Unescaped shell command vulnerabilities

Bug #844743 reported by Julian Taylor
Affects          Status        Importance  Assigned to  Milestone
bcfg2 (Debian)   Fix Released  Unknown
bcfg2 (Ubuntu)   Fix Released  High        Unassigned
  Hardy          Fix Released  High        Unassigned
  Lucid          Fix Released  High        Unassigned
  Maverick       Fix Released  High        Unassigned
  Natty          Fix Released  High        Unassigned
  Oneiric        Fix Released  High        Unassigned

Bug Description

imported from debian bug 640028:

All released stable versions of the bcfg2-server contain several cases
where data from the client is used in a shell command without properly
escaping it first. The 1.2 prerelease series has been fixed.

At least the SSHbase plugin has been confirmed as being exploitable.
This is a remote root hole, which requires that the SSHbase plugin is
enabled and that the attacker has control of a bcfg2 client machine.

See
https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1d89eef7
for the original security fix, and
https://github.com/solj/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53
for the backport to the 1.1 series.

--
Arto Jantunen
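
The bug class described above, as an added example that is not part of the bug report or of bcfg2's source: a server-side routine formats a client-supplied name into a shell command string. The command layout is an assumption (a harmless `echo` stands in for the real key-generation tool), the client names are constructed, and none of this is the SSHbase plugin's code. The vulnerable form is shown beside the fix the report points at (an argv list, no shell), plus the two checks a reviewer would ask for: quoting when a shell cannot be avoided, and validating the client name against hostname syntax before it reaches any command.

```python
"""Client-controlled data in a shell command (added example, not bcfg2 code).

The command layout and client names below are assumptions for illustration;
`echo` replaces the real key-generation tool so the code runs harmlessly.
"""
import re
import shlex
import subprocess

# Constructed inputs: a benign client name and one carrying a second command.
BENIGN_CLIENT = "web01.example.com"
HOSTILE_CLIENT = "web01.example.com; echo INJECTED; #"

# Stand-in for the key-generation command (assumed shape; the client name
# lands in the key comment after -C).
TEMPLATE = 'echo keygen -q -f %s -N "" -t %s -C root@%s < /dev/null'


def _run_shell(cmd):
    """Hand a command string to /bin/sh and return the lines it printed."""
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def vulnerable_run(keyfile, keytype, client):
    """The vulnerable pattern: format the client name into a string, then
    let a shell parse it. A ';' in `client` starts a second command."""
    return _run_shell(TEMPLATE % (keyfile, keytype, client))


def safe_run(keyfile, keytype, client):
    """The fix: pass an argv list and no shell. Nothing re-parses the
    client name, so it is one inert argument however it is spelled."""
    argv = ["echo", "keygen", "-q", "-f", keyfile, "-N", "", "-t", keytype,
            "-C", "root@" + client]
    out = subprocess.run(argv, stdin=subprocess.DEVNULL,
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def quoted_command(keyfile, keytype, client):
    """If a shell is unavoidable (redirections, pipes), quote every
    interpolated value with shlex.quote before formatting."""
    return TEMPLATE % tuple(shlex.quote(v) for v in (keyfile, keytype, client))


def quoted_run(keyfile, keytype, client):
    """Run the quoted form through the shell; it prints one line."""
    return _run_shell(quoted_command(keyfile, keytype, client))


# Defence in depth: the server knows what a client name may look like, so
# reject anything outside RFC 1123 hostname syntax before it is used at all.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
CLIENT_NAME_RE = re.compile(r"^(?=.{1,253}$)" + _LABEL + r"(?:\." + _LABEL + r")*$",
                            re.IGNORECASE)


def valid_client_name(client):
    """True only for a syntactically valid hostname (no shell metacharacters)."""
    return CLIENT_NAME_RE.match(client) is not None


if __name__ == "__main__":
    for name in (BENIGN_CLIENT, HOSTILE_CLIENT):
        print("client:     ", repr(name), "valid:", valid_client_name(name))
        print("vulnerable: ", vulnerable_run("/tmp/k", "rsa", name))
        print("argv list:  ", safe_run("/tmp/k", "rsa", name))
        print("quoted:     ", quoted_run("/tmp/k", "rsa", name))
```

With the hostile name the vulnerable form prints a second line, `INJECTED`, because `/bin/sh` ran it as its own command; both the argv-list form and the quoted form print a single line in which the whole name sits inside the `-C` comment. The hostname check belongs in front of all three: a client's own name is attacker-controlled once the client host is compromised, which is exactly the precondition the report states.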

Changed in bcfg2 (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Changed in bcfg2 (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
Changed in bcfg2 (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → High
Changed in bcfg2 (Ubuntu Natty):
status: New → Triaged
importance: Undecided → High
Changed in bcfg2 (Ubuntu Oneiric):
status: Confirmed → Triaged
Changed in bcfg2 (Ubuntu Hardy):
status: New → Triaged
importance: Undecided → High
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in bcfg2 (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bcfg2 - 1.1.2-2ubuntu1

---------------
bcfg2 (1.1.2-2ubuntu1) oneiric; urgency=low

  * Merge upstream bugfix only release 1.1.2.
  * Also fixes CVE 2011-3211 (LP: #844743)

  * Merge from debian unstable. Remaining changes:
    - Added patches:
      + Add NagiosGen patch to support "parents" in Nagios
      + Add BackupPCGen plugin by Revolution Linux (off by default).
      + Make ssh_known_hosts base64 to avoid timeouts (SSHGen).
    - Recommends: Move graphviz to Suggests (avoid libX11 on a server).
    - Suggests: Move genshi and cheetah to Recommends (for templating).

bcfg2 (1.1.2-2) unstable; urgency=high

  * Urgency=high due to security fix
  * Apply patch from Torsten Rehn to honor BCFG2_SERVER_OPTIONS in the
    server init script (Closes: #634875)
  * Remove deprecated Breaks: ${python:Breaks}
  * Add dependency on patch to bcfg2-server, the Cfg plugin needs it
    (Closes: #638826)
  * Build-Depend on python-all instead of just python
  * Refresh patches to match what current gbp-pq generates
  * Apply patch from Chris St. Pierre to fix security issues caused by
    unescaped shell commands (Closes: #640028)

bcfg2 (1.1.2-1) unstable; urgency=low

  * New upstream version 1.1.2
  * Patches 0004 and 0005 included upstream, remove them
  * Update Standards-Version to 3.9.2.0, no changes
 -- Stephane Graber <email address hidden> Thu, 08 Sep 2011 09:38:14 -0400

Changed in bcfg2 (Ubuntu Oneiric):
status: Triaged → Fix Released
Stéphane Graber (stgraber) wrote :

Uploaded the bugfix (and merged 1.1.2) in Oneiric.

Had a quick look at the merge proposals from jtaylor. They all look good so should be ready for upload to -security.

Jamie Strandboge (jdstrand) wrote :

Julian, thanks for the patches!

Hardy: ACK

With Lucid - Natty, there are a few problems though:
 * Lucid and Maverick have the same version, which is not allowed for upgrade reasons. Lucid should have 0.9.6-0ubuntu2.1.10.04.1 and Maverick should have 0.9.6-0ubuntu2.1.10.10.1
 * Lucid and Maverick use the dpatch patch system, but your patches are inline. These need to be converted to dpatch.
 * Natty's patch is named 0004-Backported-unescaped-shell-command-fixes-from-master.patch but in the series file it comes after 0005-0007. It should be named 0008-Backported-unescaped-shell-command-fixes-from-master.patch
 * Natty's changelog should reference this git commit: https://github.com/fabaff/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53
 * The natty patch does not remove 'self.AddEntry(hostkey)' and 'self.AddEntry(".".join([hostkey.split('.')[0]]+['pub', "H_%s" % client]))', but upstream's does. This seems harmless just looking at the patch, but I wonder why you did that.

I verified the Lucid and Maverick patches against Debian's (i.e. and our Hardy version), but have not tested them.

In the interest of time due to the severity of this vulnerability, I have made these changes and uploaded to the security PPA.

Jamie Strandboge (jdstrand) wrote :

Unassigning ubuntu-security-sponsors

Changed in bcfg2 (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in bcfg2 (Ubuntu Maverick):
status: Triaged → Fix Committed
Changed in bcfg2 (Ubuntu Natty):
status: Triaged → Fix Committed
Changed in bcfg2 (Ubuntu Hardy):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bcfg2 - 1.1.1-2ubuntu1.2

---------------
bcfg2 (1.1.1-2ubuntu1.2) natty-security; urgency=high

  * SECURITY UPDATE: missing input sanitization allowing execution
    of arbitrary commands (LP: #844743)
    - patch: 0008-Backported-unescaped-shell-command-fixes-from-master.patch
      backported from upstream by Chris St. Pierre
    - https://github.com/fabaff/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53
    - CVE-2011-3211
 -- Julian Taylor <email address hidden> Thu, 08 Sep 2011 14:53:11 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bcfg2 - 0.9.6-0ubuntu2.1.10.10.1

---------------
bcfg2 (0.9.6-0ubuntu2.1.10.10.1) maverick-security; urgency=high

  * SECURITY UPDATE: missing input sanitization allowing execution
    of arbitrary commands (LP: #844743)
    - backported from upstream by Chris St. Pierre
    - https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1
    - CVE-2011-3211
 -- Julian Taylor <email address hidden> Thu, 08 Sep 2011 15:17:00 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bcfg2 - 0.9.6-0ubuntu2.1.10.04.1

---------------
bcfg2 (0.9.6-0ubuntu2.1.10.04.1) lucid-security; urgency=high

  * SECURITY UPDATE: missing input sanitization allowing execution
    of arbitrary commands (LP: #844743)
    - backported fix from upstream by Chris St. Pierre
    - https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1
    - CVE-2011-3211
 -- Julian Taylor <email address hidden> Thu, 08 Sep 2011 15:17:00 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bcfg2 - 0.9.5.7-1ubuntu0.1

---------------
bcfg2 (0.9.5.7-1ubuntu0.1) hardy-security; urgency=high

  * SECURITY UPDATE: missing input sanitization allowing execution
    of arbitrary commands (LP: #844743)
    - backported fix from upstream by Chris St. Pierre
    - https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1
    - CVE-2011-3211
 -- Julian Taylor <email address hidden> Thu, 08 Sep 2011 15:27:29 +0200

Changed in bcfg2 (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in bcfg2 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in bcfg2 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in bcfg2 (Ubuntu Natty):
status: Fix Committed → Fix Released