Arto Jantunen <vi...@debian.org> writes:
> Package: bcfg2-server
> Version: 1.0.1-3+squeeze1
> Severity: critical
> Tags: security, patch, pending
>
> Quoting the upstream announcement (written by Chris St. Pierre):
>
> "We have found a major security flaw in the Trigger plugin that would allow a
> malicious user who has root access to a Bcfg2 client to run arbitrary commands
> on the server as the user the bcfg2-server process is running as by passing a
> malformed UUID.
>
> This is very similar to a flaw discovered last year in a large number of other
> plugins; this instance was not fixed at that time because Trigger uses a
> different method to invoke external shell commands, and because Trigger
> previously hid all errors from trigger scripts, so tests did not find the
> issue. As a side effect of this change, Trigger will begin reporting errors
> from triggered scripts.
>
> This only affects the Trigger plugin; if you are not using Trigger, you are
> not affected by this flaw. As a workaround, you can disable Trigger until you
> are able to upgrade."
>
> In Debian (and all other distros I know of) the bcfg2 server runs as
> root, so in practice this is a remote root hole (limited to attackers
> who can connect to the bcfg2 server (protected by a password and/or an
> ssl key)).
.dsc and .debian.tar.gz for a fixed package are attached. I'll upload the fix to unstable next.

--
Arto Jantunen
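To illustrate the bug class the quoted announcement describes, here is an added example (constructed for this page; it is not Bcfg2's own Trigger code and the function names are hypothetical). The unsafe builder splices the client-supplied UUID into one string that a shell would parse, while the hardened path validates the UUID, passes it as a separate argv element with no shell involved, and surfaces trigger-script failures instead of hiding them.

```python
import re
import subprocess
from typing import List

# Constructed illustration of the Trigger flaw's bug class; not Bcfg2's actual code.
# The client UUID is attacker-controlled (root on any enrolled client can send an
# arbitrary string), so it must never reach a shell unvalidated.
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def uuid_is_valid(value: str) -> bool:
    """True only for a canonical 8-4-4-4-12 hex UUID."""
    return UUID_RE.match(value) is not None


def validate_uuid(value: str) -> str:
    """Return the UUID unchanged, or raise if it is not canonical."""
    if not uuid_is_valid(value):
        raise ValueError("rejecting malformed client UUID: %r" % value)
    return value


def build_command_unsafe(script: str, uuid: str) -> str:
    """The vulnerable shape: client input spliced into a string a shell will parse."""
    return "%s %s" % (script, uuid)  # any metacharacter in uuid is interpreted by the shell


def build_command_safe(script: str, uuid: str) -> List[str]:
    """Hardened shape: validated UUID as its own argv element, no shell at all."""
    return [script, validate_uuid(uuid)]


def run_trigger(script: str, uuid: str) -> str:
    """Run one trigger script for a client and return its stdout.

    shell=False hands argv to execve directly, so the UUID can only ever be a single
    argument. check=True surfaces a failing script; the upstream note says Trigger
    used to swallow these errors, which is why tests missed the flaw.
    """
    argv = build_command_safe(script, uuid)
    try:
        proc = subprocess.run(argv, shell=False, check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as err:
        raise RuntimeError("trigger %s failed (rc=%d): %s"
                           % (script, err.returncode, err.stderr.strip())) from err
    return proc.stdout


if __name__ == "__main__":
    print(run_trigger("echo", "12345678-1234-1234-1234-123456789abc").strip())
    try:
        run_trigger("echo", "not a uuid; extra words")  # constructed malformed input
    except ValueError as exc:
        print("blocked:", exc)
```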
Attachments: bcfg2_1.0.1-3+squeeze2.dsc, bcfg2_1.0.1-3+squeeze2.debian.tar.gz