Bug#996260: marked as done (btrbk: Regression with security mitigation for CVE-2021-38173)

[Debian Bug Tracking System]

Your message dated Fri, 24 Dec 2021 15:47:19 +0000
with message-id <e1n0mmt-000dti...@fasolo.debian.org>
and subject line Bug#996260: fixed in btrbk 0.27.1-1+deb10u2
has caused the Debian Bug report #996260,
regarding btrbk: Regression with security mitigation for CVE-2021-38173
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
996260: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996260
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: btrbk
Version: 0.27.1-1+deb10u1
Severity: normal

Dear Maintainer,

In the security upload for CVE-2021-38173 the ssh_filter_btrbk.sh
script was changed. This, however, introduced a regression for me as
my btrbk clients use the command

  sudo -n btrfs subvolume list -a -c -u -q -R /srv/backup

However, ssh_filter_btrbk.sh only allows this pattern

  sudo -n btrfs subvolume list [0-9a-zA-Z_@+./-]*

I.e., options to `btrfs subvolume list` are not permitted.

I fixed this using this modified pattern:

  allow_exact_cmd "${sudo_prefix}btrfs subvolume list (${option_match}( 
${option_match})*)? ${file_match}";

Best,
Maximilian

--- End Message ---

--- Begin Message ---

Source: btrbk
Source-Version: 0.27.1-1+deb10u2
Done: Thorsten Alteholz <deb...@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
btrbk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 996...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated btrbk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 Nov 2021 16:03:02 +0100
Source: btrbk
Architecture: source
Version: 0.27.1-1+deb10u2
Distribution: buster
Urgency: high
Maintainer: Axel Burri <a...@tty0.ch>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Closes: 996260 996266
Changes:
 btrbk (0.27.1-1+deb10u2) buster; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * regression fix for CVE-2021-38173
     (Closes: #996260, #996266)
Checksums-Sha1:
 cf6d5dc8bcf5e3b9a19abdfcc848741759ec405c 2008 btrbk_0.27.1-1+deb10u2.dsc
 9c16b42d97619f31b29980f37357dc1a810ec3f2 7372 
btrbk_0.27.1-1+deb10u2.debian.tar.xz
 dd4a5598837b7f27d4897d151bf4ad206b3fd333 6186 
btrbk_0.27.1-1+deb10u2_amd64.buildinfo
Checksums-Sha256:
 6f1e1bd850bfe2add4c50dfeea34d840c0fdc561ad6181d78812945151c63553 2008 
btrbk_0.27.1-1+deb10u2.dsc
 4f0d6f5d37235c16d1893588600a69662a419226a97eeaed6688b2fb823c1ea8 7372 
btrbk_0.27.1-1+deb10u2.debian.tar.xz
 ff9a3beb9dbd4f73de37cfb2f33b7132f92ac9f498725b5e06811fde348cb58c 6186 
btrbk_0.27.1-1+deb10u2_amd64.buildinfo
Files:
 074dde6b7cbb405ad2564ec684c4a328 2008 utils optional btrbk_0.27.1-1+deb10u2.dsc
 fae403dc51a6ffa5ca2697476a14a2c5 7372 utils optional 
btrbk_0.27.1-1+deb10u2.debian.tar.xz
 efdd27a406e8c44329df11c14302aa71 6186 utils optional 
btrbk_0.27.1-1+deb10u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKnBAEBCgCRFiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmGz5jNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcTHGRlYmlhbkBh
bHRlaG9sei5kZQAKCRCW/KwNOHtYR6UlD/9R+cZZoHaYtE0mp6y/Z1uRNuKr3kPe
1gz19Ky5Fl1pWtvZ7bC15pXvQapes8jHTzPaNR2yKSXt8uSuPi4IMcs/8EyrSfme
z69R4fIrBwZh1aptRckT7fHUhNwBhPON5mEMTLKwuAx05ivuuQ8/1p8FlC1hPWT3
IhqOLUczek/TCJgWJMguuxsympGgrR5B4yYuq0F8vAyJa+Tmt6SguTS02qd/l4qR
o/74sroH6DjDBlIfwgaNF5WIfK4c78O8P3WyeCBFU7qNH6IrHZrwxxiVBdooZN46
01Ik8tTEe46fGa51bZuKQhcv3GzSFEZa7raclzipoyP+7dV/zQ+Fz9RVxEMIyLyn
wsCf966AE3hMzXHJIU1I3exo6Nymtp2R8NrhzZFqPPSUOnXcdnzb3P/oEMxEWZhv
OP4T8U9EzXs29SAsZcHaICERmYQOfwv9wNvxqnj4zC/3lo9tN7s7RAFF6nnu0gUO
egnMe3PGNfj5FvLDqG+UWz2Qbm6BRmdnoYBGrql9Bnwet1bbsFl8apLhEwbTVz6r
dPVEHkwJe337+Z7zHWUih0QbHH5jfrUU6jH2IPtaf5Od3PBiDlKaPR6+otkGYuoS
zXEPm/1p37rEfxNDHmfQj4PnVg4Li+4SPx8JhZN9aIBTgbHPsc/2ADyihl9pYnGo
l2x1qqKJrAn5eQ==
=bR61
-----END PGP SIGNATURE-----

--- End Message ---