Bug#858427: unblock: pcs/0.9.155+dfsg-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package pcs
This upload fixes CVE-2017-2661 (cross-site scripting in the pcsd web UI),
reported in #858379, by applying the upstream patch.
diff -Nru pcs-0.9.155+dfsg/debian/changelog pcs-0.9.155+dfsg/debian/changelog
--- pcs-0.9.155+dfsg/debian/changelog 2017-01-13 13:50:46.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/changelog 2017-03-21 20:37:55.000000000 +0100
@@ -1,3 +1,9 @@
+pcs (0.9.155+dfsg-2) unstable; urgency=medium
+
+ * Add upstream fix for CVE-2017-2661 (Closes: #858379)
+
+ -- Valentin Vidic <Valentin.Vidic@CARNet.hr> Tue, 21 Mar 2017 20:37:55 +0100
+
pcs (0.9.155+dfsg-1) unstable; urgency=medium
* Repack upstream source without Liberation fonts (Closes: #851115)
diff -Nru pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch
--- pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch 2017-03-21 20:37:55.000000000 +0100
@@ -0,0 +1,41 @@
+From: Ondrej Mular <omular@redhat.com>
+Date: Sat, 4 Mar 2017 14:01:43 +0100
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1428948
+Subject: [PATCH] web UI: fixed XSS vulnerability
+
+---
+ pcsd/public/js/nodes-ember.js | 4 ++--
+ pcsd/public/js/pcsd.js | 2 +-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/pcsd/public/js/nodes-ember.js
++++ b/pcsd/public/js/nodes-ember.js
+@@ -75,7 +75,7 @@
+ var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
+ $.each(this.get("sbd_config"), function(opt, val) {
+ if (banned_options.indexOf(opt) == -1) {
+- out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
++ out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) + '</td></tr>\n';
+ }
+ });
+ return out + '</table>';
+@@ -879,7 +879,7 @@
+ }.property("status_val"),
+ show_status: function() {
+ return '<span style="' + this.get('status_style') + '">'
+- + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
++ + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+ + '</span>';
+ }.property("status_style", "disabled"),
+ status_class: function() {
+--- a/pcsd/public/js/pcsd.js
++++ b/pcsd/public/js/pcsd.js
+@@ -822,7 +822,7 @@
+
+ dialog_obj.find('#auth_nodes_list').empty();
+ unauth_nodes.forEach(function(node) {
+- dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node + '</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
++ dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node) + '-pass"></td></tr>\n');
+ });
+
+ }
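Review bot: Two of the three patched sites put the encoded value inside an HTML attribute rather than a text node — `htmlEncode(node)` feeds `name="…-pass"` on the last pcsd.js line, and `status_style` on the `show_status` line directly before the newly encoded `status` is still concatenated raw into `style="…"` — so the fix is only complete if `htmlEncode` also escapes `"` (and preferably `'`), not just `&`, `<` and `>`; its definition is not part of this patch and should be confirmed. `status_style` is derived from `status_val` per the `.property("status_val")` line and may well be internal, but if it can carry node-supplied text it needs the same treatment, e.g. `'<span style="' + htmlEncode(this.get('status_style')) + '">'`. The nested diffstat reads `3 files changed, 7 insertions(+), 3 deletions(-)` while only two file sections with three changed lines follow, which suggests a third file (presumably a test) was dropped when the upstream commit was extracted; a line in the patch header saying so would help later backports. The enclosing functions in nodes-ember.js and pcsd.js start outside these hunks.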
diff -Nru pcs-0.9.155+dfsg/debian/patches/series pcs-0.9.155+dfsg/debian/patches/series
--- pcs-0.9.155+dfsg/debian/patches/series 2017-01-13 13:50:46.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/patches/series 2017-03-21 20:37:55.000000000 +0100
@@ -9,3 +9,4 @@
0009-Fix-testsuite.patch
0010-Replace-chkconfig.patch
0011-Fix-python-lxml.patch
+0012-CVE-2017-2661.patch
unblock pcs/0.9.155+dfsg-2
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)