
Bug#993899: bullseye-pu: package btrbk/0.27.1-1.1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for btrbk fixes CVE-2021-38173 in Bullseye.

This CVE is marked as no-dsa by the security team.

The same patch was already uploaded to unstable with version 0.27.1-2.

  Thorsten
diff -Nru btrbk-0.27.1/debian/changelog btrbk-0.27.1/debian/changelog
--- btrbk-0.27.1/debian/changelog	2021-01-03 13:57:08.000000000 +0100
+++ btrbk-0.27.1/debian/changelog	2021-08-29 19:03:02.000000000 +0200
@@ -1,3 +1,12 @@
+btrbk (0.27.1-1.1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2021-38173
+    fixes a security vulnerability which would have allowed for an
+    arbitrary code execution
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sun, 29 Aug 2021 19:03:02 +0200
+
 btrbk (0.27.1-1.1) unstable; urgency=medium
 
   * Non maintainer upload by the Reproducible Builds team.
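Review bot: the changelog entry at `+  * CVE-2021-38173` only says that a vulnerability allowing arbitrary code execution was fixed; for a stable update it helps to name the affected component and the upstream fix, e.g. `* CVE-2021-38173: fix alternation regex in ssh_filter_btrbk.sh so the ^ and $ anchors apply to every allowed command (upstream commit 58212de)`. The sentence is also missing a trailing period, unlike the other entries.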
diff -Nru btrbk-0.27.1/debian/patches/CVE-2021-38173.patch btrbk-0.27.1/debian/patches/CVE-2021-38173.patch
--- btrbk-0.27.1/debian/patches/CVE-2021-38173.patch	1970-01-01 01:00:00.000000000 +0100
+++ btrbk-0.27.1/debian/patches/CVE-2021-38173.patch	2021-08-29 19:03:02.000000000 +0200
@@ -0,0 +1,32 @@
+From 58212de771c381cd4fa05625927080bf264e9584 Mon Sep 17 00:00:00 2001
+From: Axel Burri <axel@tty0.ch>
+Date: Sun, 21 Mar 2021 12:53:22 +0100
+Subject: [PATCH] ssh_filter_btrbk.sh: fix alternation regex
+
+Security vulnerability fixed in alternation regex. Specialy crafted
+commands may be executed without being propely checked.
+
+Affects all versions >= btrbk-v0.23.0
+
+Regression from:
+
+   ccb5ed5e71 ssh_filter_btrbk: allow "realpath" and "cat /proc/self/mounts" on targets
+
+Reported by: @protree (responsible disclosure)
+---
+ ssh_filter_btrbk.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: btrbk-0.27.1/ssh_filter_btrbk.sh
+===================================================================
+--- btrbk-0.27.1.orig/ssh_filter_btrbk.sh	2021-08-30 15:04:39.595339393 +0200
++++ btrbk-0.27.1/ssh_filter_btrbk.sh	2021-08-30 15:04:39.591339393 +0200
+@@ -87,7 +87,7 @@
+         return 0
+     fi
+ 
+-    exact_cmd_match="^${allow_exact_list}$";
++    exact_cmd_match="^(${allow_exact_list})$";
+     if [[ $SSH_ORIGINAL_COMMAND =~ $exact_cmd_match ]] ; then
+         return 0
+     fi
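Review bot: the one-line change is the right fix and is worth spelling out in the changelog. With `${allow_exact_list}` holding an alternation such as `cmd1|cmd2|cmd3`, the old pattern `^${allow_exact_list}$` expands to `^cmd1|cmd2|cmd3$`, so only the first alternative is anchored at the start of the line and only the last at the end; any `SSH_ORIGINAL_COMMAND` that merely contains a middle alternative as a substring passes the "exact" check. Wrapping the list as `^(${allow_exact_list})$` makes both anchors apply to every alternative. Since the hunk touches only `exact_cmd_match`, it is worth confirming in the full `ssh_filter_btrbk.sh` that no other pattern is built from a list the same way, and the `Index:`/`---`/`+++` lines carry local 2021-08-30 timestamps rather than upstream paths, which is harmless but could be tidied.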
diff -Nru btrbk-0.27.1/debian/patches/series btrbk-0.27.1/debian/patches/series
--- btrbk-0.27.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ btrbk-0.27.1/debian/patches/series	2021-08-29 19:03:02.000000000 +0200
@@ -0,0 +1 @@
+CVE-2021-38173.patch
