Ubuntu
cobbler package

lack of csrf protection in cobbler-web

Bug #858878 reported by David on 2011-09-25

This bug affects 1 person

Affects		Status	Importance	Assigned to
cobbler (Ubuntu)	Invalid	High	Robie Basak	Ubuntu precise-alpha-2
Oneiric	Invalid	High	Robie Basak	Ubuntu oneiric-updates
Precise	Invalid	High	Robie Basak	Ubuntu precise-alpha-2

Bug Description

While cobbler makes use of the django web-framework, it does not make use of the built in csrf protection, leaving the web interface vulnerable to csrf attacks.

Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git20110602-0ubuntu25).

See original description

Tags: patch-needswork

Related branches

lp:~racb/ubuntu/oneiric/cobbler/858878_858883

👁 Image
Rejected for merging into lp:ubuntu/oneiric/cobbler

Dave Walker: Pending requested 2011-11-11

Diff: 11280 lines (+10424/-53)

55 files modified

.pc/58_fix_egg_cache.patch/web/cobbler.wsgi (+10/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/filter.tmpl (+155/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/generic_edit.tmpl (+481/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/generic_list.tmpl (+192/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/import.tmpl (+47/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/ksfile_edit.tmpl (+58/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/login.tmpl (+29/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/master.tmpl (+66/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/paginate.tmpl (+22/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/templates/snippet_edit.tmpl (+54/-0)
.pc/59_add_csrf_protection.patch/web/cobbler_web/views.py (+1162/-0)
.pc/59_add_csrf_protection.patch/web/settings.py (+69/-0)
.pc/60_yaml_safe_load.patch/cobbler/api.py (+947/-0)
.pc/60_yaml_safe_load.patch/cobbler/item.py (+427/-0)
.pc/60_yaml_safe_load.patch/cobbler/modules/serializer_catalog.py (+241/-0)
.pc/60_yaml_safe_load.patch/cobbler/modules/serializer_couch.py (+136/-0)
.pc/60_yaml_safe_load.patch/cobbler/remote.py (+2547/-0)
.pc/60_yaml_safe_load.patch/cobbler/services.py (+462/-0)
.pc/60_yaml_safe_load.patch/cobbler/utils.py (+2074/-0)
.pc/60_yaml_safe_load.patch/scripts/cobbler-ext-nodes (+21/-0)
.pc/60_yaml_safe_load.patch/scripts/index.py (+199/-0)
.pc/60_yaml_safe_load.patch/scripts/services.py (+99/-0)
.pc/applied-patches (+3/-0)
cobbler/api.py (+1/-1)
cobbler/item.py (+1/-1)
cobbler/modules/serializer_catalog.py (+4/-4)
cobbler/modules/serializer_couch.py (+1/-1)
cobbler/remote.py (+2/-2)
cobbler/services.py (+1/-1)
cobbler/utils.py (+2/-2)
debian/changelog (+21/-0)
debian/cobbler-common.install (+0/-1)
debian/cobbler-web.dirs (+1/-0)
debian/cobbler-web.postinst (+3/-0)
debian/cobbler.postinst (+1/-0)
debian/control (+4/-4)
debian/patches/58_fix_egg_cache.patch (+19/-0)
debian/patches/59_add_csrf_protection.patch (+569/-0)
debian/patches/60_yaml_safe_load.patch (+158/-0)
debian/patches/series (+3/-0)
scripts/cobbler-ext-nodes (+1/-1)
scripts/index.py (+1/-1)
scripts/services.py (+1/-1)
web/cobbler.wsgi (+1/-1)
web/cobbler_web/templates/filter.tmpl (+8/-2)
web/cobbler_web/templates/generic_edit.tmpl (+1/-0)
web/cobbler_web/templates/generic_list.tmpl (+14/-4)
web/cobbler_web/templates/import.tmpl (+1/-0)
web/cobbler_web/templates/ksfile_edit.tmpl (+1/-0)
web/cobbler_web/templates/login.tmpl (+1/-0)
web/cobbler_web/templates/master.tmpl (+13/-6)
web/cobbler_web/templates/paginate.tmpl (+16/-4)
web/cobbler_web/templates/snippet_edit.tmpl (+1/-0)
web/cobbler_web/views.py (+70/-16)
web/settings.py (+2/-0)

