"Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.safe_loads in item.py on line 248:
Bug #858883, reported by David. This bug affects 1 person.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cobbler (Ubuntu) | Fix Released | High | Robie Basak |
Oneiric | Won't Fix | High | Robie Basak |
Precise | Fix Released | High | Robie Basak |
Bug Description
"Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.safe_loads in item.py on line 248: `data = yaml.load(`, which appears in the set_mgmt_parameters function.
Note: I have not checked if this can be triggered from the web interface. (This, like #858875, should just be fixed regardless and should be a one-line patch.)
Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git201106
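The distinction the report turns on, shown as an added example (not cobbler's own code): a parser for a management-parameters style key/value document that uses PyYAML's safe loader and rejects anything that is not a plain mapping, next to the legacy full-loader call it replaces. The function names, the two sample documents and the `!!python/tuple` tag used to trigger the rejection are constructed for illustration; the only thing taken from the report is the `yaml.load` vs `yaml.safe_load` contrast.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample: the kind of document a "Management Parameters"
# field might carry (illustrative keys, not taken from cobbler).
BENIGN_DOC = """
ntp_server: ntp.example.internal
puppet_env: production
"""

# Constructed sample carrying a Python-specific tag. The full loader
# (yaml.Loader, what a bare yaml.load() used at the time) builds a Python
# object from it; the safe loader has no constructor for any !!python/*
# tag and raises instead. A harmless tag is used on purpose; the point is
# that the safe loader refuses the whole tag family, not this one tag.
TAGGED_DOC = "params: !!python/tuple [1, 2]\n"


def legacy_parse(text):
    """The pattern the report flags: full (unsafe) YAML loading.

    yaml.Loader is spelled out because newer PyYAML releases require an
    explicit Loader; behaviour matches the old default of yaml.load().
    """
    return yaml.load(text, Loader=yaml.Loader)


def parse_mgmt_parameters(text):
    """Parse a management-parameters document with the safe loader.

    Returns a dict (empty for an empty document). Raises ValueError for a
    document that is not a mapping, or that uses a tag the safe loader does
    not know, such as the !!python/* family.
    """
    try:
        data = yaml.safe_load(text)
    except ConstructorError as exc:
        raise ValueError("rejected YAML tag: %s" % exc.problem) from exc
    if data is None:
        return {}
    if not isinstance(data, dict):
        raise ValueError("management parameters must be a YAML mapping")
    return data


def is_rejected(text):
    """True if the safe parser refuses the document."""
    try:
        parse_mgmt_parameters(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_mgmt_parameters(BENIGN_DOC))   # plain dict of scalars
    print(legacy_parse(TAGGED_DOC))            # {'params': (1, 2)}: tag honoured
    print(is_rejected(TAGGED_DOC))             # True: safe loader refuses the tag
```

Switching the call is the one-line fix the report asks for; the extra `isinstance` check is a separate, cheap guard so that a scalar or list document cannot reach code that expects a mapping.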
Related branches
lp:~racb/ubuntu/oneiric/cobbler/858878_858883: Rejected for merging into lp:ubuntu/oneiric/cobbler (Dave Walker: Pending requested)
Diff: 11280 lines (+10424/-53), 55 files modified
.pc/58_fix_egg_cache.patch/web/cobbler.wsgi (+10/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/filter.tmpl (+155/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/generic_edit.tmpl (+481/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/generic_list.tmpl (+192/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/import.tmpl (+47/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/ksfile_edit.tmpl (+58/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/login.tmpl (+29/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/master.tmpl (+66/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/paginate.tmpl (+22/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/snippet_edit.tmpl (+54/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/views.py (+1162/-0)
.pc/59_add_csrf_protection.patch/web/settings.py (+69/-0)
.pc/60_yaml_safe_load.patch/cobbler/api.py (+947/-0)
.pc/60_yaml_safe_load.patch/cobbler/item.py (+427/-0)
.pc/60_yaml_safe_load.patch/cobbler/modules/serializer_catalog.py (+241/-0)
.pc/60_yaml_safe_load.patch/cobbler/modules/serializer_couch.py (+136/-0)
.pc/60_yaml_safe_load.patch/cobbler/remote.py (+2547/-0)
.pc/60_yaml_safe_load.patch/cobbler/services.py (+462/-0)
.pc/60_yaml_safe_load.patch/cobbler/utils.py (+2074/-0)
.pc/60_yaml_safe_load.patch/scripts/cobbler-ext-nodes (+21/-0)
.pc/60_yaml_safe_load.patch/scripts/index.py (+199/-0)
.pc/60_yaml_safe_load.patch/scripts/services.py (+99/-0)
.pc/applied-patches (+3/-0)
cobbler/api.py (+1/-1)
cobbler/item.py (+1/-1)
cobbler/modules/serializer_catalog.py (+4/-4)
cobbler/modules/serializer_couch.py (+1/-1)
cobbler/remote.py (+2/-2)
cobbler/services.py (+1/-1)
cobbler/utils.py (+2/-2)
debian/changelog (+21/-0)
debian/cobbler-common.install (+0/-1)
debian/cobbler-web.dirs (+1/-0)
debian/cobbler-web.postinst (+3/-0)
debian/cobbler.postinst (+1/-0)
debian/control (+4/-4)
debian/patches/58_fix_egg_cache.patch (+19/-0)
debian/patches/59_add_csrf_protection.patch (+569/-0)
debian/patches/60_yaml_safe_load.patch (+158/-0)
debian/patches/series (+3/-0)
scripts/cobbler-ext-nodes (+1/-1)
scripts/index.py (+1/-1)
scripts/services.py (+1/-1)
web/cobbler.wsgi (+1/-1)
web/cobbler_web/templates/filter.tmpl (+8/-2)
web/cobbler_web/templates/generic_edit.tmpl (+1/-0)
web/cobbler_web/templates/generic_list.tmpl (+14/-4)
web/cobbler_web/templates/import.tmpl (+1/-0)
web/cobbler_web/templates/ksfile_edit.tmpl (+1/-0)
web/cobbler_web/templates/login.tmpl (+1/-0)
web/cobbler_web/templates/master.tmpl (+13/-6)
web/cobbler_web/templates/paginate.tmpl (+16/-4)
web/cobbler_web/templates/snippet_edit.tmpl (+1/-0)
web/cobbler_web/views.py (+70/-16)
web/settings.py (+2/-0)
visibility: private → public
Changed in cobbler (Ubuntu): importance: Undecided → High
Changed in cobbler (Ubuntu Oneiric): importance: Undecided → High; milestone: none → oneiric-updates
Changed in cobbler (Ubuntu Precise): milestone: none → precise-alpha-1
Changed in cobbler (Ubuntu Oneiric): status: New → Triaged
Changed in cobbler (Ubuntu Precise): status: New → Triaged
Changed in cobbler (Ubuntu Oneiric): assignee: nobody → Robie Basak (racb)
Changed in cobbler (Ubuntu Precise): assignee: nobody → Robie Basak (racb)
This bug was fixed in the package cobbler - 2.2.2-0ubuntu1
---------------
cobbler (2.2.2-0ubuntu1) precise; urgency=low

  [Chuck Short]
  * New upstream release:
    + Use dh_python2 everywhere.
    + Folded debian/patches/49_ubuntu_add_arm_arch_support.patch
      and debian/patches/56_ubuntu_arm_generate_pxe_files.patch
      into one patch for easier upstreaming.
    + Dropped debian/patches/50_fix_cobbler_timezone.patch:
      Fix upstream.
    + Dropped debian/patches/47_ubuntu_add_oneiric_codename.patch
      in favor of debian/patches/47_ubuntu_add_codenames.patch:
      It adds "precise" and drops unsupported releases as well.
    + Dropped debian/patches/41_update_tree_path_with_arch.patch:
      No longer needed.
    + Dropped debian/patches/55_ubuntu_branding.patch: Will be moved
      to orchestra

  [Clint Byrum]
  * debian/cobbler.postinst: create users.digest mode 0600 so it
    is not world readable. (LP: #858860)
  * debian/control: cobbler needs to depend on python-cobbler
    (LP: #863738)
  * debian/patches/58_fix_egg_cache.patch: Do not point dangerous
    PYTHON_EGG_CACHE at world writable directory. (LP: #858875)
  * debian/cobbler-common.install: remove users.digest as it is
    not required and contains a known password that would leave
    cobblerd vulnerable if started before configuration is done
  * debian/cobbler-web.postinst: fix perms on webui_sessions to
    be more secure (LP: #863755)

  [Robie Basak]
  * Backport safe YAML load from upstream. (LP: #858883)

 -- Chuck Short <email address hidden>  Tue, 15 Nov 2011 12:35:40 -0500