Bug#913801: stretch-pu: package mistral/3.0.0-4 CVE-2018-16849: std.ssh action may disclose presence of arbitrary files
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
The security team doesn't wish to do a DSA for this CVE, and asked me to
deal with it with the release team. Here's the CVE description:
CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
applied upstream patch: remove extra information from std.ssh action.
(Closes: #912714).
Debdiff is attached. Please allow me to upload the fix to Stretch.
Cheers,
Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog
index b2ce8602..06234034 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+mistral (3.0.0-4+deb9u1) stretch-security; urgency=medium
+
+ * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
+ applied upstream patch: remove extra information from std.ssh action.
+ (Closes: #912714).
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 05 Nov 2018 14:38:44 +0100
+
mistral (3.0.0-4) unstable; urgency=medium
* Add allow-sqla-1.1.patch to allow SQLA transition.
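Review bot: the new entry at the top of this hunk targets `stretch-security`, but the cover letter says the security team declined a DSA and the fix is going through the release team as a stretch-pu; a proposed-update upload normally targets the `stretch` distribution, so the first line should read `mistral (3.0.0-4+deb9u1) stretch; urgency=medium` before upload. The `+deb9u1` version suffix itself is the right shape for a stable update.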
diff --git a/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch b/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
new file mode 100644
index 00000000..af601bbf
--- /dev/null
+++ b/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
@@ -0,0 +1,29 @@
+Description: CVE-2018-16849: Remove extra information from std.ssh action
+ The ssh error message can lead to information leak.
+ Removing the extra ssh message effects only the CLI call,
+ the full message is still being logged
+Author: apetrich <petrich@gmail.com>
+Date: Mon, 3 Sep 2018 14:00:22 +0200
+Change-Id: I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6
+Bug-Ubuntu: https://launchpad.net/bugs/1783708
+Bug-Debian: https://bugs.debian.org/912714
+Origin: upstream, https://review.openstack.org/601214
+Last-Update: 2018-11-05
+
+Index: mistral/mistral/actions/std_actions.py
+===================================================================
+--- mistral.orig/mistral/actions/std_actions.py
++++ mistral/mistral/actions/std_actions.py
+@@ -358,8 +358,11 @@ class SSHAction(base.Action):
+ def raise_exc(parent_exc=None):
+ message = ("Failed to execute ssh cmd "
+ "'%s' on %s" % (self.cmd, self.host))
++ # We suppress the actual parent error messages in favor of
++ # more generic ones as we might be leaking information to the CLI
+ if parent_exc:
+- message += "\nException: %s" % str(parent_exc)
++ # The full error message needs to be logged regardless
++ LOG.exception(message + " Exception: %s", str(parent_exc))
+ raise exc.ActionException(message)
+
+ try:
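Review bot: in the new `LOG.exception(message + " Exception: %s", str(parent_exc))` line, the already-interpolated `message` (which embeds `self.cmd` and `self.host`) becomes part of the logging format string, so a command containing a literal `%` would fail to format and be reported through logging's error handler instead of being written to the log, which defeats the stated goal that "the full message is still being logged"; passing everything as arguments, e.g. `LOG.exception("%s Exception: %s", message, parent_exc)`, avoids that. Since the Origin field says this is what upstream merged, carrying it unchanged in the backport is defensible, but it is worth raising upstream. Two DEP-3 nits in the header: "effects only the CLI call" in the Description should read "affects", and there is no `Applied-Upstream:` field recording which upstream release contains Change-Id I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6.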
diff --git a/debian/patches/series b/debian/patches/series
index 7f9d7ed2..5017dfe7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
allow-sqla-1.1.patch
+CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch