
malicious user who has root access to a Bcfg2 client to run arbitrary commands
on the server as the user the bcfg2-server process is running as by passing a
malformed UUID.

This is very similar to a flaw discovered last year in a large number of other
plugins; this instance was not fixed at that time because Trigger uses a
different method to invoke external shell commands, and because Trigger
previously hid all errors from trigger scripts, so tests did not find the
issue.  As a side effect of this change, Trigger will begin reporting errors
from triggered scripts.

This only affects the Trigger plugin; if you are not using Trigger, you are
not affected by this flaw.  As a workaround, you can disable Trigger until you
are able to upgrade."

In Debian (and all other distros I know of) the bcfg2 server runs as
root, so in practice this is a remote root hole (limited to attackers
who can connect to the bcfg2 server (protected by a password and/or an
ssl key)).

-- 
Arto Jantunen

commit 8b0a5c5fc3ca99f6a2a8c393cedd02be66e6a846 (HEAD, squeeze-security)
Author: Arto Jantunen <vi...@debian.org>
Date:   Wed Jun 27 12:00:08 2012 +0300

    Backport upstream patch to fix unescaped shell command issues in the Trigger plugin

diff --git a/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch b/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
new file mode 100644
index 0000000..fd58e79
--- /dev/null
+++ b/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
@@ -0,0 +1,69 @@
+From: Chris St. Pierre <chris.a.st.pie...@gmail.com>
+Date: Tue, 12 Jun 2012 09:20:10 -0400
+Subject: [PATCH] Fix unescaped shell commands in the Trigger plugin
+
+---
+ src/lib/Server/Plugins/Trigger.py |   42 ++++++++++++++++++++++++------------
+ 1 files changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/src/lib/Server/Plugins/Trigger.py b/src/lib/Server/Plugins/Trigger.py
+index b457431..5e6007e 100644
+--- a/src/lib/Server/Plugins/Trigger.py
++++ b/src/lib/Server/Plugins/Trigger.py
+@@ -1,17 +1,7 @@
+ import os
++import pipes
+ import Bcfg2.Server.Plugin
+-
+-
+-def async_run(prog, args):
+-    pid = os.fork()
+-    if pid:
+-        os.waitpid(pid, 0)
+-    else:
+-        dpid = os.fork()
+-        if not dpid:
+-            os.system(" ".join([prog] + args))
+-        os._exit(0)
+-
++from subprocess import Popen, PIPE
+ 
+ class Trigger(Bcfg2.Server.Plugin.Plugin,
+               Bcfg2.Server.Plugin.Statistics):
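Review bot: the new `import pipes` in this hunk is pulled in only so the debug log line can quote arguments; `pipes.quote` exists in Python 2 but is undocumented there (the documented equivalent, `shlex.quote`, only arrived in Python 3.3), so a short comment on the import would tell later maintainers why it is used rather than `shlex`. Dropping the module-level `async_run`, whose `os.system(" ".join([prog] + args))` handed the joined argument string to `/bin/sh`, is the substance of the fix, and `from subprocess import Popen, PIPE` is the right replacement; PEP 8 also wants two blank lines before `class Trigger`, which the hunk collapses to one.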
+@@ -27,9 +17,33 @@ class Trigger(Bcfg2.Server.Plugin.Plugin,
+             self.logger.error("Trigger: spool directory %s does not exist; unloading" % self.data)
+             raise Bcfg2.Server.Plugin.PluginInitError
+ 
++    def async_run(self, args):
++        pid = os.fork()
++        if pid:
++            os.waitpid(pid, 0)
++        else:
++            dpid = os.fork()
++            if not dpid:
++                self.debug_log("Running %s" % " ".join(pipes.quote(a)
++                                                       for a in args))
++                proc = Popen(args, stdin=PIPE, stdout=PIPE, stderr=PIPE)
++                (out, err) = proc.communicate()
++                rv = proc.wait()
++                if rv != 0:
++                    self.logger.error("Trigger: Error running %s (%s): %s" %
++                                      (args[0], rv, err))
++                elif err:
++                    self.debug_log("Trigger: Error: %s" % err)
++            os._exit(0)
++
+     def process_statistics(self, metadata, _):
+         args = [metadata.hostname, '-p', metadata.profile, '-g',
+                 ':'.join([g for g in metadata.groups])]
+         for notifier in os.listdir(self.data):
+-            n = self.data + '/' + notifier
+-            async_run(n, args)
++            if ((notifier[-1] == '~') or
++                (notifier[:2] == '.#') or
++                (notifier[-4:] == '.swp') or
++                (notifier in ['SCCS', '.svn', '4913'])):
++                continue
++            npath = os.path.join(self.data, notifier)
++            self.async_run([npath] + args)
+-- 
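Review bot: in the new `async_run`, `rv = proc.wait()` after `proc.communicate()` is redundant, since `communicate()` already waits for the child and sets `proc.returncode`; use that, and either log the captured `out` alongside `err` or stop piping stdout, as `out` is currently assigned and never used. Passing `[npath] + args` to `Popen` as a list without `shell=True` means the client-derived hostname, profile and groups reach the notifier as discrete argv elements rather than through `/bin/sh`, which is what closes the injection; the values are still unsanitized when the scripts receive them, so trigger scripts that parse their own options should treat the first positional argument strictly as a hostname. The skip list for editor artifacts (`~`, `.#`, `.swp`, `SCCS`, `.svn`, `4913`) would read better as a named module-level constant with a comment on the `4913` entry.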
diff --git a/debian/patches/series b/debian/patches/series
index 4086f4e..6b4ca70 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0002-apt-deprecation-warnings.patch
 0003-agent-in-manpage.patch
 0004-unescaped-shell-command-fixes.patch
+0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
\ No newline at end of file
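Review bot: the added `0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch` line in `debian/patches/series` is written without a trailing newline (`\ No newline at end of file`); quilt tolerates it, but the file should end with a newline so the next patch appended produces a clean one-line diff rather than a modified last line. The series now carries both `0004-unescaped-shell-command-fixes.patch` and this Trigger fix, consistent with the announcement that Trigger was missed by the earlier round.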

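The flaw described in the report and the fix in the patch above, as an added Python 3 illustration that is not Bcfg2 code: the pre-patch `os.system(" ".join(...))` string beside the patched argv-list call, with a check that client-derived metadata arrives at the notifier script as single, uninterpreted arguments. The stand-in notifier (`ECHO_ARGV`), the `notify` path and the sample metadata are constructed, and `shlex.quote` stands in for the Python 2 `pipes.quote` the patch uses.

```python
"""Constructed illustration of the Trigger plugin flaw and its fix: client-derived
metadata handed to a notifier script as an argv list, not a shell command string."""
import ast
import shlex
import subprocess
import sys

# Stand-in for a trigger script (constructed, not a Bcfg2 file): prints its argv
# as a Python literal so the caller can see exactly what it received.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(repr(sys.argv[1:]))"]


def build_trigger_args(hostname, profile, groups):
    """Argument layout the patched process_statistics() builds:
    hostname -p profile -g group1:group2:..."""
    return [hostname, "-p", profile, "-g", ":".join(groups)]


def vulnerable_command_line(prog, args):
    """The string the pre-patch async_run passed to os.system(): a bare join, so
    /bin/sh would word-split, strip quotes and expand any metacharacters in
    client-supplied metadata. Built for display only; never executed here."""
    return " ".join([prog] + args)


def shell_safe_log_line(args):
    """What the patch writes to the debug log: every argument quoted
    (pipes.quote on Python 2; shlex.quote is the Python 3 equivalent)."""
    return " ".join(shlex.quote(a) for a in args)


def run_trigger(args):
    """Patched behaviour: argv list, no shell. Returns the argv the script saw."""
    proc = subprocess.run(ECHO_ARGV + args, capture_output=True, text=True, check=True)
    return ast.literal_eval(proc.stdout.strip())


def metadata_reaches_script_intact(hostname, profile, groups):
    """Defensive check: each metadata field must arrive as exactly one argv
    element, whatever characters it contains."""
    args = build_trigger_args(hostname, profile, groups)
    return run_trigger(args) == args


if __name__ == "__main__":
    # Constructed sample: a "hostname" carrying shell metacharacters.
    args = build_trigger_args('web01 "quoted" $HOME', "web", ["debian", "squeeze"])
    print("pre-patch shell string:", vulnerable_command_line("notify", args))
    print("logged as:", shell_safe_log_line(args))
    print("intact via argv list:", run_trigger(args) == args)
```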
--- End Message ---
--- Begin Message ---
Source: bcfg2
Source-Version: 1.2.2-2

We believe that the bug you reported is fixed in the latest version of
bcfg2, which is due to be installed in the Debian FTP archive:

bcfg2-server_1.2.2-2_all.deb
  to main/b/bcfg2/bcfg2-server_1.2.2-2_all.deb
bcfg2-web_1.2.2-2_all.deb
  to main/b/bcfg2/bcfg2-web_1.2.2-2_all.deb
bcfg2_1.2.2-2.debian.tar.gz
  to main/b/bcfg2/bcfg2_1.2.2-2.debian.tar.gz
bcfg2_1.2.2-2.dsc
  to main/b/bcfg2/bcfg2_1.2.2-2.dsc
bcfg2_1.2.2-2_all.deb
  to main/b/bcfg2/bcfg2_1.2.2-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 679...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arto Jantunen <vi...@debian.org> (supplier of updated bcfg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Wed, 27 Jun 2012 21:25:43 +0300
Source: bcfg2
Binary: bcfg2 bcfg2-server bcfg2-web
Architecture: source all
Version: 1.2.2-2
Distribution: unstable
Urgency: high
Maintainer: Arto Jantunen <vi...@debian.org>
Changed-By: Arto Jantunen <vi...@debian.org>
Description: 
 bcfg2      - Configuration management client
 bcfg2-server - Configuration management server
 bcfg2-web  - Configuration management web interface
Closes: 679272
Changes: 
 bcfg2 (1.2.2-2) unstable; urgency=high
 .
   * Urgency=high due to security fix
   * Apply patch from Chris St. Pierre to fix an unescaped shell command
     vulnerability in the Trigger plugin (Closes: #679272)




--- End Message ---
