cobbler-enlist is not checking for return codes enough

Bug #862558 reported by Jamie Strandboge
Affects                   Status     Importance  Assigned to      Milestone
cobbler-enlist (Ubuntu)   Invalid    High        Adam Gandelman
  Oneiric                 Won't Fix  High        Ubuntu Server
  Precise                 Invalid    High        Adam Gandelman

Bug Description

In performing the MIR audit for cobbler-enlist (bug #860492), I discovered:

- PROBLEM: most xmlrpc_* calls are not doing any error checking, but should be based on looking at code of xmlrpc-c.
- RECOMMENDATION: create utility function wrappers for the common xmlrpc-c commands, have the cobbler-enlist code use the wrappers, and have the wrappers do all the error checking. E.g.: all current uses of xmlrpc_array_new(...) should be changed to use ce_xmlrpc_array_new(...), then ce_xmlrpc_array_new() calls xmlrpc_array_new() and does the necessary error checking and fails. This should be done everywhere that an xmlrpc function is used a lot, and for those things that are used only once, simply do it inline (e.g. for xmlrpc_server_info_new()).

This needs to get fixed so that cobbler-enlist is defensively coded. This must happen before 12.04 and I think it would also be good for SRU.
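The wrapper pattern the recommendation describes, as an added illustration that is not cobbler-enlist code and does not use libxmlrpc itself. xmlrpc-c reports failures through an environment object: a call sets `env->fault_occurred`, `fault_code` and `fault_string` and may return NULL, and a caller that never looks at the environment will go on to dereference that NULL. To build without the library, the block defines a minimal stand-in that mirrors the real names and signatures (`xmlrpc_env`, `xmlrpc_env_init`, `xmlrpc_array_new`, `xmlrpc_DECREF`) plus a constructed fault-injection switch (`stub_reset`, `stub_live_values`). Everything prefixed `ce_` (`ce_check_env`, `ce_xmlrpc_array_new`, `ce_build_arrays`, `ce_demo`) is hypothetical wrapper and caller code written for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- STAND-IN for libxmlrpc (constructed for this example) ----------
 * In cobbler-enlist these come from <xmlrpc-c/base.h>. Only the members
 * and signatures the wrappers use are mirrored, with a switch that makes
 * the Nth call fault so the error path can be exercised offline. */
typedef struct {
    int         fault_occurred;
    int         fault_code;
    const char *fault_string;
} xmlrpc_env;

typedef struct { int refcount; } xmlrpc_value;

static int stub_fail_on_call = 0;   /* constructed: 0 = never fault */
static int stub_calls        = 0;   /* constructed: calls so far     */
int        stub_live_values  = 0;   /* constructed: leak detector    */

static void stub_reset(int fail_on_call)
{
    stub_fail_on_call = fail_on_call;
    stub_calls = 0;
    stub_live_values = 0;
}

static void xmlrpc_env_init(xmlrpc_env *env)  { memset(env, 0, sizeof *env); }
static void xmlrpc_env_clean(xmlrpc_env *env) { (void)env; }

static xmlrpc_value *xmlrpc_array_new(xmlrpc_env *env)
{
    if (++stub_calls == stub_fail_on_call) {
        env->fault_occurred = 1;              /* how xmlrpc-c signals failure */
        env->fault_code     = -500;
        env->fault_string   = "stub: allocation failed";
        return NULL;
    }
    xmlrpc_value *v = calloc(1, sizeof *v);
    v->refcount = 1;
    stub_live_values++;
    return v;
}

static void xmlrpc_DECREF(xmlrpc_value *v)
{
    if (v && --v->refcount == 0) { free(v); stub_live_values--; }
}

/* ---- Wrappers in the style the bug recommends (hypothetical) ---------- */

/* Single place where every wrapper inspects the environment.
 * Returns 0 if the preceding call succeeded, -1 if it faulted. */
static int ce_check_env(const xmlrpc_env *env, const char *what)
{
    if (!env->fault_occurred)
        return 0;
    fprintf(stderr, "%s failed: %s (code %d)\n",
            what, env->fault_string, env->fault_code);
    return -1;
}

/* Drop-in replacement for xmlrpc_array_new(): never hands back a value
 * that the caller could use without the fault having been checked. */
static xmlrpc_value *ce_xmlrpc_array_new(xmlrpc_env *env)
{
    xmlrpc_value *v = xmlrpc_array_new(env);
    if (ce_check_env(env, "xmlrpc_array_new") != 0)
        return NULL;
    if (v == NULL) {                          /* belt and braces */
        fprintf(stderr, "xmlrpc_array_new returned NULL without a fault\n");
        return NULL;
    }
    return v;
}

/* Example caller: build two arrays and unwind cleanly if either step
 * fails. Returns 0 on success, -1 on failure, and releases whatever was
 * created before the fault so a partial failure leaks nothing. */
static int ce_build_arrays(xmlrpc_env *env)
{
    xmlrpc_value *outer = NULL, *inner = NULL;
    int rc = -1;

    outer = ce_xmlrpc_array_new(env);
    if (!outer) goto done;
    inner = ce_xmlrpc_array_new(env);
    if (!inner) goto done;
    rc = 0;                                   /* both steps checked */
done:
    if (inner) xmlrpc_DECREF(inner);
    if (outer) xmlrpc_DECREF(outer);
    return rc;
}

/* Run one scenario: fault on the given call number (0 = no fault). */
static int ce_demo(int fail_on_call)
{
    xmlrpc_env env;
    int rc;
    xmlrpc_env_init(&env);
    stub_reset(fail_on_call);
    rc = ce_build_arrays(&env);
    xmlrpc_env_clean(&env);
    return rc;
}

int main(void)
{
    printf("no fault:              rc=%d live=%d\n", ce_demo(0), stub_live_values);
    printf("fault on first call:   rc=%d live=%d\n", ce_demo(1), stub_live_values);
    printf("fault on second call:  rc=%d live=%d\n", ce_demo(2), stub_live_values);
    return 0;
}
```

The point of the wrapper is not the extra `if` but where it lives: once every `xmlrpc_array_new` in the tree goes through `ce_xmlrpc_array_new`, an unchecked fault can no longer reach a dereference, and the `goto done` unwinding in the caller is what keeps a mid-sequence failure from leaking the values created before it. The same shape applies to any other xmlrpc-c call that is used more than once.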

security vulnerability: yes → no
visibility: private → public
Changed in cobbler-enlist (Ubuntu):
assignee: nobody → Canonical Server Team (canonical-server)
importance: Undecided → High
status: New → Triaged
Changed in cobbler-enlist (Ubuntu Oneiric):
milestone: none → oneiric-updates
Dave Walker (davewalker)
Changed in cobbler-enlist (Ubuntu Oneiric):
assignee: Canonical Server Team (canonical-server) → Ubuntu Server Team (ubuntu-server)
tags: added: rls-mgr-o-tracking
tags: added: rls-mgr-p-tracking
removed: rls-mgr-o-tracking
Dave Walker (davewalker)
Changed in cobbler-enlist (Ubuntu Precise):
milestone: none → precise-alpha-1
Dave Walker (davewalker)
Changed in cobbler-enlist (Ubuntu Precise):
assignee: Ubuntu Server Team (ubuntu-server) → Adam Gandelman (gandelman-a)
Dave Walker (davewalker)
Changed in cobbler-enlist (Ubuntu):
milestone: precise-alpha-1 → precise-alpha-2
Adam Gandelman (gandelman-a) wrote :

Marking Invalid since we'll be moving forward with a rewrite of the utility.

Changed in cobbler-enlist (Ubuntu Precise):
status: Triaged → Invalid
Jamie Strandboge (jdstrand) wrote :

Umm, a total rewrite invalidates the security audit I performed for bug #860492. Why is this being done?

Rolf Leggewie (r0lf) wrote :

Oneiric has seen the end of its life and is no longer receiving any updates. Marking the oneiric task for this ticket as "Won't Fix".

Changed in cobbler-enlist (Ubuntu Oneiric):
status: Triaged → Won't Fix