--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package crmsh/4.0.0~git20190108.3d56538-3+deb10u1
- From: Valentin Vidic <vvidic@debian.org>
- Date: Sat, 27 Mar 2021 22:18:19 +0100
- Message-id: <161687989934.29649.2556567431908208695.reportbug@cube.valentin-vidic.from.hr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
This update contains the fix for CVE-2020-35459 - privilege escalation
for Hawk webserver using crmsh bug. Since Debian does not ship Hawk,
security team agreed that the fix for crmsh can go through stable
updates.
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/changelog crmsh-4.0.0~git20190108.3d56538/debian/changelog
--- crmsh-4.0.0~git20190108.3d56538/debian/changelog 2019-01-20 10:59:14.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/changelog 2021-03-27 19:07:26.000000000 +0100
@@ -1,3 +1,9 @@
+crmsh (4.0.0~git20190108.3d56538-3+deb10u1) buster; urgency=medium
+
+ * d/patches: include fix for CVE-2020-35459 (Closes: #985376)
+
+ -- Valentin Vidic <vvidic@debian.org> Sat, 27 Mar 2021 19:07:26 +0100
+
crmsh (4.0.0~git20190108.3d56538-3) unstable; urgency=medium
* d/tests: disable regression tests for now
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch
--- crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch 1970-01-01 01:00:00.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch 2021-03-27 19:05:37.000000000 +0100
@@ -0,0 +1,95 @@
+>From 1a4ed641835c6b6d45b2480c7ff2227e0611fe9d Mon Sep 17 00:00:00 2001
+From: liangxin1300 <XLiang@suse.com>
+Date: Fri, 18 Dec 2020 13:16:14 +0800
+Subject: [PATCH] Fix: history: use Path.mkdir instead of mkdir
+ command(bsc#1179999)
+
+And check if the directory name was sane
+---
+ crmsh/history.py | 10 ++++++----
+ crmsh/utils.py | 14 ++++++++------
+ 2 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/crmsh/history.py
++++ b/crmsh/history.py
+@@ -465,6 +465,8 @@
+ return None
+
+ d = self._live_loc()
++ if not utils.is_path_sane(d):
++ return None
+ utils.rmdir_r(d)
+ tarball = "%s.tar.bz2" % d
+ to_option = ""
+@@ -473,8 +475,7 @@
+ nodes_option = ""
+ if self.setnodes:
+ nodes_option = "'-n %s'" % ' '.join(self.setnodes)
+- if utils.pipe_cmd_nosudo("mkdir -p %s" % os.path.dirname(d)) != 0:
+- return None
++ utils.mkdirp(os.path.dirname(d))
+ common_info("Retrieving information from cluster nodes, please wait...")
+ rc = utils.pipe_cmd_nosudo("%s -Z -Q -f '%s' %s %s %s %s" %
+ (extcmd,
+@@ -981,6 +982,8 @@
+
+ def manage_session(self, subcmd, name):
+ session_dir = self.get_session_dir(name)
++ if not utils.is_path_sane(session_dir):
++ return False
+ if subcmd == "save" and os.path.exists(session_dir):
+ common_err("history session %s exists" % name)
+ return False
+@@ -988,8 +991,7 @@
+ common_err("history session %s does not exist" % name)
+ return False
+ if subcmd == "save":
+- if utils.pipe_cmd_nosudo("mkdir -p %s" % session_dir) != 0:
+- return False
++ utils.mkdirp(session_dir)
+ if self.source == "live":
+ rc = utils.pipe_cmd_nosudo("tar -C '%s' -c . | tar -C '%s' -x" %
+ (self._live_loc(), session_dir))
+--- a/crmsh/utils.py
++++ b/crmsh/utils.py
+@@ -15,6 +15,7 @@
+ import fnmatch
+ import gc
+ import ipaddress
++from pathlib import Path
+ from contextlib import contextmanager
+ from . import config
+ from . import userdir
+@@ -657,14 +658,14 @@
+
+
+ def is_path_sane(name):
+- if re.search(r"['`#*?$\[\]]", name):
++ if re.search(r"['`#*?$\[\];]", name):
+ common_err("%s: bad path" % name)
+ return False
+ return True
+
+
+ def is_filename_sane(name):
+- if re.search(r"['`/#*?$\[\]]", name):
++ if re.search(r"['`/#*?$\[\];]", name):
+ common_err("%s: bad filename" % name)
+ return False
+ return True
+@@ -793,10 +794,11 @@
+ rmdir_r(os.path.join(lockdir, _LOCKDIR))
+
+
+-def mkdirp(d, mode=0o777):
+- if os.path.isdir(d):
+- return True
+- os.makedirs(d, mode=mode)
++def mkdirp(directory, mode=0o777, parents=True, exist_ok=True):
++ """
++ Same behavior as the POSIX mkdir -p command
++ """
++ Path(directory).mkdir(mode, parents, exist_ok)
+
+
+ def pipe_cmd_nosudo(cmd):
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/patches/series crmsh-4.0.0~git20190108.3d56538/debian/patches/series
--- crmsh-4.0.0~git20190108.3d56538/debian/patches/series 2019-01-19 14:56:34.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/patches/series 2021-03-27 19:02:25.000000000 +0100
@@ -9,3 +9,4 @@
0013-Fix-cluster-bootstrap.patch
0014-Fix-cluster-stop-start.patch
0015-Fix-testsuite-errors.patch
+CVE-2020-35459.patch
--- End Message ---