503694 – (CVE-2012-6639) <app-emulation/cloud-init-0.7.2 : insecure transmission of EC2 instance data can lead to root privilege escalation (CVE-2012-6639)

Bug 503694 (CVE-2012-6639) - <app-emulation/cloud-init-0.7.2 : insecure transmission of EC2 instance data can lead to root privilege escalation (CVE-2012-6639)

Summary: <app-emulation/cloud-init-0.7.2 : insecure transmission of EC2 instance data ...

Status:	RESOLVED FIXED

Alias:	CVE-2012-6639

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	~1 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-03-07 06:10 UTC by Agostino Sarubbo
Modified:	2014-03-07 06:11 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2014-03-07 06:10:05 UTC

From ${URL} :

It was reported [1],[2] that cloud-init could send requests for EC2 instance data to untrusted 
systems.  This could allow someone who has control over a suitable domain name to obtain root 
rights on an affected system.

This issue was found and silently fixed in 2012; version 0.7.0 contains the fix [3].

[1] http://seclists.org/oss-sec/2014/q1/514
[2] https://bugs.launchpad.net/cloud-init/+bug/1040200
[3] http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/635

Comment 1 Agostino Sarubbo gentoo-dev

2014-03-07 06:11:17 UTC

Filed for tracking purpose.