Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
in coordination with the security team I'd like to update koji in stretch to
fix two CVEs:
koji (1.10.0-1+deb9u1) stretch; urgency=medium
* Team upload.
* Add patch based on upstream commit bdec8c7399 to fix CVE-2018-1002161, an
SQL injection issue in multiple remote calls. Closes: #922922.
* Add patch based on upstream commit ba7b5a3cbe to fix CVE-2017-1002153, to
properly validate SCM paths. Closes: #877921.
-- Holger Levsen <holger@debian.org> Sat, 31 Aug 2019 20:31:37 +0200
The debdiff is attached and looks like this:
$ debdiff koji_1.10.0-1.dsc koji_1.10.0-1+deb9u1.dsc|diffstat
changelog | 10 +++++
patches/0004-CVE-2017-1002153.patch | 61 ++++++++++++++++++++++++++++++++++
patches/0005-CVE-2018-1002161.patch | 64 ++++++++++++++++++++++++++++++++++++
patches/series | 2 +
4 files changed, 137 insertions(+)
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
diff -Nru koji-1.10.0/debian/changelog koji-1.10.0/debian/changelog
--- koji-1.10.0/debian/changelog 2015-12-04 11:20:58.000000000 +0100
+++ koji-1.10.0/debian/changelog 2019-08-31 20:31:37.000000000 +0200
@@ -1,3 +1,13 @@
+koji (1.10.0-1+deb9u1) stretch; urgency=medium
+
+ * Team upload.
+ * Add patch based on upstream commit bdec8c7399 to fix CVE-2018-1002161, an
+ SQL injection issue in multiple remote calls. Closes: #922922.
+ * Add patch based on upstream commit ba7b5a3cbe to fix CVE-2017-1002153, to
+ properly validate SCM pathes. Closes: #877921.
+
+ -- Holger Levsen <holger@debian.org> Sat, 31 Aug 2019 20:31:37 +0200
+
koji (1.10.0-1) unstable; urgency=medium
[ Marek Marczykowski-Górecki ]
diff -Nru koji-1.10.0/debian/patches/0004-CVE-2017-1002153.patch koji-1.10.0/debian/patches/0004-CVE-2017-1002153.patch
--- koji-1.10.0/debian/patches/0004-CVE-2017-1002153.patch 1970-01-01 01:00:00.000000000 +0100
+++ koji-1.10.0/debian/patches/0004-CVE-2017-1002153.patch 2019-08-31 19:59:44.000000000 +0200
@@ -0,0 +1,61 @@
+From ba7b5a3cbed11ade11c3af5e834c9a6de4f6d7c3 Mon Sep 17 00:00:00 2001
+From: Mike McLean <mikem@redhat.com>
+Date: Sep 19 2017 21:23:50 +0000
+Subject: PR#591: Normalize paths for scms
+
+
+Merges #591
+https://pagure.io/koji/pull-request/591
+
+Fixes #563
+https://pagure.io/koji/issue/563
+
+Fixes CVE-2017-1002153
+
+---
+
+Index: koji/koji/daemon.py
+===================================================================
+--- koji.orig/koji/daemon.py
++++ koji/koji/daemon.py
+@@ -257,22 +257,31 @@ class SCM(object):
+ netloc = userhost[1]
+ elif len(userhost) > 2:
+ raise koji.GenericError, 'Invalid username@hostname specified: %s' % netloc
++ if not netloc:
++ raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the netloc element.' % self.url
+
+- # ensure that path and query do not end in /
+- if path.endswith('/'):
+- path = path[:-1]
+- if query.endswith('/'):
+- query = query[:-1]
++ # check for empty path before we apply normpath
++ if not path:
++ raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the path element.' % self.url
++
++ path = os.path.normpath(path)
++
++ # path and query should not end with /
++ path = path.rstrip('/')
++ query = query.rstrip('/')
++ # normpath might not strip // at start of path
++ if path.startswith('//'):
++ path = '/' + path.strip('/')
++ # path should start with /
++ if not path.startswith('/'): # pragma: no cover
++ # any such url should have already been caught by is_scm_url
++ raise koji.GenericError, 'Invalid SCM URL. Path should begin with /: %s) '
+
+ # check for validity: params should be empty, query may be empty, everything else should be populated
+ if params :
