CVE-2012-3366 | Ubuntu

Description

The Trigger plugin in bcfg2 1.2.x before 1.2.3 allows remote attackers with root access to the client to execute arbitrary commands via shell metacharacters in the UUID field to the server process (bcfg2-server). This is very similar to a flaw discovered last year in a large number of other plugins; this instance was not fixed at that time because Trigger uses a different method to invoke external shell commands, and because Trigger previously hid all errors from trigger scripts, so tests did not find the issue. As a side effect of this change, Trigger will begin reporting errors from triggered scripts. This only affects the Trigger plugin; if you are not using Trigger, you are not affected by this flaw. As a workaround, you can disable Trigger until you are able to upgrade."

Status

Show unmaintained releases

Package	Ubuntu Release	Status
bcfg2	13.10 saucy	Not affected
	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	11.10 oneiric	Ignored end of life
	11.04 natty	Ignored end of life
	10.04 LTS lucid	Ignored end of life
	8.04 LTS hardy	Ignored end of life

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
bcfg2	Upstream: 46795ae Upstream: f4a35ef Vendor: http://www.debian.org/security/2012/dsa-2503

References

Other references

https://www.cve.org/CVERecord?id=CVE-2012-3366