lack of csrf protection in cobbler-web

Bug #858878 reported by David
Affects             Status    Importance  Assigned to   Milestone
cobbler (Ubuntu)    Invalid   High        Robie Basak
Oneiric             Invalid   High        Robie Basak
Precise             Invalid   High        Robie Basak

Bug Description

While cobbler makes use of the Django web framework, it does not make use of the built-in CSRF protection, leaving the web interface vulnerable to CSRF attacks.

Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git20110602-0ubuntu25).
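The check the report says cobbler-web was missing, modelled in plain Python as an added example (this is neither cobbler nor Django code). It reproduces the rule Django's CsrfViewMiddleware applies to unsafe methods: the value in the csrftoken cookie must match the token submitted in the form (or an X-CSRFToken header). The request dicts, the SYSTEMS store and the delete_system_* handlers are hypothetical stand-ins for a cobbler-web view; the forged request models a form auto-submitted from an attacker's page, where the browser attaches the victim's cookies but the attacker cannot read them.

```python
"""Model of the double-submit CSRF check Django's CsrfViewMiddleware performs.
Added example; the handlers and state below are hypothetical, not cobbler code."""
import hmac
import secrets

# Methods the middleware does not check (it assumes they are read-only).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Toy server-side state standing in for cobbler's system records (constructed).
SYSTEMS: dict = {}


def new_csrf_token() -> str:
    """Per-session secret. Django keeps it in the csrftoken cookie and renders
    the same value into forms through {% csrf_token %}."""
    return secrets.token_hex(32)


def csrf_check(request: dict) -> tuple:
    """Return (accepted, reason) for a request dict with keys
    method, cookies, form, headers."""
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method, not checked"
    cookie = request.get("cookies", {}).get("csrftoken")
    if not cookie:
        return False, "CSRF cookie not set"
    submitted = (request.get("form", {}).get("csrfmiddlewaretoken")
                 or request.get("headers", {}).get("X-CSRFToken"))
    if not submitted:
        return False, "CSRF token missing"
    if not hmac.compare_digest(cookie, submitted):  # constant-time compare
        return False, "CSRF token incorrect"
    return True, "ok"


def delete_system_unprotected(request: dict) -> int:
    """The pattern the bug describes: a state-changing view that trusts the
    session cookie alone. Returns an HTTP-style status code."""
    SYSTEMS.pop(request["form"]["name"], None)
    return 200


def delete_system_protected(request: dict) -> int:
    """The same view behind the CSRF check, as the middleware would wrap it."""
    ok, _reason = csrf_check(request)
    if not ok:
        return 403
    SYSTEMS.pop(request["form"]["name"], None)
    return 200


def forged_request(session_cookies: dict, name: str) -> dict:
    """Cross-site POST: cookies are attached by the browser, but the attacker's
    page cannot read them, so no matching csrfmiddlewaretoken is present."""
    return {"method": "POST", "cookies": dict(session_cookies),
            "form": {"name": name}, "headers": {}}


def legitimate_request(session_cookies: dict, name: str) -> dict:
    """A form rendered by the site itself, carrying the token from the cookie."""
    return {"method": "POST", "cookies": dict(session_cookies),
            "form": {"name": name,
                     "csrfmiddlewaretoken": session_cookies["csrftoken"]},
            "headers": {}}


def demo() -> dict:
    """Run the forged and legitimate requests against both handlers."""
    SYSTEMS.clear()
    SYSTEMS.update({"web01": {}, "db01": {}})
    cookies = {"sessionid": "victim-session", "csrftoken": new_csrf_token()}
    results = {}
    # Without the check, the forged POST deletes the record.
    results["unprotected_forged"] = delete_system_unprotected(forged_request(cookies, "web01"))
    results["web01_gone"] = "web01" not in SYSTEMS
    # With the check, the same forged POST is refused and the record survives.
    results["protected_forged"] = delete_system_protected(forged_request(cookies, "db01"))
    results["db01_survives"] = "db01" in SYSTEMS
    # The site's own form still works.
    results["protected_legit"] = delete_system_protected(legitimate_request(cookies, "db01"))
    results["db01_gone"] = "db01" not in SYSTEMS
    # Caveat: safe methods are never checked, so a GET that mutates state
    # stays forgeable even with the middleware enabled.
    results["get_not_checked"] = csrf_check(
        {"method": "GET", "cookies": {}, "form": {}, "headers": {}})[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Enabling the middleware is only half of the fix: every form template must also render the token, and any view that mutates state over GET is still forgeable, because the middleware deliberately skips safe methods.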

David (d--)
description: updated
David (d--)
visibility: private → public
Changed in cobbler (Ubuntu):
importance: Undecided → High
Dave Walker (davewalker)
Changed in cobbler (Ubuntu):
milestone: none → precise-alpha-1
Jamie Strandboge (jdstrand) wrote:

While this is targeted for Precise, it also is going to need to be backported to Oneiric as this is a security vulnerability.

Changed in cobbler (Ubuntu Precise):
milestone: none → precise-alpha-1
Changed in cobbler (Ubuntu Oneiric):
milestone: precise-alpha-1 → oneiric-updates
Changed in cobbler (Ubuntu Precise):
importance: Undecided → High
Changed in cobbler (Ubuntu Precise):
status: New → Triaged
Changed in cobbler (Ubuntu Oneiric):
status: New → Triaged
Robie Basak (racb)
Changed in cobbler (Ubuntu Oneiric):
assignee: nobody → Robie Basak (racb)
Changed in cobbler (Ubuntu Precise):
assignee: nobody → Robie Basak (racb)
Kate Stewart (kate.stewart) wrote:

Moving milestone to alpha-2, and starting tracking on this since it missed alpha-1 milestone target.

Changed in cobbler (Ubuntu Precise):
milestone: precise-alpha-1 → precise-alpha-2
Robie Basak (racb) wrote:

This bug was fixed in the package cobbler - 2.2.2-0ubuntu1, but evidently got omitted from the changelog entry. I have just verified that CSRF protection in Precise (2.2.2-0ubuntu6) is working correctly.

Still pending: SRU for Oneiric.

Changed in cobbler (Ubuntu Precise):
status: Triaged → Fix Released
Robie Basak (racb) wrote:

I've prepared an upload for oneiric-security (lp:~racb/ubuntu/oneiric/cobbler/security_201112) but this still needs review and testing.

Tyler Hicks (tyhicks) wrote:

Hi Robie - Thanks for the oneiric-security branch! I've reviewed the diff and it looks mostly good. There are a few very minor touch-ups that will be needed to the changelog:

1) Make the patch attribution style in the changelog match the examples here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

2) The last bullet says that the change is to debian/cobbler.postinst, but it is actually to debian/cobbler-web.postinst

Those are very minor and something the security team can do if there are no other changes needed to be made.

However, there is one technical concern that I have with the fix for bug 858860. It doesn't seem to do anything for existing cobbler installations. In other words, if you already have a world-readable users.digest, it will stay that way after the package upgrade.

Finally, have you had a chance to do testing in Oneiric? If so, can you provide some details on the testing that was performed?

Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the issues above have been fixed.

Changed in cobbler (Ubuntu Oneiric):
status: Triaged → Incomplete
tags: added: patch-needswork
Robie Basak (racb) wrote:

I have prepared lp:~racb/ubuntu/oneiric/cobbler/858878_security which addresses all of Tyler's points (thanks for the review!). Details of testing to follow.

Jamie Strandboge (jdstrand) wrote:

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Changed in cobbler (Ubuntu):
status: Fix Released → Invalid
Changed in cobbler (Ubuntu Oneiric):
status: Incomplete → Invalid