api

lp:~racb/ubuntu/oneiric/cobbler/security_201112

lp:ubuntu/oneiric-proposed/cobbler

lp:~racb/ubuntu/oneiric/cobbler/858878_security

David (d--) on 2011-09-25

description:

updated

David (d--) on 2011-09-28

visibility:

private → public

Serge Hallyn (serge-hallyn) on 2011-09-29

Changed in cobbler (Ubuntu):
importance:	Undecided → High

Dave Walker (davewalker) on 2011-10-09

Changed in cobbler (Ubuntu):
milestone:	none → precise-alpha-1

Revision history for this message 👁 Image

Jamie Strandboge (jdstrand) wrote on 2011-10-10:

While this is targeted for Precise, it also is going to need to be backported to Oneiric as this is a security vulnerability.

Changed in cobbler (Ubuntu Precise):
milestone:	none → precise-alpha-1
Changed in cobbler (Ubuntu Oneiric):
milestone:	precise-alpha-1 → oneiric-updates
Changed in cobbler (Ubuntu Precise):
importance:	Undecided → High

Jamie Strandboge (jdstrand) on 2011-10-21

Changed in cobbler (Ubuntu Precise):
status:	New → Triaged
Changed in cobbler (Ubuntu Oneiric):
status:	New → Triaged

Robie Basak (racb) on 2011-10-25

Changed in cobbler (Ubuntu Oneiric):
assignee:	nobody → Robie Basak (racb)
Changed in cobbler (Ubuntu Precise):
assignee:	nobody → Robie Basak (racb)

Revision history for this message 👁 Image

Kate Stewart (kate.stewart) wrote on 2011-12-01:

Moving milestone to alpha-2, and starting tracking on this since it missed alpha-1 milestone target.

Changed in cobbler (Ubuntu Precise):
milestone:	precise-alpha-1 → precise-alpha-2

Revision history for this message 👁 Image

Robie Basak (racb) wrote on 2011-12-07:

This bug was fixed in the package cobbler - 2.2.2-0ubuntu1, but evidently got omitted from the changelog entry. I have just verified that CSRF protection in Precise (2.2.2-0ubuntu6) is working correctly.

Still pending: SRU for Oneiric.

Changed in cobbler (Ubuntu Precise):
status:	Triaged → Fix Released

Revision history for this message 👁 Image

Robie Basak (racb) wrote on 2011-12-09:

I've prepared an upload for oneiric-security (lp:~racb/ubuntu/oneiric/cobbler/security_201112) but this still needs review and testing.

Revision history for this message 👁 Image

Tyler Hicks (tyhicks) wrote on 2012-01-03:

Hi Robie - Thanks for the oneiric-security branch! I've reviewed the diff and it looks mostly good. There are a few very minor touch-ups that will be needed to the changelog:

1) Make the patch attribution style in the changelog match the examples here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

2) The last bullet says that the change is to debian/cobbler.postinst, but it is actually to debian/cobbler-web.postinst

Those are very minor and something the security team can do if there are no other changes needed to be made.

However, there is one technical concern that I have with fix for bug 858860. It doesn't seem to do anything for existing cobbler installations. In other words, if you already have a world-readable users.digest, it will stay that way after the package upgrade.

Finally, have you had a chance to do testing in Oneiric? If so, can you provide some details on the testing that was performed?

Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the issues above have been fixed.

Changed in cobbler (Ubuntu Oneiric):
status:	Triaged → Incomplete
tags:	added: patch-needswork

Revision history for this message 👁 Image

Robie Basak (racb) wrote on 2012-01-05:

I have prepared lp:~racb/ubuntu/oneiric/cobbler/858878_security which addresses all of Tyler's points (thanks for the review!). Details of testing to follow.

Revision history for this message 👁 Image

Jamie Strandboge (jdstrand) wrote on 2012-04-23:

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!