Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 12 Apr 2012 10:12:26 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>, David Black <disclosure@....org>
Subject: Re: CVE request: cobbler lack of csrf protection,
 code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/12/2012 05:46 AM, Jan Lieskovsky wrote:
> Thank you for this post, David.
> 
> Just administrative note -- all of these security issues should get
> CVE-2011-* CVE identifiers, as all of the Ubuntu bugs have been
> reported in 2011 yet (2011-09-28 exactly).
> 
> On 04/12/2012 11:39 AM, David Black wrote:
>> Hi, I reported some bugs a while ago in cobbler which never
>> received CVE ID, could the follow bugs receive CVE ID ? 1. lack
>> of csrf protection in the cobbler web interface (vulnerable to 
>> csrf attacks) 
>> https://bugs.launchpad.net/ubuntu/oneiric/+source/cobbler/+bug/858878
>
>> 
> Some further references / patches information I was able to found: 
> 1) Ubuntu patch by Robie Basak:
> 
> http://bazaar.launchpad.net/~racb/ubuntu/oneiric/cobbler/858878_858883/revision/53
>
> 
> 
> 2) Red Hat bugzilla entry: 
> https://bugzilla.redhat.com/show_bug.cgi?id=811937

Please use CVE-2011-4952 for this issue (CSRF).

>> 2. code execution on the cobbler host through use of yaml.loads
>> on potentially untrusted user input 
>> https://bugs.launchpad.net/ubuntu/oneiric/+source/cobbler/+bug/858883
>
>> 
> Though only yaml.load privilege escalation vector has been
> mentioned in this post, from further look noticed two ways for
> privilege escalation: 1) (possibly remote) privilege escalation via
> yaml.load / by processing management parameters:
> 
> References: 
> https://bugs.launchpad.net/ubuntu/oneiric/+source/cobbler/+bug/858883
>
> 
(Ubuntu bug)
> 
> Ubuntu patch from Robie Basak: * Backport safe YAML load from
> upstream. (LP: #858883):
> 
> http://bazaar.launchpad.net/~racb/ubuntu/oneiric/cobbler/858878_858883/revision/54
>
> 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=811920 (Red Hat bug)

Please use CVE-2011-4953 for this issue (yaml.load).


> 2) local privilege escalation due to insecure use of
> PYTHON_EGG_CACHE location:
> 
> References: 
> https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/858875
> (Ubuntu bug) https://fedorahosted.org/cobbler/ticket/688 (upstream
> ticket)
> 
> https://d-feet.fedorahosted.org/cobbler/attachment/ticket/688/58_fix_egg_cache.patch
>
>  (relevant upstream patch) 
> https://bugzilla.redhat.com/show_bug.cgi?id=811926 (Red Hat bug)

Please use CVE-2011-4954 for this issue (PYTHON_EGG_CACHE).

> Kurt, could you allocate three 2011 CVE ids for these issues? i)
> the first for CSRF issue, ii)  the second for the yaml.load priv
> esc issue, iii) the third for the PYTHON_EGG_CACHE local priv esc
> issue
> 
> David, would be great if you could confirm the three ids are
> necessary.
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 
>> 
>> -- Thank you.
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPhv7qAAoJEBYNRVNeJnmT+gMP/31vupdJ6Xfi/ic4i3zfxtYj
+yUYtODnMV3oyJqWbpC6Di1vnImAPGKG76gGUaoXQk6/e9sbz2P5EipCJbwQ9KHk
+0tzVxdYUJYAdN2Wi91Md7dkdKnkfAd4nN7NhVO3PsLXOGV/Dq793KNfK7pkqEgV
IJ/sXGcx947Onh5eZAjK3cHNczb0osRw7yIdlHG/0f0ylSGnXgyRKsFLTq/erV5F
ef2jq6E/X1UnGBm1svuw2clhb7FRnihvtt+pnttaXN1flCoL6nUQ4wjndjZxEa7d
IcnkIoz7oUQVLlCemnhDL+FbOWOhKFLqCPAC4awgx5OKa5aoxZNkC6HB/wd4VFvp
49zCZooGCwGDpEXjHvWjuCIKohCzUKVLyqQOs2cMaLNzrdAovuyJibpvYrqBcMBY
wQO0ACyz/if1UE4edZh3pOxcLPN5tSOgEZ5DLWGEENaHJVq3yJDuy/NtFvA5N7aN
ODWKSzYS91zq5Rc16cNj9anFe7zkDOmy9khnKFf3CeEGODEh/G0jp0YZ06hmHLgP
ybYcX//ao9UOYco7vlc00fPkfNJgH+3detaCIXYEobz6brgvK3QmXQvpi4FrRLAH
ALO4YlQmNmmQdU6BmAtmQIG/0KSOkt8i8QYWnWMaJAET4/0VgFujl8mP0JUIQ2gM
KgCGfp5YrEoVdVQRWZOC
=Bzh3
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.