Public bug reported:

Cockpit 270 introduced a possible local privilege escalation
vulnerability with deleting diagnostic reports (sosreport). Files in
/var/tmp/ are controllable by any user. In particular, an unprivileged
user could create an sosreport* file containing a ' and a shell command,
which would then run with root privileges when the admin Cockpit user
tried to delete the report.

Cockpit version 314 fixes the problem by removing the files with direct
system calls instead of a shell command. Specifically, this commit:
https://github.com/cockpit-project/cockpit/commit/9c4cc9b6df632082538b53bdc8ee9ec1c5cad4da

Thus the only affected released version is in 23.10 mantic; 22.04 LTS
is older (264). The backports version is affected, though. 314 has been
in noble-proposed for a while, but it'll probably take several more
weeks to sort out the massive uninstallability and autopkgtest queue
before it can land in noble proper (and thus the backports of mantic and
jammy get updated).
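To make the bug class concrete, here is an added illustration (not Cockpit's own code, and not the upstream fix) of the two patterns the report contrasts: a shell line built by wrapping the report name in single quotes, which a name containing a `'` breaks out of, and a direct unlink through a directory file descriptor that never touches a shell. The function names, the `is_single_command` check and the sample names are constructed for this example; it assumes Linux, where `os.unlink` accepts `dir_fd`.

```python
import os
import shlex

REPORT_DIR = "/var/tmp"  # sosreport writes its archives here; any user can create files


def unsafe_rm_command(name: str) -> str:
    """Vulnerable pattern: interpolate the name into a shell line with naive quoting.

    A name containing a single quote closes the quoted argument early, so the
    rest of the name is parsed as further shell syntax by whoever runs this line.
    """
    return f"rm -f '{REPORT_DIR}/{name}'"


def is_single_command(cmd: str) -> bool:
    """Return True only if the line parses as one simple command (no ; | & etc.).

    Used here purely as a check: it shows that a crafted name changes the
    structure of the command rather than staying inside a quoted argument.
    """
    try:
        tokens = list(shlex.shlex(cmd, posix=True, punctuation_chars=True))
    except ValueError:
        return False  # unbalanced quotes: not a well-formed single command
    return not any(tok in (";", "&&", "||", "|", "&") for tok in tokens)


def delete_report(name: str, report_dir: str = REPORT_DIR) -> None:
    """Hardened pattern: validate the bare file name, then unlink via a system call.

    No shell is involved, so quote characters, spaces or ';' in the name are
    just bytes in a path. The directory is opened with O_NOFOLLOW and the
    unlink is done relative to that descriptor, so a symlink swapped in for
    the directory is not followed either.
    """
    if not name or name != os.path.basename(name) or not name.startswith("sosreport"):
        raise ValueError("refusing to delete unexpected path: %r" % name)
    dfd = os.open(report_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.unlink(name, dir_fd=dfd)
    finally:
        os.close(dfd)
```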

** Affects: cockpit (Ubuntu)
     Importance: High
     Assignee: Martin Pitt (pitti)
         Status: Fix Committed

** Affects: cockpit (Ubuntu Mantic)
     Importance: Medium
         Status: Triaged

** Affects: cockpit (Ubuntu Noble)
     Importance: High
     Assignee: Martin Pitt (pitti)
         Status: Fix Committed


** Tags: mantic noble

** Changed in: cockpit (Ubuntu)
     Assignee: (unassigned) => Martin Pitt (pitti)

** Also affects: cockpit (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Also affects: cockpit (Ubuntu Noble)
   Importance: High
     Assignee: Martin Pitt (pitti)
       Status: New

** Changed in: cockpit (Ubuntu Noble)
       Status: New => Fix Committed

** Changed in: cockpit (Ubuntu Mantic)
   Importance: Undecided => Medium

** Changed in: cockpit (Ubuntu Mantic)
       Status: New => Triaged

https://bugs.launchpad.net/bugs/2060014

Title:
  CVE-2024-2947 command injection when deleting a sosreport with a
  crafted name



-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
