Cobbler command injection vulnerability (CVE-2017-1000469)

Bug #1742098 reported by Adam Heczko on 2018-01-09
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
MOS Maintenance
MOS Maintenance
MOS Maintenance

Bug Description

Detailed bug description:

Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.

Fuel node ships with Cobbler used for cloud deployment purposes. Although Cobber API is not intended to use over the network in Fuel use case we need to provide updated Cobbler packages.

description: updated
description: updated
description: updated
Changed in fuel:
assignee: nobody → MOS Maintenance (mos-maintenance)
Alexander Rubtsov (arubtsov) wrote :

sla2 for 9.0-updates

tags: added: customer-found sla2
Changed in fuel:
milestone: 9.x-updates → 9.2-mu-5
status: New → Confirmed

Fix proposed to branch: 9.0
Change author: Denis V. Meltsaykin <email address hidden>

Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: f56dde23ea494dc74aaef674b66e05a971974fc2
Author: Denis V. Meltsaykin <email address hidden>
Date: Tue Feb 6 16:19:47 2018

Fix for cve-2017-1000469

Since cobbler uses shell when calling external commands it's needed
to wrap arguments so shell doesn't treat them as separate commands.

Change-Id: I04f7438abcab12d77f04e697e20c49cb2d7d38b7
Closes-Bug: #1742098

Changed in fuel:
status: Confirmed → Fix Committed
Vladimir Jigulin (vjigulin) wrote :

Verified on 9.2-mu-5 (proposed):
/usr/lib/python2.7/site-packages/cobbler/ file patched

Changed in fuel:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers