Bugzilla – Bug 1074594
VUL-0: CVE-2017-1000469: cobbler: command injection vulnerability in the "add repo" component
Last modified: 2021-01-14 20:18:15 UTC
CVE-2017-1000469 Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000469
https://github.com/cobbler/cobbler/issues/1845
I've created a fix to escape the parameters provided by the user to generate the shell command which is executed during the "cobbler reposync" run. That way, we prevent the execution of malicious shell code that might be injected into variables set by the user while creating the repo.
Upstream cobbler PR: https://github.com/cobbler/cobbler/pull/1889
"systemsmanagement/cobbler": https://build.opensuse.org/request/show/601548
Closing this as RESOLVED/FIXED since the SR to "systemsmanagement/cobbler" has been accepted. Thanks
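The comment above describes the shape of the bug and of the fix: user-supplied repo fields are spliced into a shell command line that "cobbler reposync" later executes, and the fix escapes those fields before they reach the shell. The following is an added, self-contained Python illustration of that pattern; it is not cobbler's code nor the code from the upstream PR. The repo field names, the reposync command layout, the mirror directory and the payload are all constructed for the example (this page does not say which field was injectable). The tokeniser uses shlex with punctuation_chars and whitespace_split together, which needs Python 3.8 or newer.

```python
import shlex
import subprocess

# Constructed sample: a repo definition as a user could submit it through an
# "add repo" interface. The "name" field carries a shell-metacharacter payload.
# Field names, MIRROR_ROOT and the reposync command shape are assumptions for
# this illustration, not cobbler's actual data model or command line.
MALICIOUS_REPO = {
    "name": "fedora; touch /tmp/pwned #",
    "mirror": "http://mirror.example.org/fedora/",
}
MIRROR_ROOT = "/var/www/cobbler/repo_mirror"


def unsafe_cmd(repo):
    """Vulnerable pattern: interpolate user-controlled fields straight into a
    string that is later handed to a shell (e.g. subprocess with shell=True).
    Deliberately left unsafe so shell_view() can show what the shell sees."""
    return "reposync -r {0} -u {1} -p {2}/{0}".format(
        repo["name"], repo["mirror"], MIRROR_ROOT)


def quoted_cmd(repo):
    """Hardened pattern, the approach described in the comment above: every
    user-derived value is escaped with shlex.quote before it is spliced into
    the command string, so metacharacters stay inside a single argument."""
    return "reposync -r {} -u {} -p {}".format(
        shlex.quote(repo["name"]),
        shlex.quote(repo["mirror"]),
        shlex.quote("%s/%s" % (MIRROR_ROOT, repo["name"])))


def argv_cmd(repo):
    """Preferable pattern: build an argv list and run it with shell=False, so
    there is no shell parsing step for the data to influence at all."""
    return ["reposync", "-r", repo["name"], "-u", repo["mirror"],
            "-p", "%s/%s" % (MIRROR_ROOT, repo["name"])]


def shell_view(cmd):
    """Approximate how a POSIX shell tokenises cmd: split on whitespace and on
    separators such as ';', '|', '&', honour quoting, drop '#' comments."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected(cmd):
    """True if the tokenised command contains a command separator outside
    quotes, i.e. the shell would execute more than one command."""
    return any(tok in (";", "|", "||", "&", "&&") for tok in shell_view(cmd))


def run_reposync(repo, dry_run=True):
    """Run the hardened argv form. dry_run returns the argv instead of
    executing it, so the example works without reposync installed."""
    argv = argv_cmd(repo)
    if dry_run:
        return argv
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    print("unsafe :", shell_view(unsafe_cmd(MALICIOUS_REPO)))
    print("quoted :", shell_view(quoted_cmd(MALICIOUS_REPO)))
    print("argv   :", run_reposync(MALICIOUS_REPO))
```

With the constructed payload, the unsafe form tokenises into two commands (`reposync -r fedora` and `touch /tmp/pwned`, with the rest of the line commented out), whereas the quoted form keeps the whole payload inside one argument. Escaping fixes the immediate injection; passing an argv list without a shell removes the parsing step entirely and is the form to prefer when the command is not required to go through a shell.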
(In reply to Pablo Suárez Hernández from comment #5)
Please don't close security issues. Assign them to security-team@suse.de once you're done. Before we can close this we need maintenance submissions to SUSE:SLE-12:Update and SUSE:SLE-12-SP2:Update:Products:Manager31:Update, please.
I've created the following maintenance requests:
MR to "SUSE:SLE-12:Update": https://build.suse.de/request/show/163065
MR to "SUSE:SLE-12-SP2:Update:Products:Manager31:Update": https://build.suse.de/request/show/163066
Setting the assignee back to "security-team@suse.de" as requested, now that the MRs have been created.
BTW, we also have cobbler version 2.2.2 in the "Devel:Galaxy:Manager:3.1:SLE11-SUSE-Manager-Tools" and "Devel:Galaxy:Manager:3.1:RES6-SUSE-Manager-Tools" projects, which are used to provide the "koan" package to the SUSE Manager client tools (but not cobbler IIUC). Do we also need to create SRs/MRs there? Thanks for the support!
(In reply to Pablo Suárez Hernández from comment #8)
Thank you. For the devel projects we don't track this, but we should either submit there too or bump to a newer version that has the fix.
(In reply to Johannes Segitz from comment #9)
> For the devel projects we don't track this, but we should either submit
> there too or bump to a newer version that has the fix.
SR to "Devel:Galaxy:Manager:Head:SLE11-SUSE-Manager-Tools" accepted: https://build.suse.de/request/show/164282
Since for the SLE11 and RES6 Manager tools we only ship the cobbler src package, we decided not to create an MR but to include this fix as part of the next maintenance update, starting next week.
SUSE-SU-2018:1736-1: An update that solves one vulnerability and has three fixes is now available.
Category: security (moderate)
Bug References: 1074594,1075014,1081714,1090205
CVE References: CVE-2017-1000469
Sources used:
SUSE OpenStack Cloud 8 (src): cobbler-2.6.6-49.9.1
SUSE Manager Tools 12 (src): cobbler-2.6.6-49.9.1
SUSE Manager Server 3.0 (src): cobbler-2.6.6-49.9.1
HPE Helion OpenStack 8 (src): cobbler-2.6.6-49.9.1
SUSE-SU-2018:1741-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1074594,1090205
CVE References: CVE-2017-1000469
Sources used:
SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (src): cobbler-2.2.2-0.68.3.1
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (src): cobbler-2.2.2-0.68.3.1
SUSE-SU-2018:1751-1: An update that solves two vulnerabilities and has 41 fixes is now available.
Category: security (moderate)
Bug References: 1073267,1074594,1075466,1080474,1081714,1082796,1083278,1083513,1084679,1085044,1085471,1085650,1085838,1087055,1087071,1087840,1088667,1088861,1089103,1089396,1089401,1089468,1090040,1090059,1090205,1090221,1090395,1090400,1090401,1090585,1091052,1091091,1091667,1091840,1091855,1092161,1092194,1092275,1092383,1092492,1095231,1095569,1096714
CVE References: CVE-2014-5326,CVE-2017-1000469
Sources used:
SUSE Manager Server 3.1 (src): cobbler-2.6.6-5.10.4, google-gson-2.8.2-3.3.6, patterns-suse-manager-3.1-3.3.2, prometheus-client-java-0.3.0-1.3.5, py26-compat-salt-2016.11.4-1.7.2, salt-netapi-client-0.14.0-3.9.5, spacewalk-backend-2.7.73.13-2.19.5, spacewalk-branding-2.7.2.13-2.19.5, spacewalk-certs-tools-2.7.0.10-2.12.4, spacewalk-java-2.7.46.14-2.25.1, spacewalk-utils-2.7.10.7-2.10.4, spacewalk-web-2.7.1.16-2.19.5, susemanager-3.1.14-2.19.5, susemanager-docs_en-3.1-10.20.7, susemanager-frontend-libs-3.1.1-3.3.2, susemanager-schema-3.1.17-2.23.3, susemanager-sls-3.1.17-2.23.2, susemanager-sync-data-3.1.14-2.23.2, susemanager-tftpsync-3.1.3-3.6.2
openSUSE-SU-2018:1770-1: An update that solves one vulnerability and has three fixes is now available.
Category: security (moderate)
Bug References: 1074594,1075014,1081714,1090205
CVE References: CVE-2017-1000469
Sources used:
openSUSE Leap 42.3 (src): cobbler-2.6.6-14.1
released
This is an autogenerated message for OBS integration:
This bug (1074594) was mentioned in
https://build.opensuse.org/request/show/850700 15.2 / cobbler
openSUSE-SU-2021:0046-1: An update that solves 6 vulnerabilities and has 58 fixes is now available.
Category: security (moderate)
Bug References: 1020376,1029276,1048183,1074594,1075014,1081714,1081739,1090205,1097733,1101670,1104189,1104190,1104287,1105440,1105442,1113747,1128754,1128926,1130658,1134588,1149075,1151875,1156574,1159010,1169207,1169553,1169779,1170462,660126,671212,672471,682665,687891,695955,714618,722443,722445,757062,763610,783671,790545,796773,811025,812948,842699,846580,869371,884051,924118,952844,956264,966622,966841,967523,968406,969538,969541,973413,973418,976826,980577,984998,986978,988889
CVE References: CVE-2011-4953,CVE-2012-2395,CVE-2017-1000469,CVE-2018-1000225,CVE-2018-1000226,CVE-2018-10931
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): cobbler-3.1.2-lp152.6.3.1
openSUSE-SU-2021:0058-1: An update that solves 6 vulnerabilities and has 58 fixes is now available.
Category: security (moderate)
Bug References: 1020376,1029276,1048183,1074594,1075014,1081714,1081739,1090205,1097733,1101670,1104189,1104190,1104287,1105440,1105442,1113747,1128754,1128926,1130658,1134588,1149075,1151875,1156574,1159010,1169207,1169553,1169779,1170462,660126,671212,672471,682665,687891,695955,714618,722443,722445,757062,763610,783671,790545,796773,811025,812948,842699,846580,869371,884051,924118,952844,956264,966622,966841,967523,968406,969538,969541,973413,973418,976826,980577,984998,986978,988889
CVE References: CVE-2011-4953,CVE-2012-2395,CVE-2017-1000469,CVE-2018-1000225,CVE-2018-1000226,CVE-2018-10931
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): cobbler-3.1.2-bp152.4.3.1