
Bug#774146: pre-approval: unblock: lsyncd/2.1.5-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

unblock lsyncd/2.1.5-2

Dear release team,

I prepared a new lsyncd version that fixes a security issue (#767227,
CVE-2014-8990). I attach the debdiff for the new version to this report.
Please tell me whether I should upload the package to unstable.


Best regards
Jan Dittberner

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
https://portfolio.debian.net/ - https://people.debian.org/~jandd/
diff -Nru lsyncd-2.1.5/debian/changelog lsyncd-2.1.5/debian/changelog
--- lsyncd-2.1.5/debian/changelog	2013-06-22 23:15:08.000000000 +0200
+++ lsyncd-2.1.5/debian/changelog	2014-12-29 11:37:06.000000000 +0100
@@ -1,3 +1,11 @@
+lsyncd (2.1.5-2) unstable; urgency=high
+
+  * fix security issue CVE-2014-8990 that allows code execution via shell
+    characters in file names and denial of service scenarios by applying
+    debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227)
+
+ -- Jan Dittberner <jandd@debian.org>  Mon, 29 Dec 2014 11:36:43 +0100
+
 lsyncd (2.1.5-1) unstable; urgency=low
 
   * New upstream version (Closes: #707328).
diff -Nru lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch
--- lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch	1970-01-01 01:00:00.000000000 +0100
+++ lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch	2014-12-29 11:37:06.000000000 +0100
@@ -0,0 +1,39 @@
+Author: Ángel González <angel@16bits.net>
+Bug: https://github.com/axkibe/lsyncd/issues/220
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
+Subject: Properly sanitize mv parameters (CVE-2014-8990)
+ Sanitize mv arguments:
+ .
+ 1. Fixes crashes on file names containing `, $ or "
+ 2. Also prevents shell execution of ``, $() … in file names, which can be
+    used to gain remote shell access as lsyncd's (target) user.
+--- a/default-rsyncssh.lua
++++ b/default-rsyncssh.lua
+@@ -74,6 +74,11 @@
+ 	-- makes move local on target host
+ 	-- if the move fails, it deletes the source
+ 	if event.etype == 'Move' then
++		local path1 = config.targetdir .. event.path
++		local path2 = config.targetdir .. event2.path
++		path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
++		path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
++
+ 		log('Normal', 'Moving ',event.path,' -> ',event2.path)
+ 
+ 		spawn(
+@@ -82,10 +87,12 @@
+ 			config.ssh._computed,
+ 			config.host,
+ 			'mv',
+-			'\"' .. config.targetdir .. event.path .. '\"',
+-			'\"' .. config.targetdir .. event2.path .. '\"',
++			path1,
++			path2
+ 			'||', 'rm', '-rf',
+-			'\"' .. config.targetdir .. event.path .. '\"')
++			path1
++		)
++
+ 		return
+ 	end
+ 
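Review bot: the second Lua hunk drops the trailing comma after `path2` on the line before `'||', 'rm', '-rf',`. Lua parses `path2 '||'` as a function call with a string argument, so the file still loads, but every Move event then raises a runtime error (attempt to call a string value) before spawn() ever runs mv; the line should read `path2,`. The quoting itself is the right approach: wrapping each path in single quotes and rewriting every embedded `'` as `'"'"'` via gsub is the standard POSIX way to pass an arbitrary filename through the remote shell unchanged, and doing it on the already-concatenated `config.targetdir .. event.path` covers the target directory prefix as well. Two smaller points: the `|| rm -rf` fallback is kept, so a failed remote mv still deletes the quoted source path on the target, which the patch header could state explicitly; and since the hunks come from upstream issue #220, a DEP-3 `Origin:` or `Forwarded:` field would make that provenance visible next to the existing `Bug:` line.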
diff -Nru lsyncd-2.1.5/debian/patches/series lsyncd-2.1.5/debian/patches/series
--- lsyncd-2.1.5/debian/patches/series	2013-06-22 23:15:08.000000000 +0200
+++ lsyncd-2.1.5/debian/patches/series	2014-12-29 11:37:06.000000000 +0100
@@ -1 +1,2 @@
+fix-CVE-2014-8990-shell-escapes.patch
 dont_install_lua_as_docs.patch
