Actions
Bug #19442
closed
Command injection in plugins repository file names
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Error - Fixed
Regression:
Description
Currently rudder-pkg runs a gpg command in a shell after downloading a file from the server.
One of the gpg command parameter is built from the remote file name, it is hence possible to run a command as root with a specially crafted file name.
This happens before signature check so an attacker would only have to impersonnate the plugins server (which uses https by default) to take control of a server.
Updated by Alexis Mousset over 3 years ago
- Description updated (diff)
- Assignee set to Félix DALLIDET
Updated by Félix DALLIDET over 3 years ago
- Status changed from New to In progress
Updated by Félix DALLIDET over 3 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Félix DALLIDET to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/3681
Updated by Félix DALLIDET over 3 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|26f2635246ba0676943a6b248a2c114033912659.
Updated by Alexis Mousset over 3 years ago
- Fix check changed from To do to Error - Blocking
Updated by Alexis Mousset over 3 years ago
The first use of rudder-pkg fails with:
centos8_server: downloading https://download.rudder.io/plugins/licenses/demo-normation/license.key
centos8_server: Could not execute ['gpg', '--batch', '--homedir', '/opt/rudder/etc/rudder-pkg', '--command-fd', '0', '--edit-key', '"Rudder Project"', 'trust', 'quit']
Updated by Vincent MEMBRÉ over 3 years ago
- Fix check changed from Error - Blocking to Error - Fixed
Updated by Vincent MEMBRÉ over 3 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.1.14 and 6.2.8 which were released today.
Actions