
Bug#774146: marked as done (pre-approval: unblock: lsyncd/2.1.5-2)



Your message dated Mon, 29 Dec 2014 17:55:57 +0000
with message-id <20141229175557.GB15483@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#774146: pre-approval: unblock: lsyncd/2.1.5-2
has caused the Debian Bug report #774146,
regarding pre-approval: unblock: lsyncd/2.1.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774146: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774146
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

unblock lsyncd/2.1.5-2

Dear release team,

I prepared a new lsyncd version that fixes a security issue (#767227,
CVE-2014-8990). I attach the debdiff for the new version to this report.
Please tell me whether I should upload the package to unstable.


Best regards
Jan Dittberner

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
https://portfolio.debian.net/ - https://people.debian.org/~jandd/
diff -Nru lsyncd-2.1.5/debian/changelog lsyncd-2.1.5/debian/changelog
--- lsyncd-2.1.5/debian/changelog	2013-06-22 23:15:08.000000000 +0200
+++ lsyncd-2.1.5/debian/changelog	2014-12-29 11:37:06.000000000 +0100
@@ -1,3 +1,11 @@
+lsyncd (2.1.5-2) unstable; urgency=high
+
+  * fix security issue CVE-2014-8990 that allows code execution via shell
+    characters in file names and denial of service scenarios by applying
+    debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227)
+
+ -- Jan Dittberner <jandd@debian.org>  Mon, 29 Dec 2014 11:36:43 +0100
+
 lsyncd (2.1.5-1) unstable; urgency=low
 
   * New upstream version (Closes: #707328).
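Review bot: the changelog entry does not say where the fix lands; the attached patch only quotes the `mv` and `rm -rf` arguments in the Move handler of `default-rsyncssh.lua`, so a reader cannot tell from the changelog that the other sync layers are untouched. Consider naming the file in the entry, e.g. "by single-quoting the mv/rm arguments built in default-rsyncssh.lua". `urgency=high` and `Closes: #767227` are appropriate for a security fix.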
diff -Nru lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch
--- lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch	1970-01-01 01:00:00.000000000 +0100
+++ lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch	2014-12-29 11:37:06.000000000 +0100
@@ -0,0 +1,39 @@
+Author: Ángel González <angel@16bits.net>
+Bug: https://github.com/axkibe/lsyncd/issues/220
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
+Subject: Properly sanitize mv parameters (CVE-2014-8990)
+ Sanitize mv arguments:
+ .
+ 1. Fixes crashes on file names containing `, $ or "
+ 2. Also prevents shell execution of ``, $() … in file names, which can be
+    used to gain remote shell access as lsyncd's (target) user.
+--- a/default-rsyncssh.lua
++++ b/default-rsyncssh.lua
+@@ -74,6 +74,11 @@
+ 	-- makes move local on target host
+ 	-- if the move fails, it deletes the source
+ 	if event.etype == 'Move' then
++		local path1 = config.targetdir .. event.path
++		local path2 = config.targetdir .. event2.path
++		path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
++		path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
++
+ 		log('Normal', 'Moving ',event.path,' -> ',event2.path)
+ 
+ 		spawn(
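Review bot: the quoting introduced at the four `path1`/`path2` lines is the correct POSIX sh form: wrap the whole argument in single quotes and turn each embedded `'` into `'"'"'`, which, unlike the double quotes the old code used, stops the remote shell from expanding backticks, `$(...)` and `$var` inside a file name. Two caveats worth a comment in the patch header: the scheme assumes the login shell on `config.host` is Bourne-compatible (csh-family shells quote differently), and `gsub` returns two values, which is harmless here only because the call sits in the middle of a `..` expression and is therefore truncated to its first result.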
+@@ -82,10 +87,12 @@
+ 			config.ssh._computed,
+ 			config.host,
+ 			'mv',
+-			'\"' .. config.targetdir .. event.path .. '\"',
+-			'\"' .. config.targetdir .. event2.path .. '\"',
++			path1,
++			path2
+ 			'||', 'rm', '-rf',
+-			'\"' .. config.targetdir .. event.path .. '\"')
++			path1
++		)
++
+ 		return
+ 	end
+ 
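Review bot: the `++			path2` line is missing the trailing comma that the replaced `'\"' .. config.targetdir .. event2.path .. '\"',` line had. Lua parses an expression followed by a string literal as a call, so `path2 '||'` becomes `path2('||')` and every Move event will fail at runtime with "attempt to call a string value" before `spawn` runs. Change the line to `path2,`. The rest of the argument list (`'||', 'rm', '-rf', path1`) is correct and reuses the quoted `path1` for the fallback delete.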
diff -Nru lsyncd-2.1.5/debian/patches/series lsyncd-2.1.5/debian/patches/series
--- lsyncd-2.1.5/debian/patches/series	2013-06-22 23:15:08.000000000 +0200
+++ lsyncd-2.1.5/debian/patches/series	2014-12-29 11:37:06.000000000 +0100
@@ -1 +1,2 @@
+fix-CVE-2014-8990-shell-escapes.patch
 dont_install_lua_as_docs.patch


--- End Message ---
--- Begin Message ---
On Mon, Dec 29, 2014 at 12:23:48PM +0100, Jan Dittberner wrote:
> I prepared a new lsyncd version that fixes a security issue (#767227,
> CVE-2014-8990). I attach the debdiff for the new version to this report.
> Please tell me whether I should upload the package to unstable.

Seems to be already uploaded; unblocked.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51


--- End Message ---