Univention Bugzilla – Full Text Bug Listing

Summary: | code execution vulnerability in updater module | | |
---|---|---|---|
Product: | UCS | Reporter: | Florian Best <best> |
Component: | UMC - Software update | Assignee: | Florian Best <best> |
Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
Severity: | critical | | |
Priority: | P5 | CC: | gohmann, walkenhorst |
Version: | UCS 4.0 | | |
Target Milestone: | UCS 4.1-0-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=40354 | | |
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | | Enterprise Customer affected?: | |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | | Bug group (optional): | Security |
Max CVSS v3 score: | | | |
Bug Depends on: | | | |
Bug Blocks: | 40354 | | |

Description
Florian Best
2015-11-17 12:00:18 CET
There were 2 different types of injections:

1. The unquoted use of detail as command argument. This has been fixed by quoting it and restricting the general character set of detail.
2. The atjob comments didn't encode newlines so that comments could be used to inject code. The whole command and detail as well as some other things were stored as comments. Example: detail='\ntouch /tmp/hacked;' This has been fixed by removing every unneeded comment.

I also switched to the usage of univention.lib.atjobs instead of its own implementation. There I fixed that atjob comments are encoded so that command execution is not possible. This is also necessary to fix Bug #40354.

Backwards compatibility with the old univention-updater-atjob format does not seem necessary. Nevertheless I added a fallback detection of the currently running update process via psutil if no atjob was found.

A ucs-test case for univention.lib.atjobs comments has also been added.

ucs-test (6.0.31-9):
r66621 | Bug #39993: add test case for univention.lib.atjobs comments

univention-updater (11.0.7-11):
r66589 | Bug #39993: fix code execution vulnerability
r66588 | Bug #39993: fix code execution vulnerability

univention-lib (5.0.0-14):
r66620 | Bug #40354: Bug #39993: encode atjob comments

Code review: OK
Tests: OK. Updater module still works as expected. I was unable to reproduce the original issue.
YAML: OK
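
The two injection types from the report above, shown as an added Python example (not Univention's code and not the univention.lib.atjobs implementation): the pre-fix pattern next to a quoted, allow-listed argument and single-line encoded comments. The allow-list pattern, the percent-encoding scheme, the function names and the command path are assumptions; the report says only that detail was quoted and restricted and that comments are now encoded.

```python
import re
import shlex
from urllib.parse import quote, unquote

# Assumed allow-list: the report says only that the character set was restricted.
DETAIL_ALLOWED = re.compile(r"[A-Za-z0-9._-]+")


def job_before(command, detail):
    """Pre-fix pattern: raw value in a comment and as an unquoted argument."""
    return "# detail: %s\n%s %s\n" % (detail, command, detail)


def comment_line(key, value):
    """Percent-encode so that a comment can never span more than one line."""
    return "# %s: %s" % (quote(key, safe=""), quote(value, safe=""))


def parse_comment(line):
    """Inverse of comment_line(): recover the original key and value."""
    key, _, value = line[2:].partition(": ")
    return unquote(key), unquote(value)


def job_after(command, detail, comments):
    # fullmatch, not match() with "$": "$" would accept a trailing newline.
    if not DETAIL_ALLOWED.fullmatch(detail):
        raise ValueError("rejected detail: %r" % detail)
    lines = [comment_line(k, v) for k, v in sorted(comments.items())]
    lines.append("%s %s" % (command, shlex.quote(detail)))
    return "\n".join(lines) + "\n"


def shell_lines(script):
    """Lines a shell would execute: everything that is not blank or a comment."""
    return [l for l in script.splitlines() if l.strip() and not l.startswith("#")]


PAYLOAD = "\ntouch /tmp/hacked;"  # value quoted in the report
CMD = "/usr/bin/example-updater"  # hypothetical command name

if __name__ == "__main__":
    print(shell_lines(job_before(CMD, PAYLOAD)))                    # payload escapes the comment
    print(shell_lines(job_after(CMD, "4.1-0", {"note": PAYLOAD})))  # only the intended command
```
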