Your message dated Sat, 11 Dec 2021 17:32:07 +0000
with message-id <[email protected]>
and subject line Bug#996266: fixed in btrbk 0.27.1-1.1+deb11u2
has caused the Debian Bug report #996266,
regarding btrbk: Patch for CVE-2021-38173 breaks standard btrbk backup
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
996266: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996266
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: btrbk
Version: 0.27.1-1+deb10u1
Severity: important
Dear Maintainer,
Starting with version 0.27.1-1+deb10u1 ssh_filter_btrbk.sh rejects commands
issued via ssh by btrbk of the same version on a remote host:
root@off-site ~ # /usr/sbin/btrbk --progress archive on-site.example.com:/mnt/backup/dc /mnt/backup/on-site.example.com/dc
ERROR: ssh_filter_btrbk.sh: ssh command rejected: disallowed command: sudo -n btrfs subvolume list -a -c -u -q -R /mnt/backup
ERROR: Failed to fetch subvolume detail for 'on-site.example.com:/mnt/backup/dc'
Downgrading to 0.27.1-1 restores the expected functionality. A subsequent
diff unsurprisingly shows that the only meaningful difference is the
patch[1] for CVE-2021-38173 introduced by 0.27.1-1+deb10u1.
According to `man 1 ssh_filter_btrbk` listing subvolumes is always allowed
and not restricted. Without any of the parameters set by btrbk itself this
actually still works:
root@off-site ~ # ssh -l btrbk -i /etc/btrbk/ssh/id_ed25519 on-site.example.com sudo -n btrfs subvolume list /mnt/backup
ID 19675 gen 66861 top level 1057 path some/subvolume
[...]
But any parameter after `list` causes the command to be rejected:
root@off-site ~ # ssh -l btrbk -i /etc/btrbk/ssh/id_ed25519 on-site.example.com sudo -n btrfs subvolume list -a /mnt/backup
ERROR: ssh_filter_btrbk.sh: ssh command rejected: disallowed command: sudo -n btrfs subvolume list -a /mnt/backup
In my opinion the patch is breaking core functionality. The only
"work-around" besides downgrading is not using `ssh_filter_btrbk.sh` which
is probably worse than the fixed vulnerability. Newer upstream versions of
btrbk provide a revised version of the affected script. Please advise.
Kind Regards
Leonhard Preis
[1] https://sources.debian.org/patches/btrbk/0.27.1-1+deb10u1/CVE-2021-38173.patch/
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-18-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages btrbk depends on:
ii btrfs-progs [btrfs-tools] 4.20.1-2
ii perl 5.28.1-6+deb10u1
Versions of packages btrbk recommends:
ii mbuffer 20190127+ds1-1
ii openssh-client 1:7.9p1-10+deb10u2
ii pv 1.6.6-1
Versions of packages btrbk suggests:
ii openssl 1.1.1d-0+deb10u7
ii python3 3.7.3-1
-- no debconf information
--- End Message ---
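An added illustration of the regression described in the report above; this is not the Debian patch and not upstream ssh_filter_btrbk.sh. The two allowlist patterns and the check_cmd helper are hypothetical, but they mirror how a forced-command wrapper works: sshd places the client's command line in SSH_ORIGINAL_COMMAND and the wrapper accepts it only if it matches an allowlist. The over-strict pattern rejects exactly the `subvolume list -a -c -u -q -R` command btrbk sends, while the corrected one admits that option set and still rejects unknown subcommands and shell metacharacters.

```shell
# Hypothetical over-strict allowlist (the regression): only
# "btrfs subvolume list <path>" with no options is accepted, so the
# command btrbk itself issues, "list -a -c -u -q -R <path>", is rejected.
STRICT_LIST_RE='^(sudo -n )?btrfs subvolume list /[^ ]*$'

# Hypothetical corrected allowlist: a fixed set of single-letter options
# that btrbk uses with "subvolume list", each preceded by a space, followed
# by exactly one absolute path. Extra words, other subcommands and shell
# metacharacters in the path still fail to match.
FIXED_LIST_RE='^(sudo -n )?btrfs subvolume list( -[acuqR])* /[^ ;|&$]*$'

# check_cmd REGEX CMD: return 0 when CMD matches the allowlist, 1 otherwise.
# Mirrors the wrapper's decision for the value of SSH_ORIGINAL_COMMAND.
check_cmd() {
    if printf '%s\n' "$2" | grep -Eq "$1"; then
        return 0
    fi
    return 1
}

# verdict LABEL REGEX CMD: print the wrapper-style outcome for one command.
verdict() {
    if check_cmd "$2" "$3"; then
        printf '%s: allowed : %s\n' "$1" "$3"
    else
        printf '%s: ssh command rejected: disallowed command: %s\n' "$1" "$3"
    fi
}

# Constructed sample commands; the second is the one quoted in the report.
for cmd in 'sudo -n btrfs subvolume list /mnt/backup' \
           'sudo -n btrfs subvolume list -a -c -u -q -R /mnt/backup' \
           'sudo -n btrfs subvolume list -a /mnt/backup; id' \
           'sudo -n btrfs subvolume delete /mnt/backup'; do
    verdict strict "$STRICT_LIST_RE" "$cmd"
    verdict fixed  "$FIXED_LIST_RE"  "$cmd"
done
```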
--- Begin Message ---
Source: btrbk
Source-Version: 0.27.1-1.1+deb11u2
Done: Thorsten Alteholz <[email protected]>
We believe that the bug you reported is fixed in the latest version of
btrbk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated btrbk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 23 Nov 2021 20:03:02 +0100
Source: btrbk
Architecture: source
Version: 0.27.1-1.1+deb11u2
Distribution: bullseye
Urgency: high
Maintainer: Axel Burri <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Closes: 996260 996266
Changes:
btrbk (0.27.1-1.1+deb11u2) bullseye; urgency=high
.
* Non-maintainer upload by the LTS Team.
* regression fix for CVE-2021-38173
(Closes: #996260, #996266)
--- End Message ---