"Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.safe_loads in item.py on line 248:

Bug #858883 reported by David on 2011-09-25

Affects                    Status        Importance  Assigned to  Milestone
cobbler (Ubuntu)                         High        Robie Basak
cobbler (Ubuntu Oneiric)   Won't Fix     High        Robie Basak  oneiric-updates
cobbler (Ubuntu Precise)   Fix Released  High        Robie Basak  precise-alpha-1
Bug Description

"Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.safe_loads in item.py on line 248:

            data = yaml.load(mgmt_parameters)

which appears in the set_mgmt_parameters function.
Note: I have not checked if this can be triggered from the web interface. (This, like #858875, should just be fixed regardless and should be a one-line patch.)

Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git20110602-0ubuntu25).
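The following is an added example, not code from the bug report or from cobbler, showing the mechanism the report describes: a full-trust PyYAML loader will import a module and call any function named in a `!!python/object/apply` tag, so whoever controls the management-parameters string controls what runs on the cobbler host. The sample documents are constructed here; the hostile one calls `os.getcwd` only because it is side-effect free, and the hardened `set_mgmt_parameters_safe` is an assumed shape of the fix, not cobbler's exact code.

```python
"""Added example: yaml.load (full-trust loader) versus yaml.safe_load on
attacker-controlled "management parameters". Not cobbler's own code."""
import os

import yaml

# Constructed sample input: what a legitimate management-parameters field
# might contain.
TRUSTED_DOC = "ntp_server: 10.0.0.1\nmax_disk_gb: 40\n"

# Constructed hostile input. The full-trust loader resolves
# !!python/object/apply:<module>.<callable> by importing <module> and calling
# <callable> with the listed arguments. os.getcwd is used here because it is
# harmless; os.system or subprocess.check_output would be invoked the same way.
HOSTILE_DOC = "!!python/object/apply:os.getcwd []\n"


def load_like_cobbler_2_1(mgmt_parameters):
    """The vulnerable pattern from item.py: a full-trust loader.

    The report's line was ``yaml.load(mgmt_parameters)``; with the PyYAML of
    2011 that implied the full-trust ``yaml.Loader``. PyYAML 5.1+ warns or
    refuses to guess a loader, so it is named explicitly here to reproduce
    the old behaviour.
    """
    return yaml.load(mgmt_parameters, Loader=yaml.Loader)


def set_mgmt_parameters_safe(mgmt_parameters):
    """Hardened pattern (assumed shape, not cobbler's exact fix).

    safe_load only builds str/int/float/bool/None/list/dict, and the result
    is shape-checked afterwards so a caller cannot smuggle in a list or scalar
    where a mapping is expected.
    """
    data = yaml.safe_load(mgmt_parameters or "")
    if data is None:          # empty field
        return {}
    if not isinstance(data, dict):
        raise ValueError("management parameters must be a YAML mapping")
    return data


def unsafe_load_executes_code():
    """True when the hostile document made the loader call os.getcwd()."""
    result = load_like_cobbler_2_1(HOSTILE_DOC)
    return isinstance(result, str) and result == os.getcwd()


def safe_load_rejects_hostile():
    """True when safe_load refuses to construct the python/object/apply tag.

    PyYAML raises yaml.constructor.ConstructorError (a YAMLError subclass)
    for tags the SafeLoader has no constructor for.
    """
    try:
        yaml.safe_load(HOSTILE_DOC)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    print("full-trust loader ran os.getcwd():", unsafe_load_executes_code())
    print("safe_load rejected the tag:      ", safe_load_rejects_hostile())
    print("safe_load on trusted input:      ", set_mgmt_parameters_safe(TRUSTED_DOC))
```

Run it under any PyYAML version: the full-trust loader returns the working directory, proving an arbitrary importable callable was invoked, while `safe_load` raises a `ConstructorError` on the same document and still parses the ordinary mapping. That one-word change (`load` to `safe_load`) is exactly what the "Backport safe YAML load from upstream" changelog entry below refers to; the `isinstance` check is the extra step a reviewer would ask for so that the caller never trusts the document's top-level type either.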

David (d--) on 2011-09-28
visibility: private → public
Changed in cobbler (Ubuntu):
importance: Undecided → High
Dave Walker (davewalker) on 2011-10-16
Changed in cobbler (Ubuntu Oneiric):
importance: Undecided → High
milestone: none → oneiric-updates
Changed in cobbler (Ubuntu Precise):
milestone: none → precise-alpha-1
Changed in cobbler (Ubuntu Oneiric):
status: New → Triaged
Changed in cobbler (Ubuntu Precise):
status: New → Triaged
Robie Basak (racb) on 2011-10-25
Changed in cobbler (Ubuntu Oneiric):
assignee: nobody → Robie Basak (racb)
Changed in cobbler (Ubuntu Precise):
assignee: nobody → Robie Basak (racb)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package cobbler - 2.2.2-0ubuntu1

---------------
cobbler (2.2.2-0ubuntu1) precise; urgency=low

  [Chuck Short]
  * New upstream release:
    + Use dh_python2 everywhere.
    + Folded debian/patches/49_ubuntu_add_arm_arch_support.patch
      and debian/patches/56_ubuntu_arm_generate_pxe_files.patch
      into one patch for easier upstreaming.
    + Dropped debian/patches/50_fix_cobbler_timezone.patch:
      Fix upstream.
    + Dropped debian/patches/47_ubuntu_add_oneiric_codename.patch
      in favor of debian/patches/47_ubuntu_add_codenames.patch:
      It adds "precise" and drops unsupported releases as well.
    + Dropped debian/patches/41_update_tree_path_with_arch.patch:
      No longer needed.
    + Dropped debian/patches/55_ubuntu_branding.patch: Will be moved
      to orchestra

   [Clint Byrum]
   * debian/cobbler.postinst: create users.digest mode 0600 so it
     is not world readable. (LP: #858860)
   * debian/control: cobbler needs to depend on python-cobbler
     (LP: #863738)
   * debian/patches/58_fix_egg_cache.patch: Do not point dangerous
     PYTHON_EGG_CACHE at world writable directory. (LP: #858875)
   * debian/cobbler-common.install: remove users.digest as it is
     not required and contains a known password that would leave
     cobblerd vulnerable if started before configuration is done
   * debian/cobbler-web.postinst: fix perms on webui_sessions to
     be more secure (LP: #863755)

   [Robie Basak]
   * Backport safe YAML load from upstream. (LP: #858883)
 -- Chuck Short <email address hidden> Tue, 15 Nov 2011 12:35:40 -0500

Changed in cobbler (Ubuntu Precise):
status: Triaged → Fix Released
Jamie Strandboge (jdstrand) wrote:

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in cobbler (Ubuntu Oneiric):
status: Triaged → Won't Fix
This report contains Public Security information.