381543 – (CVE-2011-3211) <app-admin/bcfg2-{1.2.0_rc2,1.1.3}: Shell Command Injection (CVE-2011-3211)

Bug 381543 (CVE-2011-3211) - <app-admin/bcfg2-{1.2.0_rc2,1.1.3}: Shell Command Injection (CVE-2011-3211)

Summary: <app-admin/bcfg2-{1.2.0_rc2,1.1.3}: Shell Command Injection (CVE-2011-3211)

Status:	RESOLVED FIXED

Alias:	CVE-2011-3211

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://github.com/solj/bcfg2/commit/...
Whiteboard:	~1 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-09-02 10:55 UTC by Alex Legler (RETIRED)
Modified:	2011-11-11 03:37 UTC (History)
CC List:	3 users (show)

See Also:	http://bugs.debian.org/640028
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Legler (RETIRED) archtester

2011-09-02 10:55:06 UTC

From a Debian bug (See also):
"All released stable versions of the bcfg2-server contain several cases
where data from the client is used in a shell command without properly
escaping it first. The 1.2 prerelease series has been fixed.

"At least the SSHbase plugin has been confirmed as being exploitable.
This is a remote root hole, which requires that the SSHbase plugin is
enabled and that the attacker has control of a bcfg2 client machine."

A patch for the problem has been commited [1] upstream and backported [2] to
the 1.1 series.

1: https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1d89eef7
2: https://github.com/solj/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2011-10-07 22:48:43 UTC

CVE-2011-3211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3211):
  The server in Bcfg2 1.1.2 and earlier, and 1.2 prerelease, allows remote
  attackers to execute arbitrary commands via shell metacharacters in data
  received from a client.

Comment 2 Michael Weber (RETIRED) gentoo-dev

2011-11-11 00:20:35 UTC

+*bcfg2-1.2.0_rc2 (11 Nov 2011)
+*bcfg2-1.1.3 (11 Nov 2011)
+
+  11 Nov 2011; Michael Weber <xmw@gentoo.org> -bcfg2-1.1.0.ebuild,
+  -bcfg2-1.1.2.ebuild, +bcfg2-1.1.3.ebuild, +bcfg2-1.2.0_rc2.ebuild:
+  Version bump to address security issues (bug 381543)
+

Comment 3 Tim Sammut (RETIRED) gentoo-dev

2011-11-11 03:37:42 UTC

Thanks, folks. Closing noglsa.