Project

General

Profile

Actions

Bug #19442

closed

Command injection in plugins repository file names

Added by Alexis Mousset over 3 years ago. Updated over 1 year ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Error - Fixed
Regression:

Description

Currently rudder-pkg runs a gpg command in a shell after downloading a file from the server.

One of the gpg command parameter is built from the remote file name, it is hence possible to run a command as root with a specially crafted file name.

This happens before signature check so an attacker would only have to impersonnate the plugins server (which uses https by default) to take control of a server.


Subtasks 3 (0 open3 closed)

Bug #19480: Parent ticket break the plugin scripts executionReleasedAlexis MoussetActions
Bug #19516: Incorrect program executionReleasedFélix DALLIDETActions
Bug #19523: Improve command error messageReleasedAlexis MoussetActions
Actions

Also available in: Atom PDF