Bug 424025 (CVE-2012-3366) - <app-admin/bcfg2-1.2.2-r1 Trigger plugin remote client privilege escalation (CVE-2012-3366)
Status: RESOLVED FIXED
Alias: CVE-2012-3366
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://trac.mcs.anl.gov/projects/bcfg...
Whiteboard: ~0 [noglsa]
Reported: 2012-06-29 06:27 UTC by Michael Weber (RETIRED)
Modified: 2012-07-10 23:58 UTC
Description Michael Weber (RETIRED) gentoo-dev 2012-06-29 06:27:36 UTC
As seen on http://www.debian.org/security/2012/dsa-2503

Quoting the upstream announcement (written by Chris St. Pierre):

"We have found a major security flaw in the Trigger plugin that would allow a
malicious user who has root access to a Bcfg2 client to run arbitrary commands
on the server as the user the bcfg2-server process is running as by passing a
malformed UUID.

This is very similar to a flaw discovered last year in a large number of other
plugins; this instance was not fixed at that time because Trigger uses a
different method to invoke external shell commands, and because Trigger
previously hid all errors from trigger scripts, so tests did not find the
issue.  As a side effect of this change, Trigger will begin reporting errors
from triggered scripts.

This only affects the Trigger plugin; if you are not using Trigger, you are
not affected by this flaw.  As a workaround, you can disable Trigger until you
are able to upgrade."


The corresponding changeset [1] will be included in app-admin/bcfg2-1.2.2-r1.
Comment 1 Michael Weber (RETIRED) gentoo-dev 2012-06-29 06:29:31 UTC
+*bcfg2-1.2.2-r1 (29 Jun 2012)
+
+  29 Jun 2012; Michael Weber <xmw@gentoo.org> +bcfg2-1.2.2-r1.ebuild,
+  +files/bcfg2-1.2.2-CVE-2012-3366-Trigger-plugin.patch:
+  Revbump to fix trigger plugin security problem (bug 424025)
+
Comment 2 Michael Weber (RETIRED) gentoo-dev 2012-06-29 06:34:42 UTC
+  29 Jun 2012; Michael Weber <xmw@gentoo.org> package.mask:
+  Mask <app-admin/bcfg2-1.2.2-r1 for security, bug 424025)
+
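Review bot: The package.mask entry ends with an unmatched closing parenthesis ("bug 424025)"). Either drop the ")" or open the parenthesis before "bug", as the revbump entry does with "(bug 424025)", so that both entries reference the bug in the same form.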
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-07-10 23:56:27 UTC
CVE-2012-3366 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3366):
  The Trigger plugin in bcfg2 1.2.x before 1.2.3 allows remote attackers with
  root access to the client to execute arbitrary commands via shell
  metacharacters in the UUID field to the server process (bcfg2-server).
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-10 23:58:53 UTC
Thanks, everyone. 

Closing noglsa for ~arch only
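
The flaw class named in the upstream announcement and the CVE text above (a client-supplied UUID reaching a shell command line), shown as an added example; it is not Bcfg2's code or the upstream patch. The function names, the `-u` argument layout and the sample values are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Assumption: the server expects canonical 8-4-4-4-12 hexadecimal UUIDs.
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_safe_uuid(value):
    """Accept only a canonical UUID; anything else is rejected outright."""
    return isinstance(value, str) and UUID_RE.fullmatch(value) is not None


def shell_string(script, hostname, uuid):
    """'Before' pattern, built but never executed: client data in a shell line."""
    return "%s %s -u %s" % (script, hostname, uuid)


def run_trigger(script_argv, hostname, uuid, timeout=30):
    """Hardened pattern: validate, pass an argument vector, report failures."""
    if not is_safe_uuid(uuid):
        raise ValueError("malformed client UUID rejected: %r" % (uuid,))
    argv = list(script_argv) + [hostname, "-u", uuid]
    # shell=False: no shell parses argv, so metacharacters carry no meaning.
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    # Return status and stderr so the caller can log trigger errors
    # instead of hiding them.
    return proc.returncode, proc.stdout, proc.stderr


# Constructed sample data (not taken from the bug report).
GOOD_UUID = "123e4567-e89b-12d3-a456-426614174000"
BAD_UUID = GOOD_UUID + "; echo injected"
# Stand-in trigger script: prints the arguments it received.
ECHO_ARGS = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

if __name__ == "__main__":
    print("shell would parse:", shell_string("trigger.sh", "client1", BAD_UUID))
    print("argv run:", run_trigger(ECHO_ARGS, "client1", GOOD_UUID))
    try:
        run_trigger(ECHO_ARGS, "client1", BAD_UUID)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation and the argument vector are independent layers: the allow-list also blocks values that begin with `-`, which an argument vector alone would pass through as an option.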