"Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.safe_loads in item.py on line 248:

Bug #858883 reported by David
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cobbler (Ubuntu)
Fix Released
High
Robie Basak
Oneiric
Won't Fix
High
Robie Basak
Precise
Fix Released
High
Robie Basak

Bug Description

"Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.safe_loads in item.py on line 248:

            data = yaml.load(mgmt_parameters)

which appears in the set_mgmt_parameters function.
Note: I have not checked if this can be triggered from the web interface. (This like #858875 should just be fixed regardless and should be a one line patch ).

Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git20110602-0ubuntu25).

Related branches

David (d--)
visibility: private → public
Changed in cobbler (Ubuntu):
importance: Undecided → High
Dave Walker (davewalker)
Changed in cobbler (Ubuntu Oneiric):
importance: Undecided → High
milestone: none → oneiric-updates
Changed in cobbler (Ubuntu Precise):
milestone: none → precise-alpha-1
Changed in cobbler (Ubuntu Oneiric):
status: New → Triaged
Changed in cobbler (Ubuntu Precise):
status: New → Triaged
Robie Basak (racb)
Changed in cobbler (Ubuntu Oneiric):
assignee: nobody → Robie Basak (racb)
Changed in cobbler (Ubuntu Precise):
assignee: nobody → Robie Basak (racb)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu1

---------------
cobbler (2.2.2-0ubuntu1) precise; urgency=low

  [Chuck Short]
  * New upstream release:
    + Use dh_python2 everywhere.
    + Folded debian/patches/49_ubuntu_add_arm_arch_support.patch
      and debian/patches/56_ubuntu_arm_generate_pxe_files.patch
      into one patch for easier upstreaming.
    + Dropped debian/patches/50_fix_cobbler_timezone.patch:
      Fix upstream.
    + Dropped debian/patches/47_ubuntu_add_oneiric_codename.patch
      in favor of debian/patches/47_ubuntu_add_codenames.patch:
      It adds "precise" and drops unsupported releases as well.
    + Dropped debian/patches/41_update_tree_path_with_arch.patch:
      No longer needed.
    + Dropped debian/patches/55_ubuntu_branding.patch: Will be moved
      to orchestra

   [Clint Byrum]
   * debian/cobbler.postinst: create users.digest mode 0600 so it
     is not world readable. (LP: #858860)
   * debian/control: cobbler needs to depend on python-cobbler
     (LP: #863738)
   * debian/patches/58_fix_egg_cache.patch: Do not point dangerous
     PYTHON_EGG_CACHE at world writable directory. (LP: #858875)
   * debian/cobbler-common.install: remove users.digest as it is
     not required and contains a known password that would leave
     cobblerd vulnerable if started before configuration is done
   * debian/cobbler-web.postinst: fix perms on webui_sessions to
     be more secure (LP: #863755)

   [Robie Basak]
   * Backport safe YAML load from upstream. (LP: #858883)
 -- Chuck Short <email address hidden> Tue, 15 Nov 2011 12:35:40 -0500

Changed in cobbler (Ubuntu Precise):
status: Triaged → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in cobbler (Ubuntu Oneiric):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers