Further information will be provided as soon as this bug has been marked private.
All right, this bug is private by now, so here we go:
Someone published an exploit on May 14th, 2021 for running arbitrary commands as "nobody" on fully patched IPFire machines by manipulating package names provided to Pakfire for installation. The exploit requires valid admin credentials to the web interface.
Apparently, the author of this tried to get in touch with us via Twitter: https://twitter.com/0x00deadbeef/status/1393984652503920641
Stefan provided a workaround for this: https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=d06b0ef16f08c663acaa9725206650893fc1cd74
That makes injecting commands via Pakfire calls impossible, however, a more elegant solution would be to rewrite the Pakfire CGI towards not accepting input not recognised as being a package name.
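An added illustration of the allowlist approach suggested above: it is not IPFire's code (the real CGI is Perl), and the allowed character set, the helper path and the constructed sample inputs are assumptions made for the example.

```python
import re

# Assumed helper path; the real CGI would call Pakfire's own binary.
PAKFIRE_BIN = "/path/to/pakfire"  # placeholder, not IPFire's actual path

# Conservative allowlist (assumption): a package name is 1..64 characters,
# lowercase letters, digits, '-', '_' or '+', and starts with an alphanumeric.
# Everything else, including any shell metacharacter, is rejected outright.
PACKAGE_NAME_RE = re.compile(r"\A[a-z0-9][a-z0-9_+-]{0,63}\Z")


class InvalidPackageName(ValueError):
    """Raised when a submitted value is not recognised as a package name."""


def is_valid_package_name(name):
    """True only if the value matches the allowlist pattern exactly."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def validate_package_names(raw_field):
    """Split a whitespace-separated form field into package names.

    The whole request is rejected if any single entry fails the allowlist,
    so the caller never has to reason about a partially validated list.
    """
    names = raw_field.split()
    if not names:
        raise InvalidPackageName("no package names supplied")
    for name in names:
        if not is_valid_package_name(name):
            raise InvalidPackageName(f"rejected package name: {name!r}")
    return names


def build_pakfire_argv(raw_field, action="install"):
    """Return the command as an argv list, never as a shell string.

    Passing a list to subprocess (no shell=True) means each name is one
    argument, so even a loosened allowlist could not turn into injection.
    """
    if action not in ("install", "remove"):
        raise ValueError(f"unsupported action: {action!r}")
    return [PAKFIRE_BIN, action, *validate_package_names(raw_field)]


if __name__ == "__main__":
    # Constructed inputs: one well-formed, one carrying a shell separator.
    print(build_pakfire_argv("bind tor"))
    for bad in ("bind;id", "$(id)", "Bind"):
        print(bad, "->", is_valid_package_name(bad))
```

The returned list is meant for `subprocess.run(argv)` without `shell=True`; the validation and the list-form invocation are two independent layers, and the CGI should keep both.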
In https://twitter.com/0x00deadbeef/status/1393984652503920641, that person claims: "@ipfire from bobody [sic] to root!!"
At least to me, the meaning of this is unclear. The screenshot attached to this tweet only shows the output of "id", executed as "root".
The root exploit chain has now been reported by the author in #12619.
Well, there we are. So much for responsible disclosure. :-/
@Michael: Do you plan to merge https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=d06b0ef16f08c663acaa9725206650893fc1cd74 into Core Update 157 as well?
This vulnerability won't be fixed in upcoming Core Update 157, as almost all of our CGI files are vulnerable, and we need a bit more time to fix them all.
Core Update 158 will contain these changes.
The changes have now been merged into next, scheduled to be released with Core Update 158. Thanks to everyone who helped to work on it.
We will need to double-check all of them so that we can be certain they won't break anything.