Your message dated Sat, 30 Jun 2012 09:47:13 +0000
with message-id <e1skugn-0001mr...@franck.debian.org>
and subject line Bug#679272: fixed in bcfg2 1.0.1-3+squeeze2
has caused the Debian Bug report #679272,
regarding bcfg2-server: unescaped shell command issues in the Trigger plugin
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
679272: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679272
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bcfg2-server
Version: 1.0.1-3+squeeze1
Severity: critical
Tags: security, patch, pending
Quoting the upstream announcement (written by Chris St. Pierre):
"We have found a major security flaw in the Trigger plugin that would allow a
malicious user who has root access to a Bcfg2 client to run arbitrary commands
on the server as the user the bcfg2-server process is running as by passing a
malformed UUID.
This is very similar to a flaw discovered last year in a large number of other
plugins; this instance was not fixed at that time because Trigger uses a
different method to invoke external shell commands, and because Trigger
previously hid all errors from trigger scripts, so tests did not find the
issue. As a side effect of this change, Trigger will begin reporting errors
from triggered scripts.
This only affects the Trigger plugin; if you are not using Trigger, you are
not affected by this flaw. As a workaround, you can disable Trigger until you
are able to upgrade."
In Debian (and all other distros I know of) the bcfg2 server runs as
root, so in practice this is a remote root hole (limited to attackers
who can connect to the bcfg2 server (protected by a password and/or an
ssl key)).
--
Arto Jantunen
commit 8b0a5c5fc3ca99f6a2a8c393cedd02be66e6a846 (HEAD, squeeze-security)
Author: Arto Jantunen <vi...@debian.org>
Date: Wed Jun 27 12:00:08 2012 +0300
Backport upstream patch to fix unescaped shell command issues in the Trigger plugin
diff --git a/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch b/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
new file mode 100644
index 0000000..fd58e79
--- /dev/null
+++ b/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
@@ -0,0 +1,69 @@
+From: Chris St. Pierre <chris.a.st.pie...@gmail.com>
+Date: Tue, 12 Jun 2012 09:20:10 -0400
+Subject: [PATCH] Fix unescaped shell commands in the Trigger plugin
+
+---
+ src/lib/Server/Plugins/Trigger.py | 42 ++++++++++++++++++++++++------------
+ 1 files changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/src/lib/Server/Plugins/Trigger.py b/src/lib/Server/Plugins/Trigger.py
+index b457431..5e6007e 100644
+--- a/src/lib/Server/Plugins/Trigger.py
++++ b/src/lib/Server/Plugins/Trigger.py
+@@ -1,17 +1,7 @@
+ import os
++import pipes
+ import Bcfg2.Server.Plugin
+-
+-
+-def async_run(prog, args):
+- pid = os.fork()
+- if pid:
+- os.waitpid(pid, 0)
+- else:
+- dpid = os.fork()
+- if not dpid:
+- os.system(" ".join([prog] + args))
+- os._exit(0)
+-
++from subprocess import Popen, PIPE
+
+ class Trigger(Bcfg2.Server.Plugin.Plugin,
+ Bcfg2.Server.Plugin.Statistics):
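Review bot: `pipes` is imported here solely for `pipes.quote` in the debug log of the new `async_run` (next hunk); `pipes` is Python 2 only (gone in Python 3.13) and `shlex.quote` is the Python 3 equivalent, so a short comment or a try/except import fallback would save a later port from tripping over it. Minor style point: removing the module-level `async_run` and its surrounding blank lines leaves a single blank line between `from subprocess import Popen, PIPE` and `class Trigger(...)`, where the file previously had two.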
+@@ -27,9 +17,33 @@ class Trigger(Bcfg2.Server.Plugin.Plugin,
+ self.logger.error("Trigger: spool directory %s does not exist; unloading" % self.data)
+ raise Bcfg2.Server.Plugin.PluginInitError
+
++ def async_run(self, args):
++ pid = os.fork()
++ if pid:
++ os.waitpid(pid, 0)
++ else:
++ dpid = os.fork()
++ if not dpid:
++ self.debug_log("Running %s" % " ".join(pipes.quote(a)
++ for a in args))
++ proc = Popen(args, stdin=PIPE, stdout=PIPE, stderr=PIPE)
++ (out, err) = proc.communicate()
++ rv = proc.wait()
++ if rv != 0:
++ self.logger.error("Trigger: Error running %s (%s): %s" %
++ (args[0], rv, err))
++ elif err:
++ self.debug_log("Trigger: Error: %s" % err)
++ os._exit(0)
++
+ def process_statistics(self, metadata, _):
+ args = [metadata.hostname, '-p', metadata.profile, '-g',
+ ':'.join([g for g in metadata.groups])]
+ for notifier in os.listdir(self.data):
+- n = self.data + '/' + notifier
+- async_run(n, args)
++ if ((notifier[-1] == '~') or
++ (notifier[:2] == '.#') or
++ (notifier[-4:] == '.swp') or
++ (notifier in ['SCCS', '.svn', '4913'])):
++ continue
++ npath = os.path.join(self.data, notifier)
++ self.async_run([npath] + args)
+--
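Review bot: in the new `async_run`, nothing catches an exception raised by `Popen(args, stdin=PIPE, stdout=PIPE, stderr=PIPE)`; an entry in the spool directory that is not executable, or a dangling symlink, raises OSError in the grandchild, the traceback escapes, and `os._exit(0)` is never reached, so a forked copy of the server goes through the normal interpreter shutdown instead of exiting immediately. Wrap the body in `try: ... except Exception: self.logger.error(...)` with `finally: os._exit(0)`. Smaller points: `rv = proc.wait()` after `proc.communicate()` is redundant, since `communicate()` already reaps the child and `proc.returncode` holds the status; the new skip list for editor leftovers (`~`, `.#`, `.swp`, `SCCS`, `.svn`, `4913`) is a behaviour change beyond the injection fix and deserves a line in the changelog; and since this is a backport to 1.0.1, confirm that `self.debug_log` exists on that release's `Plugin` base class, because nothing in this patch defines it.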
diff --git a/debian/patches/series b/debian/patches/series
index 4086f4e..6b4ca70 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
0002-apt-deprecation-warnings.patch
0003-agent-in-manpage.patch
0004-unescaped-shell-command-fixes.patch
+0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
\ No newline at end of file
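Review bot: the new series entry `0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch` is added without a trailing newline (`\ No newline at end of file`); quilt and dpkg-source tolerate it, but the next entry appended to `debian/patches/series` would be glued onto this line, so end the file with a newline.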
--- End Message ---
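The flaw in the report above comes down to one line: `os.system(" ".join([prog] + args))` hands client-supplied values (hostname, profile, groups) to a shell, which re-parses the string, while the fix passes an argv list to `Popen` so no shell ever sees the values. The script below, an added illustration that is not part of bcfg2 or of the Debian patch, runs both styles against a harmless Python child that merely echoes its argv, so the difference is visible without executing anything unexpected. It assumes Python 3.8 or later (for `shlex.join`) and a POSIX `sh`; the argument values and the `/path/to/trigger` name are constructed for the demo, and `shlex.quote` stands in for the Python 2 `pipes.quote` used in the patch's log line.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample arguments in the shape Trigger.process_statistics builds
# (hostname, -p profile, -g group list).  The hostname carries a space so the
# two invocation styles visibly disagree; nothing here runs anything but a
# Python child that echoes its argv.
SAMPLE_ARGS = ["host one", "-p", "web", "-g", "base:web"]

# Stand-in for a trigger script (not bcfg2 code): prints its argv as JSON.
ECHO_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]


def run_via_shell_string(args):
    """Pre-fix pattern: the arguments are joined into one string that a shell
    re-parses, as os.system(" ".join([prog] + args)) did.  The program part
    is quoted so only the trigger arguments are exposed to the shell."""
    cmd = shlex.join(ECHO_ARGV) + " " + " ".join(args)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          check=True)
    return json.loads(proc.stdout)


def run_via_argv_list(args):
    """Post-fix pattern: an argv list handed to subprocess; no shell is
    involved, so every element reaches the child as exactly one argument."""
    proc = subprocess.run(ECHO_ARGV + args, capture_output=True, text=True,
                          check=True)
    return json.loads(proc.stdout)


def loggable_command_line(prog, args):
    """The fix also logs the command it is about to run.  Quoting each element
    (shlex.quote here, pipes.quote in the Python 2 patch) keeps the log line
    unambiguous: shlex.split turns it back into the original argv."""
    argv = [prog] + args
    line = " ".join(shlex.quote(a) for a in argv)
    if shlex.split(line) != argv:
        raise ValueError("quoted line does not round-trip")
    return line


if __name__ == "__main__":
    # The shell string splits "host one" into two arguments; the argv list
    # delivers the five elements unchanged.
    print("shell string :", run_via_shell_string(SAMPLE_ARGS))
    print("argv list    :", run_via_argv_list(SAMPLE_ARGS))
    print("log line     :", loggable_command_line("/path/to/trigger", SAMPLE_ARGS))
```

A space is the mildest possible demonstration: any shell metacharacter in a client-controlled field is re-interpreted in the same way under the first pattern, which is why the upstream advisory rates the bug as command execution on the server. The argv-list pattern removes the shell from the path entirely, and the round-tripping log line means what gets logged is exactly what gets executed.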
--- Begin Message ---
Source: bcfg2
Source-Version: 1.0.1-3+squeeze2
We believe that the bug you reported is fixed in the latest version of
bcfg2, which is due to be installed in the Debian FTP archive:
bcfg2-server_1.0.1-3+squeeze2_all.deb
to main/b/bcfg2/bcfg2-server_1.0.1-3+squeeze2_all.deb
bcfg2_1.0.1-3+squeeze2.debian.tar.gz
to main/b/bcfg2/bcfg2_1.0.1-3+squeeze2.debian.tar.gz
bcfg2_1.0.1-3+squeeze2.dsc
to main/b/bcfg2/bcfg2_1.0.1-3+squeeze2.dsc
bcfg2_1.0.1-3+squeeze2_all.deb
to main/b/bcfg2/bcfg2_1.0.1-3+squeeze2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 679...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arto Jantunen <vi...@debian.org> (supplier of updated bcfg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 27 Jun 2012 13:34:38 +0300
Source: bcfg2
Binary: bcfg2 bcfg2-server
Architecture: source all
Version: 1.0.1-3+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Arto Jantunen <vi...@debian.org>
Changed-By: Arto Jantunen <vi...@debian.org>
Description:
bcfg2 - Configuration management client
bcfg2-server - Configuration management server
Closes: 679272
Changes:
bcfg2 (1.0.1-3+squeeze2) stable-security; urgency=high
.
* Backport upstream patch to fix unescaped shell command issues in the
Trigger plugin (Closes: #679272)
Checksums-Sha1:
7092d6d8b0cfada5ef44fb079e0b829d5f7fc181 1139 bcfg2_1.0.1-3+squeeze2.dsc
0ed4023be8282f409e1c1e7250a564ced3386df9 16975 bcfg2_1.0.1-3+squeeze2.debian.tar.gz
45eb62e111486da0fd4bf1502af52ac46581616d 259528 bcfg2_1.0.1-3+squeeze2_all.deb
94d06c08c4f5bdc5427d7841b958e13a3f7da9f6 335144 bcfg2-server_1.0.1-3+squeeze2_all.deb
Checksums-Sha256:
924098ccc0f04cfe58b470cd5325882b5b139a646828b46a6c53692df3053910 1139 bcfg2_1.0.1-3+squeeze2.dsc
e9f387bbfc6a2ffff9f9f2da73dd8ed1f3e0f688e3a8d1d01d7e698b9248ae75 16975 bcfg2_1.0.1-3+squeeze2.debian.tar.gz
2d155c57af74cc47fb1c38f0ff2ae9d9370bb4d069898ae30da5fd3ba49a02f3 259528 bcfg2_1.0.1-3+squeeze2_all.deb
32383abbf336f914cfaab6dac714957489d9e280427712ed36ccd67d0264ebe4 335144 bcfg2-server_1.0.1-3+squeeze2_all.deb
Files:
1f9d1c5d7be7756201f3500b187fd79a 1139 admin optional bcfg2_1.0.1-3+squeeze2.dsc
42092ae49c83c97692917aade2ced209 16975 admin optional bcfg2_1.0.1-3+squeeze2.debian.tar.gz
9b50b8fa82efde58dfceba5ce7bd3e3a 259528 admin optional bcfg2_1.0.1-3+squeeze2_all.deb
55213e6a0ec55fe471b603056f3c0181 335144 admin optional bcfg2-server_1.0.1-3+squeeze2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAk/sfeEACgkQQ9/iJIjcFnr8fwCgxT/2YfaDsyq6lOJgkYUSK1Gf
5voAnA0HnTBuWPpfrQh+9Py6I9fKpVTr
=1twI
-----END PGP SIGNATURE-----
--- End Message ---