
Bug#931028: unblock: fence-agents/4.3.3-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package fence-agents. Valentin Vidic has backported the
fix to address CVE-2019-10153 (#930887):

> fence-agents (4.3.3-2) unstable; urgency=high
> 
>   * fence_rhevm: add patch for CVE-2019-10153 (Closes: #930887)
>     Including non-ASCII characters in a guest VM's comment or other fields
>     would cause fence_rhevm to exit with an exception.
> 
>  -- Valentin Vidic <vvidic@debian.org>  Sun, 23 Jun 2019 19:53:35 +0200

unblock fence-agents/4.3.3-2

Regards,
Salvatore
diff -Nru fence-agents-4.3.3/debian/changelog fence-agents-4.3.3/debian/changelog
--- fence-agents-4.3.3/debian/changelog	2018-12-03 19:32:54.000000000 +0100
+++ fence-agents-4.3.3/debian/changelog	2019-06-23 19:53:35.000000000 +0200
@@ -1,3 +1,11 @@
+fence-agents (4.3.3-2) unstable; urgency=high
+
+  * fence_rhevm: add patch for CVE-2019-10153 (Closes: #930887)
+    Including non-ASCII characters in a guest VM's comment or other fields
+    would cause fence_rhevm to exit with an exception.
+
+ -- Valentin Vidic <vvidic@debian.org>  Sun, 23 Jun 2019 19:53:35 +0200
+
 fence-agents (4.3.3-1) unstable; urgency=medium
 
   * New upstream version 4.3.3
diff -Nru fence-agents-4.3.3/debian/patches/CVE-2019-10153 fence-agents-4.3.3/debian/patches/CVE-2019-10153
--- fence-agents-4.3.3/debian/patches/CVE-2019-10153	1970-01-01 01:00:00.000000000 +0100
+++ fence-agents-4.3.3/debian/patches/CVE-2019-10153	2019-06-23 19:52:19.000000000 +0200
@@ -0,0 +1,34 @@
+Description: fence_rhevm fix for CVE-2019-10153
+ Import upstream security patches.
+Author: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Origin: upstream
+Bug-RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=1716286
+Reviewed-by: Valentin Vidic <vvidic@debian.org>
+Last-Update: 2019-06-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/agents/rhevm/fence_rhevm.py
++++ b/agents/rhevm/fence_rhevm.py
+@@ -88,7 +88,7 @@
+ 	## send command through pycurl
+ 	conn = pycurl.Curl()
+ 	web_buffer = io.BytesIO()
+-	conn.setopt(pycurl.URL, url.encode("ascii"))
++	conn.setopt(pycurl.URL, url.encode("UTF-8"))
+ 	conn.setopt(pycurl.HTTPHEADER, [
+ 		"Version: 3",
+ 		"Content-type: application/xml",
+@@ -128,10 +128,10 @@
+ 
+ 		opt["cookie"] = cookie
+ 
+-	result = web_buffer.getvalue().decode()
++	result = web_buffer.getvalue().decode("UTF-8")
+ 
+-	logging.debug("%s\n", command)
+-	logging.debug("%s\n", result)
++	logging.debug("%s\n", command.encode("UTF-8"))
++	logging.debug("%s\n", result.encode("UTF-8"))
+ 
+ 	return result
+ 
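Review bot: in the second fence_rhevm.py hunk, web_buffer.getvalue().decode("UTF-8") is still a strict decode, so a response body containing bytes that are not valid UTF-8 would raise UnicodeDecodeError and end the agent with an exception, the same failure mode the changelog entry describes; passing an error handler, e.g. decode("UTF-8", "replace"), would keep the agent running on malformed input. In the same hunk the two logging.debug calls now format command.encode("UTF-8") and result.encode("UTF-8") with %s, which under Python 3 logs the bytes repr (b'...' with escaped non-ASCII bytes) rather than the text, and result is re-encoded immediately after being decoded; a line in the patch header explaining why the debug calls take bytes would help the next reviewer.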
diff -Nru fence-agents-4.3.3/debian/patches/series fence-agents-4.3.3/debian/patches/series
--- fence-agents-4.3.3/debian/patches/series	2018-10-18 09:00:43.000000000 +0200
+++ fence-agents-4.3.3/debian/patches/series	2019-06-23 19:47:30.000000000 +0200
@@ -1,3 +1,4 @@
 remove-fence_amt_ws
 disable-network-access
 spelling
+CVE-2019-10153
