[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#986014: marked as done (buster-pu: package crmsh/4.0.0~git20190108.3d56538-3+deb10u1)

Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #986014,
regarding buster-pu: package crmsh/4.0.0~git20190108.3d56538-3+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
986014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986014
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

This update contains the fix for CVE-2020-35459 - privilege escalation
for Hawk webserver using crmsh bug. Since Debian does not ship Hawk,
security team agreed that the fix for crmsh can go through stable
updates.


diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/changelog crmsh-4.0.0~git20190108.3d56538/debian/changelog
--- crmsh-4.0.0~git20190108.3d56538/debian/changelog	2019-01-20 10:59:14.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/changelog	2021-03-27 19:07:26.000000000 +0100
@@ -1,3 +1,9 @@
+crmsh (4.0.0~git20190108.3d56538-3+deb10u1) buster; urgency=medium
+
+  * d/patches: include fix for CVE-2020-35459 (Closes: #985376)
+
+ -- Valentin Vidic <vvidic@debian.org>  Sat, 27 Mar 2021 19:07:26 +0100
+
 crmsh (4.0.0~git20190108.3d56538-3) unstable; urgency=medium
 
   * d/tests: disable regression tests for now
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch
--- crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch	1970-01-01 01:00:00.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch	2021-03-27 19:05:37.000000000 +0100
@@ -0,0 +1,95 @@
+>From 1a4ed641835c6b6d45b2480c7ff2227e0611fe9d Mon Sep 17 00:00:00 2001
+From: liangxin1300 <XLiang@suse.com>
+Date: Fri, 18 Dec 2020 13:16:14 +0800
+Subject: [PATCH] Fix: history: use Path.mkdir instead of mkdir
+ command(bsc#1179999)
+
+And check if the directory name was sane
+---
+ crmsh/history.py | 10 ++++++----
+ crmsh/utils.py   | 14 ++++++++------
+ 2 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/crmsh/history.py
++++ b/crmsh/history.py
+@@ -465,6 +465,8 @@
+             return None
+ 
+         d = self._live_loc()
++        if not utils.is_path_sane(d):
++            return None
+         utils.rmdir_r(d)
+         tarball = "%s.tar.bz2" % d
+         to_option = ""
+@@ -473,8 +475,7 @@
+         nodes_option = ""
+         if self.setnodes:
+             nodes_option = "'-n %s'" % ' '.join(self.setnodes)
+-        if utils.pipe_cmd_nosudo("mkdir -p %s" % os.path.dirname(d)) != 0:
+-            return None
++        utils.mkdirp(os.path.dirname(d))
+         common_info("Retrieving information from cluster nodes, please wait...")
+         rc = utils.pipe_cmd_nosudo("%s -Z -Q -f '%s' %s %s %s %s" %
+                                    (extcmd,
+@@ -981,6 +982,8 @@
+ 
+     def manage_session(self, subcmd, name):
+         session_dir = self.get_session_dir(name)
++        if not utils.is_path_sane(session_dir):
++            return False
+         if subcmd == "save" and os.path.exists(session_dir):
+             common_err("history session %s exists" % name)
+             return False
+@@ -988,8 +991,7 @@
+             common_err("history session %s does not exist" % name)
+             return False
+         if subcmd == "save":
+-            if utils.pipe_cmd_nosudo("mkdir -p %s" % session_dir) != 0:
+-                return False
++            utils.mkdirp(session_dir)
+             if self.source == "live":
+                 rc = utils.pipe_cmd_nosudo("tar -C '%s' -c . | tar -C '%s' -x" %
+                                            (self._live_loc(), session_dir))
+--- a/crmsh/utils.py
++++ b/crmsh/utils.py
+@@ -15,6 +15,7 @@
+ import fnmatch
+ import gc
+ import ipaddress
++from pathlib import Path
+ from contextlib import contextmanager
+ from . import config
+ from . import userdir
+@@ -657,14 +658,14 @@
+ 
+ 
+ def is_path_sane(name):
+-    if re.search(r"['`#*?$\[\]]", name):
++    if re.search(r"['`#*?$\[\];]", name):
+         common_err("%s: bad path" % name)
+         return False
+     return True
+ 
+ 
+ def is_filename_sane(name):
+-    if re.search(r"['`/#*?$\[\]]", name):
++    if re.search(r"['`/#*?$\[\];]", name):
+         common_err("%s: bad filename" % name)
+         return False
+     return True
+@@ -793,10 +794,11 @@
+             rmdir_r(os.path.join(lockdir, _LOCKDIR))
+ 
+ 
+-def mkdirp(d, mode=0o777):
+-    if os.path.isdir(d):
+-        return True
+-    os.makedirs(d, mode=mode)
++def mkdirp(directory, mode=0o777, parents=True, exist_ok=True):
++    """
++    Same behavior as the POSIX mkdir -p command
++    """
++    Path(directory).mkdir(mode, parents, exist_ok)
+ 
+ 
+ def pipe_cmd_nosudo(cmd):
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/patches/series crmsh-4.0.0~git20190108.3d56538/debian/patches/series
--- crmsh-4.0.0~git20190108.3d56538/debian/patches/series	2019-01-19 14:56:34.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/patches/series	2021-03-27 19:02:25.000000000 +0100
@@ -9,3 +9,4 @@
 0013-Fix-cluster-bootstrap.patch
 0014-Fix-cluster-stop-start.patch
 0015-Fix-testsuite-errors.patch
+CVE-2020-35459.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
Reply to: