Bug 1146789

Summary: AUDIT-FIND: resource-agents: eval with unsanitized values in heartbeat/db
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Peter Varkoly <varkoly>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P5 - None
CC: dakechi, filippo.bonazzi, gianluca.gabrielli, jsegitz, nwang, rfrohl, stoyan.manolov, varkoly
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/240860/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1021689

Description Johannes Segitz 2019-08-22 08:54:52 UTC
resource-agents-4.3.018.a7fb5035/heartbeat/db2

    output=$(runasdb2 db2 get db cfg for $db)
    [ $? != 0 ] && return $OCF_ERR_GENERIC

    hadr_vars=$(echo "$output" |
        awk '/HADR database role/ {printf "HADR_ROLE='%s'; ", $NF;}
            /HADR_TIMEOUT/ {printf "HADR_TIMEOUT='%s'; ", $NF;}
            /First active log file/ {printf "FIRST_ACTIVE_LOG='%s'\n", $NF;}
            /HADR_PEER_WINDOW/ {printf "HADR_PEER_WINDOW='%s'\n", $NF;}')


    # sets HADR_ROLE HADR_TIMEOUT HADR_PEER_WINDOW
    eval $hadr_vars

I played around with it a bit, but I don't have a clue about DB2. So I'm not sure if you can get characters in here that are problematic, but better sanitize than be sorry.
Comment 1 Peter Varkoly 2020-03-26 10:07:40 UTC
I analyzed the possible output values and found nothing dangerous:
https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.cmd.doc/doc/r0001954.html
Comment 2 Peter Varkoly 2020-03-26 10:09:42 UTC
Sorry for closing. I wanted to ask if you would agree if I closed the ticket with "worksforme".
Comment 3 Johannes Segitz 2020-03-26 13:03:55 UTC
(In reply to Peter Varkoly from comment #2)
I would prefer just removing the eval. Something like
HADR_ROLE=$(echo "$output" | awk '/HADR database role/ {print $NF}')
(repeat for other values) should do the trick
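Added example (not resource-agents project code): the eval-based parsing from the description beside an eval-free rewrite along the lines of comment 3, with a type check on each value. The DB2 output is constructed; MARKER, cfg_last_field and both parse_* function names are assumptions.

```shell
# Both inputs are constructed to resemble "db2 get db cfg for <db>" output;
# HOSTILE_CFG carries a deliberately malformed peer-window value.
SAMPLE_CFG='HADR database role                                      = PRIMARY
HADR timeout value                       (HADR_TIMEOUT) = 120
First active log file                                   = S0000012.LOG
HADR peer window duration (seconds)  (HADR_PEER_WINDOW) = 0'
HOSTILE_CFG="${SAMPLE_CFG%= 0}= 0;MARKER=hit"   # same text, hostile last value

# Agent-style parsing: awk emits shell assignments and eval runs them. (In the
# agent the '%s' quotes sit inside a single-quoted awk program, so the shell
# consumes them and eval sees unquoted assignments, exactly as here.)
parse_hadr_eval() {
    hadr_vars=$(printf '%s\n' "$1" |
        awk '/HADR database role/ {printf "HADR_ROLE=%s; ", $NF}
             /HADR_TIMEOUT/ {printf "HADR_TIMEOUT=%s; ", $NF}
             /First active log file/ {printf "FIRST_ACTIVE_LOG=%s\n", $NF}
             /HADR_PEER_WINDOW/ {printf "HADR_PEER_WINDOW=%s\n", $NF}')
    eval $hadr_vars
}

# Print the last field of the first line matching a pattern; the value is
# data only and is never handed to the shell parser.
cfg_last_field() {
    printf '%s\n' "$2" | awk -v pat="$1" '$0 ~ pat { print $NF; exit }'
}

# Rewrite without eval: plain assignments, then a shape check, since these
# settings are only ever a role keyword and two integers (seconds).
parse_hadr_noeval() {
    HADR_ROLE=$(cfg_last_field 'HADR database role' "$1")
    HADR_TIMEOUT=$(cfg_last_field 'HADR_TIMEOUT' "$1")
    FIRST_ACTIVE_LOG=$(cfg_last_field 'First active log file' "$1")
    HADR_PEER_WINDOW=$(cfg_last_field 'HADR_PEER_WINDOW' "$1")
    case $HADR_ROLE in ''|*[!A-Z_]*) return 1 ;; esac
    for v in "$HADR_TIMEOUT" "$HADR_PEER_WINDOW"; do
        case $v in ''|*[!0-9]*) return 1 ;; esac
    done
    return 0
}

parse_hadr_noeval "$SAMPLE_CFG" && echo "role=$HADR_ROLE timeout=$HADR_TIMEOUT"
```

With the hostile input the eval version defines MARKER in the calling shell, while the eval-free version stores the whole string as an inert value and then rejects it as a non-integer.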
Comment 6 Swamp Workflow Management 2020-04-23 19:37:02 UTC
SUSE-SU-2020:1092-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146776,1146784,1146785,1146787,1146789,1161898
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 12-SP3 (src):    resource-agents-4.0.1+git.1495055229.643177f1-2.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-04-23 19:38:53 UTC
SUSE-SU-2020:1091-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787,1146789
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 12-SP5 (src):    resource-agents-4.3.018.a7fb5035-3.42.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    resource-agents-4.3.018.a7fb5035-3.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Marcus Meissner 2021-01-21 07:12:54 UTC
seems unfixed then
Comment 10 Marcus Meissner 2021-01-21 07:31:50 UTC
Peter, can you clarify where it is fixed and where not?
Comment 11 Peter Varkoly 2021-02-15 15:14:42 UTC
Discussed with upstream and there is no reason to change this script.
Comment 12 Gianluca Gabrielli 2021-04-16 08:08:47 UTC
Hi Peter,

This issue is still mentioned in SUSE:SLE-12-SP3:Update/resource-agents/resource-agents.changes:26, but no fix is provided.

As you said, I can see that upstream is not fixing this [0]. Could you please create and maintain a patch to enforce this from our side? As Johannes pointed out a long time ago, eval could pose a security risk.


[0] https://github.com/ClusterLabs/resource-agents/blob/a0e622d3b1e84833b2d60094abe4818df031d8a8/heartbeat/db2#L323-L331
Comment 13 Johannes Segitz 2021-07-09 07:21:02 UTC
Please have a look here or ping us if you need further guidance. Thanks
Comment 14 Robert Frohl 2021-10-21 14:45:08 UTC
(In reply to Johannes Segitz from comment #13)
> Please have a look here or ping us if you need further guidance. Thanks

Also seems to be missing for SLE-15-SP1.
Comment 16 Gianluca Gabrielli 2022-02-15 07:55:30 UTC
Hi Peter,

I don't want to bore you, but there are a couple of things that need to be clarified here:

 - If there is a bug that we consider a security risk and no patch is available, then the maintainer needs to write and maintain a patch for all the affected SUSE products. In this case the patch is trivial.
 - There still are two packages with the wrong changes file:
   - SUSE:SLE-12-SP3:Update/resource-agents/resource-agents.changes:36
   - SUSE:SLE-12-SP3:Update/resource-agents/.osc/resource-agents.changes:36
   these need to be fixed.
 - Security BZ issues should not be closed by the maintainer, instead reassigned back to security-team@suse.de. This way we can double-check released updates and close the BZ issue only when all the affected packages are fixed. So, please do not close this (or any security related) issue again.

I reviewed the currently supported 'resource-agents' packages and the following are all affected by this issue:
 - SUSE:SLE-11-SP4:Update/resource-agents
 - SUSE:SLE-12-SP2:Update/resource-agents
 - SUSE:SLE-12-SP3:Update/resource-agents
 - SUSE:SLE-12-SP4:Update/resource-agents
 - SUSE:SLE-15:Update/resource-agents
 - SUSE:SLE-15-SP1:Update/resource-agents
 - SUSE:SLE-15-SP2:Update/resource-agents
 - SUSE:SLE-15-SP3:Update/resource-agents
 - SUSE:SLE-15-SP4:Update/resource-agents

Please write and submit a patch to all of them and fix the two above-mentioned changes files accordingly. If you need any help or guidance, please reach out to Johannes, who already offered his help in comment 13.
Comment 17 Peter Varkoly 2022-02-15 12:53:03 UTC
I'll ask upstream again.
Comment 18 Filippo Bonazzi 2022-12-12 11:13:38 UTC
Is this fixed? Can this be closed?
Comment 19 Peter Varkoly 2023-01-24 14:19:11 UTC
I've created a pull request with the suggested solution:
https://github.com/ClusterLabs/resource-agents/pull/1838
Comment 21 Filippo Bonazzi 2023-01-24 14:29:33 UTC
Thank you Peter, that looks to me like the best solution - we don't have to maintain a patch and we contribute an improvement (however minor) upstream.

I'll wait for the PR to be merged upstream and the update to be submitted in OBS before closing this bug.
Comment 22 Filippo Bonazzi 2023-01-25 14:47:08 UTC
PR#1838 was submitted as part of SR#1060932 currently in Staging.
Comment 24 Filippo Bonazzi 2023-01-26 17:34:41 UTC
Improved upstream script (PR#1838) has now been accepted into Factory (SR#1060963) and SLE-15-SP5 (SR#288876).
Comment 25 Filippo Bonazzi 2023-01-27 08:39:54 UTC
Given this is only a hardening, we're happy with the solution being offered in Factory and SLE 15 SP5. There is no need to provide a patch for older SLEs at this time.
I am going to close this and the parent bugs. Thank you Peter for all the work.