
Bug 626100 (CVE-2017-11610)

Summary: <app-admin/supervisor-{3.1.4, 3.3.3}: command injection vulnerability
Product: Gentoo Security
Reporter: Louis Sautier (sbraz) <sbraz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: flopwiki, proxy-maint, sbraz
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/Supervisor/supervisor/issues/964
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: No

Description Louis Sautier (sbraz) gentoo-dev 2017-07-24 22:06:55 UTC
A vulnerability was found where an authenticated client can send a malicious XML-RPC request to ``supervisord`` that will run arbitrary shell commands on the server.  The commands will be run as the same user as ``supervisord``. Depending on how ``supervisord`` has been configured, this may be root.

The issue is fixed in 3.1.4 and 3.3.3.
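Added example, not supervisor's own code and not from this bug or the upstream issue: a simplified Python 3 model of the bug class the description refers to. An XML-RPC dispatcher that resolves the request's dotted methodName by repeated getattr() lets an authenticated client walk off the intended API surface, through internal state and module references, until the name resolves to os.system; the dispatcher then calls that with the request parameters. The hardened resolver beside it shows the checks such a dispatcher needs. The class names, the `options.subprocess` attribute and the EVIL_METHOD string are illustrative assumptions, not the real attribute chain.

```python
"""
Toy model of the bug class behind CVE-2017-11610: an XML-RPC dispatcher that
resolves a dotted method name by walking getattr() one segment at a time, so
an attacker-chosen methodName can wander into module globals and reach
os.system.  Added for this page; not supervisor's own code.  Class names, the
`options.subprocess` attribute and EVIL_METHOD are illustrative assumptions.
"""
import os
import subprocess  # any module reachable from the object graph exposes its globals
import types


class Fault(Exception):
    """Stand-in for an XML-RPC fault (UNKNOWN_METHOD)."""


class Options:
    """Server configuration object.  Holding a reference to a module (here
    subprocess, an assumption standing in for the real attribute chain) is
    enough to make subprocess.os.system reachable via getattr()."""

    def __init__(self):
        self.subprocess = subprocess


class SupervisorNamespace:
    """A registered RPC namespace: only public methods are meant to be remote."""

    def __init__(self, options):
        self.options = options  # internal state, not part of the API

    def getState(self):
        return {"statename": "RUNNING"}

    def _private(self):
        return "not an API method"


class RootObject:
    """Root of the RPC tree; attribute name == namespace name."""

    def __init__(self):
        self.supervisor = SupervisorNamespace(Options())


# Constructed attacker-controlled methodName (assumption: same shape as a
# traversal ending in os.system; the exact chain is not from the page).
EVIL_METHOD = "supervisor.options.subprocess.os.system"


def traverse_vulnerable(root, method):
    """Resolve every dotted segment with getattr(): whatever the walk ends on
    is handed back to the dispatcher, which would call it with the request's
    params.  Nothing restricts the walk to registered API methods."""
    ob = root
    for part in method.split("."):
        ob = getattr(ob, part, None)
        if ob is None:
            raise Fault("UNKNOWN_METHOD")
    return ob


def traverse_hardened(root, method):
    """Allow exactly `namespace.method`, refuse underscore-prefixed names, and
    require the target to be a bound method of the registered namespace
    object, so traversal into internal state or modules is impossible."""
    parts = method.split(".")
    if len(parts) != 2:
        raise Fault("UNKNOWN_METHOD")
    namespace, name = parts
    if namespace.startswith("_") or name.startswith("_"):
        raise Fault("UNKNOWN_METHOD")
    iface = getattr(root, namespace, None)
    if iface is None:
        raise Fault("UNKNOWN_METHOD")
    func = getattr(iface, name, None)
    if not isinstance(func, types.MethodType):
        raise Fault("UNKNOWN_METHOD")
    return func


def is_shell_sink(obj):
    """True when the resolved target is the os.system shell sink."""
    return obj is os.system


def hardened_rejects(method):
    """True when the hardened resolver refuses the method name."""
    try:
        traverse_hardened(RootObject(), method)
    except Fault:
        return True
    return False


if __name__ == "__main__":
    root = RootObject()
    # The vulnerable resolver returns os.system itself (deliberately not called).
    print("vulnerable resolves to:", traverse_vulnerable(root, EVIL_METHOD))
    print("hardened rejects evil name:", hardened_rejects(EVIL_METHOD))
    print("hardened legit call:", traverse_hardened(root, "supervisor.getState")())
```

The vulnerable resolver returns the os.system function object for EVIL_METHOD while still serving `supervisor.getState` normally, which is why the bug is invisible to ordinary clients. The hardened version fails closed with the same fault for a traversal attempt, a private method, a non-method attribute and a bare namespace, so nothing reachable by getattr() is callable unless it is a bound method of a registered namespace. The bug is reachable only by an authenticated client, so the credentials on the XML-RPC socket remain the first control; the code-level fix removes the escalation from "can talk to supervisord" to "can run shell commands as supervisord's user".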
Comment 1 Louis Sautier (sbraz) gentoo-dev 2017-07-24 22:50:06 UTC
PR here: https://github.com/gentoo/gentoo/pull/5205
Comment 2 Louis Sautier (sbraz) gentoo-dev 2017-07-26 18:39:00 UTC
Vulnerable versions removed from the tree:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=820ed95555d025e4b0abb3f34a2e1cb95603b6de
Comment 3 D'juan McDonald (domhnall) 2017-08-23 16:56:31 UTC
*** Bug 628724 has been marked as a duplicate of this bug. ***
Comment 4 D'juan McDonald (domhnall) 2017-08-23 17:58:50 UTC
@maintainer(s), Thank you for your work. ping @Security, please follow procedure to close on report, thank you.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:46:39 UTC
This issue was resolved and addressed in GLSA 201709-06 at https://security.gentoo.org/glsa/201709-06
by GLSA coordinator Aaron Bauman (b-man).