Your message dated Fri, 24 Dec 2021 15:47:19 +0000
with message-id <[email protected]>
and subject line Bug#996266: fixed in btrbk 0.27.1-1+deb10u2
has caused the Debian Bug report #996266,
regarding btrbk: Patch for CVE-2021-38173 breaks standard btrbk backup
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
996266: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996266
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: btrbk
Version: 0.27.1-1+deb10u1
Severity: important
Dear Maintainer,
Starting with version 0.27.1-1+deb10u1 ssh_filter_btrbk.sh rejects commands
issued via ssh by btrbk of the same version on a remote host:
root@off-site ~ # /usr/sbin/btrbk --progress archive on-site.example.com:/mnt/backup/dc /mnt/backup/on-site.example.com/dc
ERROR: ssh_filter_btrbk.sh: ssh command rejected: disallowed command: sudo -n btrfs subvolume list -a -c -u -q -R /mnt/backup
ERROR: Failed to fetch subvolume detail for 'on-site.example.com:/mnt/backup/dc'
Downgrading to 0.27.1-1 restores the expected functionality. A subsequent
diff unsurprisingly shows that the only meaningful difference is the
patch[1] for CVE-2021-38173 introduced by 0.27.1-1+deb10u1.
According to `man 1 ssh_filter_btrbk` listing subvolumes is always allowed
and not restricted. Without any of the parameters set by btrbk itself this
actually still works:
root@off-site ~ # ssh -l btrbk -i /etc/btrbk/ssh/id_ed25519 on-site.example.com sudo -n btrfs subvolume list /mnt/backup
ID 19675 gen 66861 top level 1057 path some/subvolume
[...]
But any parameter after `list` causes the command to be rejected:
root@off-site ~ # ssh -l btrbk -i /etc/btrbk/ssh/id_ed25519 on-site.example.com sudo -n btrfs subvolume list -a /mnt/backup
ERROR: ssh_filter_btrbk.sh: ssh command rejected: disallowed command: sudo -n btrfs subvolume list -a /mnt/backup
In my opinion the patch is breaking core functionality. The only
"work-around" besides downgrading is not using `ssh_filter_btrbk.sh` which
is probably worse than the fixed vulnerability. Newer upstream versions of
btrbk provide a revised version of the affected script. Please advise.
Kind Regards
Leonhard Preis
[1] https://sources.debian.org/patches/btrbk/0.27.1-1+deb10u1/CVE-2021-38173.patch/
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-18-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages btrbk depends on:
ii btrfs-progs [btrfs-tools] 4.20.1-2
ii perl 5.28.1-6+deb10u1
Versions of packages btrbk recommends:
ii mbuffer 20190127+ds1-1
ii openssh-client 1:7.9p1-10+deb10u2
ii pv 1.6.6-1
Versions of packages btrbk suggests:
ii openssl 1.1.1d-0+deb10u7
ii python3 3.7.3-1
-- no debconf information
--- End Message ---
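The rejection in the report above comes from an SSH forced-command allowlist. The following is an added example, not btrbk's ssh_filter_btrbk.sh and not code from the reporter or the Debian maintainers: a minimal POSIX sh filter in the same spirit, with an over-strict pattern that rejects `btrfs subvolume list -a -c -u -q -R /mnt/backup` exactly as in the report, beside a corrected pattern that accepts the fixed set of single-letter flags btrbk passes plus one absolute path while still rejecting anything else. The names `strip_sudo`, `allow_strict` and `allow_fixed` are hypothetical, and only the `subvolume list` case is covered.

```shell
#!/bin/sh
# Added example (not btrbk's own ssh_filter_btrbk.sh). Each allow_* function
# takes the string an SSH forced command would see in "$SSH_ORIGINAL_COMMAND"
# and returns 0 if the command is permitted, 1 if it is rejected.

# Hypothetical helper: drop an optional leading "sudo -n " so privileged and
# unprivileged invocations are checked against the same pattern.
strip_sudo() {
    case "$1" in
        "sudo -n "*) printf '%s\n' "${1#"sudo -n "}" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# Over-strict allowlist: only the bare "btrfs subvolume list <path>" form
# passes, so the flags btrbk itself adds cause a rejection, which is the
# regression described in the bug report.
allow_strict() {
    cmd=$(strip_sudo "$1")
    printf '%s\n' "$cmd" | grep -Eq '^btrfs subvolume list /[A-Za-z0-9_./-]*$'
}

# Corrected allowlist: permit any combination of the single-letter flags
# -a -c -u -q -R, in any order, followed by exactly one absolute path made of
# safe characters. Extra words, shell metacharacters, other subcommands and
# ".." components are all rejected, so the filter stays tight while the
# standard btrbk invocation works again.
allow_fixed() {
    cmd=$(strip_sudo "$1")
    printf '%s\n' "$cmd" | grep -Eq '^btrfs subvolume list( -[acuqR])* /[A-Za-z0-9_./-]*$' \
        && ! printf '%s\n' "$cmd" | grep -q '\.\.'
}
```

Running the two filters against the commands quoted in the report shows that only `allow_fixed` accepts the flagged form btrbk sends, and both still reject commands outside the allowlist.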
--- Begin Message ---
Source: btrbk
Source-Version: 0.27.1-1+deb10u2
Done: Thorsten Alteholz <[email protected]>
We believe that the bug you reported is fixed in the latest version of
btrbk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated btrbk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 23 Nov 2021 16:03:02 +0100
Source: btrbk
Architecture: source
Version: 0.27.1-1+deb10u2
Distribution: buster
Urgency: high
Maintainer: Axel Burri <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Closes: 996260 996266
Changes:
btrbk (0.27.1-1+deb10u2) buster; urgency=high
.
* Non-maintainer upload by the LTS Team.
* regression fix for CVE-2021-38173
(Closes: #996260, #996266)
--- End Message ---