+ raise koji.GenericError, 'Unable to parse SCM URL: %s . Params element %s should be empty.' % (self.url, params)
+ if not scheme :
+ raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the scheme element.' % self.url
+- if not netloc :
+- raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the netloc element.' % self.url
+- if not path :
+- raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the path element.' % self.url
+ if not fragment :
+ raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the fragment element.' % self.url
+
diff -Nru koji-1.10.0/debian/patches/0005-CVE-2018-1002161.patch koji-1.10.0/debian/patches/0005-CVE-2018-1002161.patch
--- koji-1.10.0/debian/patches/0005-CVE-2018-1002161.patch 1970-01-01 01:00:00.000000000 +0100
+++ koji-1.10.0/debian/patches/0005-CVE-2018-1002161.patch 2019-08-31 20:19:44.000000000 +0200
@@ -0,0 +1,64 @@
+From bdec8c7399802c0bc0713f36c4aac02b3a79486a Mon Sep 17 00:00:00 2001
+From: Mike McLean <mikem@redhat.com>
+Date: Feb 21 2019 14:39:54 +0000
+Subject: PR#1274: cve-2018-1002161
+
+
+Merges #1274
+https://pagure.io/koji/pull-request/1274
+
+Fixes: #1183
+https://pagure.io/koji/issue/1183
+fix query parameter processing in multiple calls
+
+---
+
+Index: koji/hub/kojihub.py
+===================================================================
+--- koji.orig/hub/kojihub.py
++++ koji/hub/kojihub.py
+@@ -3709,8 +3709,10 @@ def list_archives(buildID=None, buildroo
+ val = typeInfo[key]
+ if not isinstance(val, (list, tuple)):
+ val = [val]
+- for v in val:
+- clauses.append(r"""%s ~ E'\\m%s\\M'""" % (key, v))
++ for i, v in enumerate(val):
++ pkey = '%s_pattern_%i' % (key, i)
++ values[pkey] = r'\m%s\M' % v
++ clauses.append('%s ~ %%(%s)s' % (key, pkey))
+ elif type == 'image':
+ joins.append('image_archives ON archiveinfo.id = image_archives.archive_id')
+ fields.append(['image_archives.arch', 'arch'])
+@@ -4907,13 +4909,15 @@ def get_archive_type(filename=None, type
+ raise koji.GenericError, 'one of filename, type_name, or type_id must be specified'
+
+ parts = filename.split('.')
+-
++ query = QueryProcessor(
++ tables=['archivetypes'],
++ columns=['id', 'name', 'description', 'extensions'],
++ clauses=['extensions ~* %(pattern)s'],
++ )
+ for start in range(len(parts)-1, -1, -1):
+ ext = '.'.join(parts[start:])
+-
+- select = r"""SELECT id, name, description, extensions FROM archivetypes
+- WHERE extensions ~ E'\\m%s\\M'""" % ext
+- results = _multiRow(select, locals(), ('id', 'name', 'description', 'extensions'))
++ query.values['pattern'] = r'(\s|^)%s(\s|$)' % ext
++ results = query.execute()
+
+ if len(results) == 1:
+ return results[0]
+@@ -9164,8 +9168,8 @@ class RootExports(object):
+ # matching 'ppc64'
+ if not (isinstance(arches, list) or isinstance(arches, tuple)):
+ arches = [arches]
+- archClause = [r"""arches ~ E'\\m%s\\M'""" % arch for arch in arches]
+- clauses.append('(' + ' OR '.join(archClause) + ')')
++ archPattern = r'\m(%s)\M' % '|'.join(arches)
++ clauses.append('arches ~ %(archPattern)s')
+ if channelID != None:
+ joins.append('host_channels on host.id = host_channels.host_id')
+ clauses.append('host_channels.channel_id = %(channelID)i')
diff -Nru koji-1.10.0/debian/patches/series koji-1.10.0/debian/patches/series
--- koji-1.10.0/debian/patches/series 2015-12-03 16:16:35.000000000 +0100
+++ koji-1.10.0/debian/patches/series 2019-08-31 20:31:05.000000000 +0200
@@ -1,3 +1,5 @@
0001-Fail-the-build-when-pkg-config-is-missing.patch
0002-Move-files-from-usr-libexec-to-usr-lib-koji-libexec.patch
0003-Make-kojikamid-executable.patch
+0004-CVE-2017-1002153.patch
+0005-CVE-2018-1002161.patch