
use of HTTP to download sensitive files CVE-2014-8174

Open · ghost opened this issue 9 years ago · 1 comment

Found in a past security audit, agreed with Tristan to make public and file issues here.

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1202972

edeploy uses HTTP to download a large number of sensitive files which can lead to code execution:

./ansible/edeploy-install.yml: value=http://{{ ansible_default_ipv4["address"] }}/
./build/base.install: echo "Acquire { Retries "0"; HTTP { Proxy "http://${HTTP_PROXY}"; }; };" >> "$target/etc/apt/apt.conf.d/01proxy"
./build/base.install: curl -o ${target}/tmp/tar.deb http://ftp.debian.org/debian/pool/main/t/tar/tar_1.27.1-1~bpo70+1_${ARCH:=amd64}.deb
./build/base.install: echo "deb http://security.ubuntu.com/ubuntu $dist-security main universe multiverse" >> ${target}/etc/apt/sources.list
./build/base.install: echo "deb http://security.debian.org/ $dist/updates main" > ${target}/etc/apt/sources.list.d/updates.list
./build/base.install: wget -O - http://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install: echo "deb http://hwraid.le-vert.net/debian ${dist} main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install: wget -O - http://hwraid.le-vert.net/ubuntu/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install: echo "deb http://hwraid.le-vert.net/ubuntu precise main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install: wget -O - http://hwraid.le-vert.net/ubuntu/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install: echo "deb http://hwraid.le-vert.net/ubuntu ${dist} main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install: wget --no-verbose http://downloads.linux.hp.com/SDR/downloads/MCP/pool/non-free/$package_name -O $target/../../$package_name
./build/base.install: http://downloads.linux.hp.com/SDR/downloads/ServicePackforProLiant/2013.02.0/hp/swpackages/hpacucli-9.40-12.0.x86_64.rpm
./build/base.install: do_chroot $dir rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey1024.pub
./build/base.install: do_chroot $dir rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey2048.pub
./build/base.install:baseurl=http://downloads.linux.hp.com/repo/spp/rhel/$CODENAME_MAJOR.$CODENAME_MINOR/x86_64/current
./build/common: wget --no-verbose http://us.archive.ubuntu.com/ubuntu/ubuntu/pool/universe/libm/libmlx4/$LIBMLX
./build/health-check.install: PACKAGES="$PACKAGES numpy http://pkgs.repoforge.org/netperf/netperf-2.6.0-1.el6.rf.x86_64.rpm"
./build/health-check.install: PACKAGES="$PACKAGES python-psutil http://pkgs.repoforge.org/fio/fio-2.1.7-1.el6.rf.x86_64.rpm http://pkgs.repoforge.org/lshw/lshw-2.17-1.el6.rf.x86_64.rpm"
./build/health-check.install: PACKAGES="$PACKAGES http://pkgs.repoforge.org/fio/fio-2.1.7-1.el7.rf.x86_64.rpm http://pkgs.repoforge.org/lshw/lshw-2.17-1.el7.rf.x86_64.rpm"
./build/init: curl -s -S -o/configure -F section=${SECTION} -F file=@/hw.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py &
./build/init: give_up "Curl exited as failed ($RET_CODE). Cannot get a configuration from http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py'"
./build/init: log "Transferring files from http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy..."
./build/init: curl -s -S http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy | gzip -d | tar x --xattrs --selinux -C $d || give_up "Unable to download http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy"
./build/init.common: curl http://169.254.169.254/2009-04-04/user-data -fso /user-data -m 5 --retry 10 --retry-delay 2
./build/init.common: curl -s -S -o/log.stats -F section=${SECTION} -F file=@/${log_file} http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py || :
./build/init.common: curl -s -S -F section=${SECTION} -F failure=$PROFILE -F file=@/hw.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py
./build/init.health:curl -s -S $SESSION_CURL -F file=@/health.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload-health.py &
./build/init.health: log "Curl exited as failed ($RET_CODE). Cannot get a configuration from http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload-health.py'"
./build/pxe.install: PACKAGES="$PACKAGES http://pkgs.repoforge.org/lshw/lshw-2.17-1.el6.rf.x86_64.rpm"
./build/repositories: echo "http://http.debian.net/debian"
./build/repositories: echo "http://archive.ubuntu.com/ubuntu"
./build/repositories: echo "http://mirror.centos.org/centos/6.5/os/x86_64/Packages/centos-release-6-5.el6.centos.11.1.x86_64.rpm"
./build/repositories: echo "http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-0.1406.el7.centos.2.3.x86_64.rpm"
./build/repositories: wget "http://dev.centos.org/centos/6/SCL/scl.repo" -O $dir/etc/yum.repos.d/scl.repo
Binary file ./build/sources/lshw matches
./server/edeploy.conf:PXEMNGRURL=http://192.168.122.1:8000/
./server/upload-health.py:$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
./server/upload.py:$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
./setup.cfg:home-page = http://www.enovance.com/
./src/sample_dmesg: Command line: BOOT_IMAGE=vmlinuz initrd=http://10.101.14.14/health.pxe DEBUG=1 SERV=10.101.14.14 HSERV=10.101.14.14 UPLOAD_LOG=1 IP=all:dhcp SESSION=smoke NONETWORKTEST=1 ONSUCCESS=console ONFAILURE=console |pci=bfsort|
./src/sample_dmesg: Kernel command line: BOOT_IMAGE=vmlinuz initrd=http://10.101.14.14/health.pxe DEBUG=1 SERV=10.101.14.14 HSERV=10.101.14.14 UPLOAD_LOG=1 IP=all:dhcp SESSION=smoke NONETWORKTEST=1 ONSUCCESS=console ONFAILURE=console |pci=bfsort|

ghost, Mar 17 '15 23:03
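The grep output in the report lists every http:// URL in the tree but not what the script does with the bytes it receives, and that is what decides whether a man-in-the-middle gets code execution or only a copy of the hardware inventory. The script below is an added example, not edeploy code: it takes grep-style `path: source` lines and classifies each one by the most dangerous sink it feeds (an initrd fetched by the boot loader, a tarball piped into `tar x`, a key handed to `apt-key add` or `rpm --import`, a package, a repository stanza, a response saved to disk, or a multipart upload) and attaches the remediation a reviewer would ask for. The sink patterns, category names and remediation text are my assumptions; the sample input is a constructed subset of the lines quoted in the issue.

```python
#!/usr/bin/env python3
"""Triage plain-HTTP fetches in shell build scripts by the sink the response feeds.

Added example, not part of edeploy. Sink patterns and categories are assumptions;
the sample input is a constructed subset of the grep lines quoted in the issue.
"""
import re
from collections import Counter
from dataclasses import dataclass

HTTP_URL = re.compile(r'http://[^\s"\'|&;)]+')

# Sinks in decreasing severity; the first pattern that matches a line wins.
# (category, regex applied to the script text after the "path:" prefix, remediation)
SINKS = [
    ("boots-image", re.compile(r'initrd=http://'),
     "the boot loader runs this initrd; serve it over HTTPS or sign and verify it"),
    ("extracts-or-executes",
     re.compile(r'\|\s*(?:gzip\s+-d\s*\|\s*)?tar\s+x|\|\s*(?:ba)?sh\b'),
     "download to a file over HTTPS and check a signature or pinned sha256 before tar x"),
    ("imports-signing-key", re.compile(r'apt-key\s+add|rpm\s+--import'),
     "ship the key inside the image; a key fetched over HTTP voids repository signing"),
    ("installs-package", re.compile(r'PACKAGES=|\.(?:deb|rpm)(?:\b|$)'),
     "pin a sha256 for packages fetched outside a signed repository"),
    ("configures-repo", re.compile(r'\bdeb\s+http://|baseurl=|\.repo\b'),
     "use HTTPS mirrors and make sure the repo key was not also fetched over HTTP"),
    ("writes-response-to-disk", re.compile(r'\s-[a-zA-Z]*[oO]\s*\S'),
     "treat the saved file as untrusted until its origin and integrity are verified"),
    ("uploads-data", re.compile(r'\s-F\s+\S+=@'),
     "switch to HTTPS; hardware inventory and logs cross the network in clear text"),
]
UNCLASSIFIED = ("unclassified", None, "no known sink matched; read the surrounding script")
SEVERITY = {cat: rank for rank, (cat, _, _) in enumerate(SINKS + [UNCLASSIFIED])}


@dataclass
class Finding:
    path: str
    category: str
    urls: list
    remediation: str


def triage_line(line: str):
    """Classify one grep-style 'path: source' line; None if it carries no http:// URL."""
    urls = HTTP_URL.findall(line)
    if not urls:
        return None
    path, _, body = line.partition(":")  # grep prefix ends at the first colon
    for category, pattern, remediation in SINKS:
        if pattern.search(body):
            return Finding(path, category, urls, remediation)
    return Finding(path, UNCLASSIFIED[0], urls, UNCLASSIFIED[2])


def triage(grep_output: str):
    """Findings for every matching line, most severe first (stable within a category)."""
    findings = [f for f in map(triage_line, grep_output.splitlines()) if f]
    return sorted(findings, key=lambda f: SEVERITY[f.category])


def summarize(findings):
    """Count findings per category."""
    return Counter(f.category for f in findings)


# Constructed sample: a subset of the grep lines quoted in the issue.
SAMPLE = """\
./build/base.install: wget -O - http://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install: echo "deb http://hwraid.le-vert.net/debian ${dist} main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install: do_chroot $dir rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey2048.pub
./build/base.install: curl -o ${target}/tmp/tar.deb http://ftp.debian.org/debian/pool/main/t/tar/tar_1.27.1-1~bpo70+1_${ARCH:=amd64}.deb
./build/health-check.install: PACKAGES="$PACKAGES numpy http://pkgs.repoforge.org/netperf/netperf-2.6.0-1.el6.rf.x86_64.rpm"
./build/init: curl -s -S -o/configure -F section=${SECTION} -F file=@/hw.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py &
./build/init: log "Transferring files from http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy..."
./build/init: curl -s -S http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy | gzip -d | tar x --xattrs --selinux -C $d || give_up "Unable to download http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy"
./build/init.common: curl -s -S -F section=${SECTION} -F failure=$PROFILE -F file=@/hw.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py
./build/repositories: echo "http://http.debian.net/debian"
Binary file ./build/sources/lshw matches
./src/sample_dmesg: Command line: BOOT_IMAGE=vmlinuz initrd=http://10.101.14.14/health.pxe DEBUG=1 SERV=10.101.14.14
"""

if __name__ == "__main__":
    results = triage(SAMPLE)
    for f in results:
        print(f"{f.category:24} {f.path:32} {f.urls[0]}")
        print(f"{'':24} fix: {f.remediation}")
    print(dict(summarize(results)))
```

The ordering matters for a fix plan: the role tarball piped straight into `tar x` and the initrd on the kernel command line are the lines to change first, the key imports next (an HTTPS mirror buys nothing if the key that authenticates it arrived in clear text), and the uploads last. A line that ends up `unclassified` is not safe, only unparsed; the `log` and `echo` lines in the report are URL strings whose real consumer is elsewhere in the script.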

Was this issue ever addressed? Note that it appears CVE-2014-8174 was assigned to this issue.

NicoleG25, Jan 09 '20 13:01