Debian Bug report logs - #679272
bcfg2-server: unescaped shell command issues in the Trigger plugin

Package: bcfg2-server; Maintainer for bcfg2-server is Arto Jantunen <viiru@debian.org>; Source for bcfg2-server is src:bcfg2.

Reported by: Arto Jantunen <viiru@debian.org>

Date: Wed, 27 Jun 2012 14:12:02 UTC

Severity: critical

Tags: patch, security

Found in version bcfg2/1.0.1-3+squeeze1

Fixed in versions bcfg2/1.2.2-2, bcfg2/1.0.1-3+squeeze2

Done: Arto Jantunen <viiru@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org:
Bug#679272; Package bcfg2-server. (Wed, 27 Jun 2012 14:12:05 GMT)

Acknowledgement sent to Arto Jantunen <viiru@debian.org>:
New Bug report received and forwarded. Copy sent to security@debian.org. (Wed, 27 Jun 2012 14:12:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Arto Jantunen <viiru@debian.org>
To: submit@bugs.debian.org
Subject: bcfg2-server: unescaped shell command issues in the Trigger plugin
Date: Wed, 27 Jun 2012 17:09:11 +0300
[Message part 1 (text/plain, inline)]
Package: bcfg2-server
Version: 1.0.1-3+squeeze1
Severity: critical
Tags: security, patch, pending

Quoting the upstream announcement (written by Chris St. Pierre):

"We have found a major security flaw in the Trigger plugin that would allow a
malicious user who has root access to a Bcfg2 client to run arbitrary commands
on the server as the user the bcfg2-server process is running as by passing a
malformed UUID.

This is very similar to a flaw discovered last year in a large number of other
plugins; this instance was not fixed at that time because Trigger uses a
different method to invoke external shell commands, and because Trigger
previously hid all errors from trigger scripts, so tests did not find the
issue.  As a side effect of this change, Trigger will begin reporting errors
from triggered scripts.

This only affects the Trigger plugin; if you are not using Trigger, you are
not affected by this flaw.  As a workaround, you can disable Trigger until you
are able to upgrade."

In Debian (and all other distros I know of) the bcfg2 server runs as
root, so in practice this is a remote root hole (limited to attackers
who can connect to the bcfg2 server (protected by a password and/or an
ssl key)).

-- 
Arto Jantunen
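
The flaw class described in the announcement above, as an added example that is not part of the original report or of Bcfg2 itself: the same argument list is run once as a joined string parsed by a shell and once as an argument vector with no shell. It is written for Python 3; the notifier script, the client-supplied value and all function names are constructed for illustration.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for a trigger script: prints each argument on its own line.
NOTIFIER_BODY = r'''for a in "$@"; do printf '%s\n' "$a"; done
'''

# Constructed client-supplied value containing a shell command separator.
HOSTILE_NAME = "client1; echo SECOND-COMMAND"


def run_joined(prog, args):
    """Pre-fix pattern: join everything into one string and let a shell parse it,
    as os.system(" ".join([prog] + args)) did."""
    cmd = " ".join(prog + args)
    done = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return done.stdout.splitlines()


def run_argv(prog, args):
    """Post-fix pattern: hand the argument vector to exec unchanged, no shell.
    Quoting is applied only to the string written to the log."""
    argv = prog + args
    log_line = "Running " + " ".join(shlex.quote(a) for a in argv)
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout.splitlines(), log_line


def demo():
    args = [HOSTILE_NAME, "-p", "web", "-g", "basic:debian"]
    with tempfile.TemporaryDirectory() as spool:
        script = Path(spool) / "notify"
        script.write_text(NOTIFIER_BODY)
        # Run the script through /bin/sh so the demo does not depend on the
        # temporary directory allowing execution.
        prog = ["/bin/sh", str(script)]
        joined = run_joined(prog, args)
        direct, log_line = run_argv(prog, args)
    return joined, direct, log_line


if __name__ == "__main__":
    joined, direct, log_line = demo()
    print("shell-parsed string :", joined)
    print("argv list           :", direct)
    print(log_line)
```

In the joined case the notifier sees only the text before the separator and the shell runs the remainder as a second command; in the argv case the whole value arrives as one argument.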

[trigger-security-fix.patch (text/x-diff, inline)]
commit 8b0a5c5fc3ca99f6a2a8c393cedd02be66e6a846 (HEAD, squeeze-security)
Author: Arto Jantunen <viiru@debian.org>
Date:   Wed Jun 27 12:00:08 2012 +0300

    Backport upstream patch to fix unescaped shell command issues in the Trigger plugin

diff --git a/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch b/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
new file mode 100644
index 0000000..fd58e79
--- /dev/null
+++ b/debian/patches/0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
@@ -0,0 +1,69 @@
+From: Chris St. Pierre <chris.a.st.pierre@gmail.com>
+Date: Tue, 12 Jun 2012 09:20:10 -0400
+Subject: [PATCH] Fix unescaped shell commands in the Trigger plugin
+
+---
+ src/lib/Server/Plugins/Trigger.py |   42 ++++++++++++++++++++++++------------
+ 1 files changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/src/lib/Server/Plugins/Trigger.py b/src/lib/Server/Plugins/Trigger.py
+index b457431..5e6007e 100644
+--- a/src/lib/Server/Plugins/Trigger.py
++++ b/src/lib/Server/Plugins/Trigger.py
+@@ -1,17 +1,7 @@
+ import os
++import pipes
+ import Bcfg2.Server.Plugin
+-
+-
+-def async_run(prog, args):
+-    pid = os.fork()
+-    if pid:
+-        os.waitpid(pid, 0)
+-    else:
+-        dpid = os.fork()
+-        if not dpid:
+-            os.system(" ".join([prog] + args))
+-        os._exit(0)
+-
++from subprocess import Popen, PIPE
+ 
+ class Trigger(Bcfg2.Server.Plugin.Plugin,
+               Bcfg2.Server.Plugin.Statistics):
+@@ -27,9 +17,33 @@ class Trigger(Bcfg2.Server.Plugin.Plugin,
+             self.logger.error("Trigger: spool directory %s does not exist; unloading" % self.data)
+             raise Bcfg2.Server.Plugin.PluginInitError
+ 
++    def async_run(self, args):
++        pid = os.fork()
++        if pid:
++            os.waitpid(pid, 0)
++        else:
++            dpid = os.fork()
++            if not dpid:
++                self.debug_log("Running %s" % " ".join(pipes.quote(a)
++                                                       for a in args))
++                proc = Popen(args, stdin=PIPE, stdout=PIPE, stderr=PIPE)
++                (out, err) = proc.communicate()
++                rv = proc.wait()
++                if rv != 0:
++                    self.logger.error("Trigger: Error running %s (%s): %s" %
++                                      (args[0], rv, err))
++                elif err:
++                    self.debug_log("Trigger: Error: %s" % err)
++            os._exit(0)
++
+     def process_statistics(self, metadata, _):
+         args = [metadata.hostname, '-p', metadata.profile, '-g',
+                 ':'.join([g for g in metadata.groups])]
+         for notifier in os.listdir(self.data):
+-            n = self.data + '/' + notifier
+-            async_run(n, args)
++            if ((notifier[-1] == '~') or
++                (notifier[:2] == '.#') or
++                (notifier[-4:] == '.swp') or
++                (notifier in ['SCCS', '.svn', '4913'])):
++                continue
++            npath = os.path.join(self.data, notifier)
++            self.async_run([npath] + args)
+-- 
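Review bot: In the new async_run, os._exit(0) is reached only when the Popen block returns normally. If Popen raises in the grandchild (for example OSError for a spool entry that is not executable, which the name-based filter in process_statistics does not rule out), the exception propagates out of async_run and the forked copy of the server keeps running past this call. The removed os.system() call reported failure through its return value rather than raising, so this path is new with the patch. Suggest wrapping the grandchild body in try/finally so that os._exit(0) always runs, and logging the exception next to the existing non-zero-exit error. Minor: proc.wait() after proc.communicate() is redundant, since proc.returncode already holds the status.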
diff --git a/debian/patches/series b/debian/patches/series
index 4086f4e..6b4ca70 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0002-apt-deprecation-warnings.patch
 0003-agent-in-manpage.patch
 0004-unescaped-shell-command-fixes.patch
+0005-Fix-unescaped-shell-commands-in-the-Trigger-plugin.patch
\ No newline at end of file
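Review bot: The new last entry in debian/patches/series is added without a trailing newline, as the "\ No newline at end of file" marker after the + line shows. Suggest ending the file with a newline so that the next patch appended to the series starts on its own line and later diffs touch only the added entry.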

Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#679272; Package bcfg2-server. (Wed, 27 Jun 2012 18:24:03 GMT)

Acknowledgement sent to Arto Jantunen <viiru@debian.org>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org. (Wed, 27 Jun 2012 18:24:03 GMT)

Message #10 received at 679272@bugs.debian.org:

From: Arto Jantunen <viiru@debian.org>
To: 679272@bugs.debian.org
Subject: Re: bcfg2-server: unescaped shell command issues in the Trigger plugin
Date: Wed, 27 Jun 2012 21:22:12 +0300
[Message part 1 (text/plain, inline)]
Arto Jantunen <viiru@debian.org> writes:

> Package: bcfg2-server
> Version: 1.0.1-3+squeeze1
> Severity: critical
> Tags: security, patch, pending
>
> Quoting the upstream announcement (written by Chris St. Pierre):
>
> "We have found a major security flaw in the Trigger plugin that would allow a
> malicious user who has root access to a Bcfg2 client to run arbitrary commands
> on the server as the user the bcfg2-server process is running as by passing a
> malformed UUID.
>
> This is very similar to a flaw discovered last year in a large number of other
> plugins; this instance was not fixed at that time because Trigger uses a
> different method to invoke external shell commands, and because Trigger
> previously hid all errors from trigger scripts, so tests did not find the
> issue.  As a side effect of this change, Trigger will begin reporting errors
> from triggered scripts.
>
> This only affects the Trigger plugin; if you are not using Trigger, you are
> not affected by this flaw.  As a workaround, you can disable Trigger until you
> are able to upgrade."
>
> In Debian (and all other distros I know of) the bcfg2 server runs as
> root, so in practice this is a remote root hole (limited to attackers
> who can connect to the bcfg2 server (protected by a password and/or an
> ssl key)).

.dsc and .debian.tar.gz for a fixed package are attached. I'll upload
the fix to unstable next.

-- 
Arto Jantunen

[Message part 2 (application/pgp-signature, inline)]
[bcfg2_1.0.1-3+squeeze2.dsc (application/octet-stream, attachment)]
[bcfg2_1.0.1-3+squeeze2.debian.tar.gz (application/octet-stream, attachment)]

Reply sent to Arto Jantunen <viiru@debian.org>:
You have taken responsibility. (Wed, 27 Jun 2012 21:21:09 GMT)

Notification sent to Arto Jantunen <viiru@debian.org>:
Bug acknowledged by developer. (Wed, 27 Jun 2012 21:21:09 GMT)

Message #15 received at 679272-close@bugs.debian.org:

From: Arto Jantunen <viiru@debian.org>
To: 679272-close@bugs.debian.org
Subject: Bug#679272: fixed in bcfg2 1.2.2-2
Date: Wed, 27 Jun 2012 21:18:45 +0000
Source: bcfg2
Source-Version: 1.2.2-2

We believe that the bug you reported is fixed in the latest version of
bcfg2, which is due to be installed in the Debian FTP archive:

bcfg2-server_1.2.2-2_all.deb
  to main/b/bcfg2/bcfg2-server_1.2.2-2_all.deb
bcfg2-web_1.2.2-2_all.deb
  to main/b/bcfg2/bcfg2-web_1.2.2-2_all.deb
bcfg2_1.2.2-2.debian.tar.gz
  to main/b/bcfg2/bcfg2_1.2.2-2.debian.tar.gz
bcfg2_1.2.2-2.dsc
  to main/b/bcfg2/bcfg2_1.2.2-2.dsc
bcfg2_1.2.2-2_all.deb
  to main/b/bcfg2/bcfg2_1.2.2-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 679272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arto Jantunen <viiru@debian.org> (supplier of updated bcfg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 27 Jun 2012 21:25:43 +0300
Source: bcfg2
Binary: bcfg2 bcfg2-server bcfg2-web
Architecture: source all
Version: 1.2.2-2
Distribution: unstable
Urgency: high
Maintainer: Arto Jantunen <viiru@debian.org>
Changed-By: Arto Jantunen <viiru@debian.org>
Description: 
 bcfg2      - Configuration management client
 bcfg2-server - Configuration management server
 bcfg2-web  - Configuration management web interface
Closes: 679272
Changes: 
 bcfg2 (1.2.2-2) unstable; urgency=high
 .
   * Urgency=high due to security fix
   * Apply patch from Chris St. Pierre to fix an unescaped shell command
     vulnerability in the Trigger plugin (Closes: #679272)





Information forwarded to debian-bugs-dist@lists.debian.org, Arto Jantunen <viiru@debian.org>:
Bug#679272; Package bcfg2-server. (Thu, 28 Jun 2012 05:39:03 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Arto Jantunen <viiru@debian.org>. (Thu, 28 Jun 2012 05:39:03 GMT)

Message #20 received at 679272@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Arto Jantunen <viiru@debian.org>
Cc: 679272@bugs.debian.org
Subject: Re: Bug#679272: bcfg2-server: unescaped shell command issues in the Trigger plugin
Date: Thu, 28 Jun 2012 07:35:01 +0200
* Arto Jantunen:

>> In Debian (and all other distros I know of) the bcfg2 server runs as
>> root, so in practice this is a remote root hole (limited to attackers
>> who can connect to the bcfg2 server (protected by a password and/or an
>> ssl key)).
>
> .dsc and .debian.tar.gz for a fixed package are attached. I'll upload
> the fix to unstable next.

There's a spurious diff in the changelog:

 bcfg2 (1.0.1-3+squeeze1) stable-security; urgency=high
 
   * Apply patch from Chris St. Pierre to fix several problems with
-    unescaped shell commands (Closes: #640028).
+    unescaped shell commands

But the actual patch seems fine.  Please build without -sa and upload
to security-master.  Thanks!




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#679272; Package bcfg2-server. (Thu, 28 Jun 2012 16:00:03 GMT)

Acknowledgement sent to Arto Jantunen <viiru@debian.org>:
Extra info received and forwarded to list. (Thu, 28 Jun 2012 16:00:04 GMT)

Message #25 received at 679272@bugs.debian.org:

From: Arto Jantunen <viiru@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 679272@bugs.debian.org
Subject: Re: Bug#679272: bcfg2-server: unescaped shell command issues in the Trigger plugin
Date: Thu, 28 Jun 2012 18:56:29 +0300
Florian Weimer <fw@deneb.enyo.de> writes:

> * Arto Jantunen:
>
>>> In Debian (and all other distros I know of) the bcfg2 server runs as
>>> root, so in practice this is a remote root hole (limited to attackers
>>> who can connect to the bcfg2 server (protected by a password and/or an
>>> ssl key)).
>>
>> .dsc and .debian.tar.gz for a fixed package are attached. I'll upload
>> the fix to unstable next.
>
> There's a spurious diff in the changelog:
>
>  bcfg2 (1.0.1-3+squeeze1) stable-security; urgency=high
>  
>    * Apply patch from Chris St. Pierre to fix several problems with
> -    unescaped shell commands (Closes: #640028).
> +    unescaped shell commands
>
> But the actual patch seems fine.  Please build without -sa and upload
> to security-master.  Thanks!

I have fixed the mistake in the changelog, built the package and
uploaded the result.

-- 
Arto Jantunen




Information forwarded to debian-bugs-dist@lists.debian.org, Arto Jantunen <viiru@debian.org>:
Bug#679272; Package bcfg2-server. (Thu, 28 Jun 2012 17:03:05 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Arto Jantunen <viiru@debian.org>. (Thu, 28 Jun 2012 17:03:05 GMT)

Message #30 received at 679272@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Arto Jantunen <viiru@debian.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, <679272@bugs.debian.org>
Subject: Re: Bug#679272: bcfg2-server: unescaped shell command issues in the Trigger plugin
Date: Thu, 28 Jun 2012 18:00:47 +0100
On 28.06.2012 16:56, Arto Jantunen wrote:
> Florian Weimer <fw@deneb.enyo.de> writes:
>> There's a spurious diff in the changelog:
>>
>>  bcfg2 (1.0.1-3+squeeze1) stable-security; urgency=high
>>
>>    * Apply patch from Chris St. Pierre to fix several problems with
>> -    unescaped shell commands (Closes: #640028).
>> +    unescaped shell commands
>>
>> But the actual patch seems fine.  Please build without -sa and 
>> upload
>> to security-master.  Thanks!
>
> I have fixed the mistake in the changelog, built the package and
> uploaded the result.

That upload appears to have hit ftp-master, rather than 
security-master, so the package is currently in proposed-updates; I've 
flagged that copy for rejection.

Regards,

Adam




Reply sent to Arto Jantunen <viiru@debian.org>:
You have taken responsibility. (Sat, 30 Jun 2012 09:49:22 GMT)

Notification sent to Arto Jantunen <viiru@debian.org>:
Bug acknowledged by developer. (Sat, 30 Jun 2012 09:49:36 GMT)

Message #35 received at 679272-close@bugs.debian.org:

From: Arto Jantunen <viiru@debian.org>
To: 679272-close@bugs.debian.org
Subject: Bug#679272: fixed in bcfg2 1.0.1-3+squeeze2
Date: Sat, 30 Jun 2012 09:47:13 +0000
Source: bcfg2
Source-Version: 1.0.1-3+squeeze2

We believe that the bug you reported is fixed in the latest version of
bcfg2, which is due to be installed in the Debian FTP archive:

bcfg2-server_1.0.1-3+squeeze2_all.deb
  to main/b/bcfg2/bcfg2-server_1.0.1-3+squeeze2_all.deb
bcfg2_1.0.1-3+squeeze2.debian.tar.gz
  to main/b/bcfg2/bcfg2_1.0.1-3+squeeze2.debian.tar.gz
bcfg2_1.0.1-3+squeeze2.dsc
  to main/b/bcfg2/bcfg2_1.0.1-3+squeeze2.dsc
bcfg2_1.0.1-3+squeeze2_all.deb
  to main/b/bcfg2/bcfg2_1.0.1-3+squeeze2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 679272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arto Jantunen <viiru@debian.org> (supplier of updated bcfg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 27 Jun 2012 13:34:38 +0300
Source: bcfg2
Binary: bcfg2 bcfg2-server
Architecture: source all
Version: 1.0.1-3+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Arto Jantunen <viiru@debian.org>
Changed-By: Arto Jantunen <viiru@debian.org>
Description: 
 bcfg2      - Configuration management client
 bcfg2-server - Configuration management server
Closes: 679272
Changes: 
 bcfg2 (1.0.1-3+squeeze2) stable-security; urgency=high
 .
   * Backport upstream patch to fix unescaped shell command issues in the
     Trigger plugin (Closes: #679272)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:31:00 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 05:42:14 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.