
Bug#1000486: buster-pu: package btrbk/0.27.1-1+deb10u2



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for btrbk fixes a regression of CVE-2021-38173 in Buster.

The regression was reported in #996260 [1] and a pointer to the fix was provided. There was at least one report of a now-working version, +deb10u2.

  Thorsten

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996260
diff -Nru btrbk-0.27.1/debian/changelog btrbk-0.27.1/debian/changelog
--- btrbk-0.27.1/debian/changelog	2021-08-29 19:03:02.000000000 +0200
+++ btrbk-0.27.1/debian/changelog	2021-11-23 16:03:02.000000000 +0100
@@ -1,3 +1,11 @@
+btrbk (0.27.1-1+deb10u2) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * regression fix for CVE-2021-38173
+    (Closes: #996260, #996266)
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Tue, 23 Nov 2021 16:03:02 +0100
+
 btrbk (0.27.1-1+deb10u1) buster; urgency=high
 
   * Non-maintainer upload by the LTS Team.
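Review bot: the changelog line "regression fix for CVE-2021-38173" should say what regressed, so that someone triaging a buster upgrade does not have to open the bug: the CVE-2021-38173 hardening of ssh_filter_btrbk.sh applied --restrict-path to "btrfs subvolume show|list", which btrbk also runs against the mount point to build its subvolume tree, so hosts with a tight --restrict-path stopped backing up. The entry also closes #996260 and #996266 while the cover mail cites only #996260; please confirm #996266 is the same regression (or its duplicate) so the second closure is intentional.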
diff -Nru btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch
--- btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch	1970-01-01 01:00:00.000000000 +0100
+++ btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch	2021-11-23 15:52:28.000000000 +0100
@@ -0,0 +1,51 @@
+commit c03e960d9044961fcfbeaa5d5aeb5bcc1bc0cc7a
+Author: Axel Burri <axel@tty0.ch>
+Date:   Tue Nov 19 22:07:37 2019 +0100
+
+    ssh_filter_btrbk.sh: exclude "btrfs subvolume show|list" from restrict-path
+    
+    btrbk requires "btrfs subvolume list|show" queries from the mount
+    point in order to build btrfs trees. This conflicts with tightly set
+    --restrict-path.
+
+Index: btrbk-0.27.1/doc/ssh_filter_btrbk.1.asciidoc
+===================================================================
+--- btrbk-0.27.1.orig/doc/ssh_filter_btrbk.1.asciidoc	2021-11-23 15:52:22.921452288 +0100
++++ btrbk-0.27.1/doc/ssh_filter_btrbk.1.asciidoc	2021-11-23 15:52:22.917452292 +0100
+@@ -34,8 +34,8 @@
+ 
+ The following commands are always allowed:
+ 
+- - "btrfs subvolume show"
+- - "btrfs subvolume list"
++ - "btrfs subvolume show" (not affected by "--restrict-path")
++ - "btrfs subvolume list" (not affected by "--restrict-path")
+  - "readlink"
+  - "cat /proc/self/mountinfo"
+  - pipes through "gzip", "pigz", "bzip2", "pbzip2", "xz", "lzop",
+@@ -79,7 +79,8 @@
+     Allow btrfs receive command: "btrfs receive".
+ 
+ -p, --restrict-path <path>::
+-    Restrict btrfs commands to <path>.
++    Restrict commands to <path>. Note that "btrfs subvolume show",
++    "btrfs subvolume list" are NOT affected by this option.
+ 
+ -l, --log::
+     Log ACCEPT and REJECT messages to the system log.
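Review bot: the added "(not affected by "--restrict-path")" remarks in the command list and under "-p, --restrict-path" state the exception but not its consequence, which is the part an administrator needs: a key holder restricted to <path> can still run "btrfs subvolume show" and "btrfs subvolume list" against any path on the host, so --restrict-path no longer bounds reads of subvolume metadata. Suggest one more sentence after the NOT-affected note, along the lines of "Clients restricted with --restrict-path can therefore still enumerate subvolume metadata outside <path>.", so the manual says what the option does and does not confine.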
+Index: btrbk-0.27.1/ssh_filter_btrbk.sh
+===================================================================
+--- btrbk-0.27.1.orig/ssh_filter_btrbk.sh	2021-11-23 15:52:22.921452288 +0100
++++ btrbk-0.27.1/ssh_filter_btrbk.sh	2021-11-23 15:52:22.921452288 +0100
+@@ -161,8 +161,9 @@
+     shift
+ done
+ 
+-allow_cmd "${sudo_prefix}btrfs subvolume show"; # subvolume queries are always allowed
+-allow_exact_cmd "${sudo_prefix}btrfs subvolume list ${file_match}"; # subvolume queries are always allowed
++# NOTE: subvolume queries no NOT affected by "--restrict-path":
++# btrbk also calls show/list on the mount point of the subvolume
++allow_exact_cmd "${sudo_prefix}btrfs subvolume (show|list)( ${option_match})* ${file_match}";
+ allow_cmd "${sudo_prefix}readlink"              # used to resolve mountpoints
+ allow_exact_cmd "cat /proc/self/mountinfo"      # used to resolve mountpoints
+ allow_exact_cmd "cat /proc/self/mounts"         # legacy, for btrbk < 0.27.0
diff -Nru btrbk-0.27.1/debian/patches/series btrbk-0.27.1/debian/patches/series
--- btrbk-0.27.1/debian/patches/series	2021-08-29 19:03:02.000000000 +0200
+++ btrbk-0.27.1/debian/patches/series	2021-11-23 15:52:21.000000000 +0100
@@ -1 +1,2 @@
 CVE-2021-38173.patch
+CVE-2021-38173-regression.patch
