On Mon, Dec 29, 2014 at 02:34:40AM +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 26, 2014 at 12:18:13AM +0100, Ángel González wrote:
> > On 20-11-2014 Mitre wrote:
> > > > There is a command injection flaw in lsyncd, a file change monitoring
> > > > and synchronization daemon:
> > > >
> > > > https://github.com/axkibe/lsyncd/issues/220
> > > >
> > > > https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
> > > >
> > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
> > >
> > > Use CVE-2014-8990. The scope of this CVE ID includes both:
> >
> > What's the status for jessie?
Hello,

I just finished packages for Wheezy and Jessie but did not upload them yet. Attached are the .dsc's, the debian.tar.{gz,xz} and debdiffs for convenience. I'll ask the release team for a pre-approval for a Jessie unblock before uploading to unstable.

Best regards
Jan

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
https://portfolio.debian.net/ - https://people.debian.org/~jandd/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: lsyncd
Binary: lsyncd
Architecture: any
Version: 2.1.5-2
Maintainer: Jan Dittberner <ja...@debian.org>
Homepage: https://github.com/axkibe/lsyncd
Standards-Version: 3.9.4
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/lsyncd.git
Vcs-Git: git://anonscm.debian.org/collab-maint/lsyncd.git
Build-Depends: debhelper (>= 7.0.50~), libxml2-dev, automake, liblua5.1-0-dev, lua5.1, pkg-config, asciidoc, xsltproc, docbook-xml, docbook-xsl, autotools-dev, dpkg-dev (>= 1.16.1~)
Package-List:
 lsyncd deb admin optional arch=any
Checksums-Sha1:
 5be0a65956837d8e621b711bc7f96c6429d9da50 149873 lsyncd_2.1.5.orig.tar.gz
 a5e2176e3f1c40849933c92a637d8aed5553a372 5492 lsyncd_2.1.5-2.debian.tar.xz
Checksums-Sha256:
 4a793056c4ed833edb59436d7711bb65f7e38a4d8d44371cc9dc5eb91fbc461f 149873 lsyncd_2.1.5.orig.tar.gz
 33de0865276248db19734029a33ebf4e8085ace860c7324e5f76347b5d5ae64a 5492 lsyncd_2.1.5-2.debian.tar.xz
Files:
 fb10547494ec5ec662fe88343047c364 149873 lsyncd_2.1.5.orig.tar.gz
 9805dd5c92ba7a19584cb6ce4cc721ef 5492 lsyncd_2.1.5-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUoTGKAAoJEA15HcjXN8HZgMEH/iNMXZl43TRTnI4saeTJlCCD
qlFKx0FiXLtk24OT0gChkWYkx0C4fwaUMKzhJdyAs4XFY2en6fho40N/sagY2/Ia
yC3aoViDTlBgaYq09UP0QygVcrOgIceb/rj33OQ4PLxkZCJrj69khk40km3fMTV7
OJs/f45teoX/CUtdE4knGobfeiCWWphmyFYI29PCNmqHbUpPqjFMyr3RrIqTYdQk
ATUDlDToLA2qfOugxb0mE5k1I0PZUulBjbsIMTY2Uh15wgOPr1uK/k823om5HJYw
f7MqtpctEDyk3q5wvlpb/KYesLXOJCvE0KlQ/rWu7I2jClmGJ1ef4T3rEV491ko=
=Cvyh
-----END PGP SIGNATURE-----
lsyncd_2.1.5-2.debian.tar.xz
Description: application/xz
diff -Nru lsyncd-2.1.5/debian/changelog lsyncd-2.1.5/debian/changelog --- lsyncd-2.1.5/debian/changelog 2013-06-22 23:15:08.000000000 +0200 +++ lsyncd-2.1.5/debian/changelog 2014-12-29 11:37:06.000000000 +0100 @@ -1,3 +1,11 @@ +lsyncd (2.1.5-2) unstable; urgency=high + + * fix security issue CVE-2014-8990 that allows code execution via shell + characters in file names and denial of service scenarios by applying + debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227) + + -- Jan Dittberner <ja...@debian.org> Mon, 29 Dec 2014 11:36:43 +0100 + lsyncd (2.1.5-1) unstable; urgency=low * New upstream version (Closes: #707328). diff -Nru lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch --- lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch 1970-01-01 01:00:00.000000000 +0100 +++ lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch 2014-12-29 11:37:06.000000000 +0100 
@@ -0,0 +1,39 @@ +Author: Ángel González <an...@16bits.net> +Bug: https://github.com/axkibe/lsyncd/issues/220 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227 +Subject: Properly sanitize mv parameters (CVE-2014-8990) + Sanitize mv arguments: + . + 1. Fixes crashes on file names containing `, $ or " + 2. Also prevents shell execution of ``, $() … in file names, which can be + used to gain remote shell access as lsyncd's (target) user. +--- a/default-rsyncssh.lua ++++ b/default-rsyncssh.lua +@@ -74,6 +74,11 @@ + -- makes move local on target host + -- if the move fails, it deletes the source + if event.etype == 'Move' then ++ local path1 = config.targetdir .. event.path ++ local path2 = config.targetdir .. event2.path ++ path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'" ++ path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'" ++ + log('Normal', 'Moving ',event.path,' -> ',event2.path) + + spawn( +@@ -82,10 +87,12 @@ + config.ssh._computed, + config.host, + 'mv', +- '\"' .. config.targetdir .. event.path .. '\"', +- '\"' .. config.targetdir .. event2.path .. '\"', ++ path1, ++ path2 + '||', 'rm', '-rf', +- '\"' .. config.targetdir .. event.path .. '\"') ++ path1 ++ ) ++ + return + end + diff -Nru lsyncd-2.1.5/debian/patches/series lsyncd-2.1.5/debian/patches/series --- lsyncd-2.1.5/debian/patches/series 2013-06-22 23:15:08.000000000 +0200 +++ lsyncd-2.1.5/debian/patches/series 2014-12-29 11:37:06.000000000 +0100 @@ -1 +1,2 @@ +fix-CVE-2014-8990-shell-escapes.patch dont_install_lua_as_docs.patch
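Review bot: the hunk at `@@ -82,10 +87,12 @@` in default-rsyncssh.lua drops the comma after `path2`: `++ path2` is followed directly by `+ '||', 'rm', '-rf',`, so the spawn() argument list reads `path2 '||', 'rm', ...`. Lua treats an expression followed by a string literal as a call, so this raises an "attempt to call" error on a string value the first time a Move event is handled, and the jessie package would break every remote move instead of fixing it. Restore `path2,` as the wheezy variant of the same patch below has it. The quoting itself is sound: replacing each embedded `'` with `'"'"'` and wrapping the whole path in single quotes leaves nothing for the remote shell to expand, which covers the backtick, `$()` and `"` cases named in the patch header; before upload, a move of a file whose name contains a single quote and a `$(...)` sequence should arrive verbatim on the target and the `|| rm -rf` fallback should not fire.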
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: lsyncd
Binary: lsyncd
Architecture: any
Version: 2.0.7-3+deb7u1
Maintainer: Jan Dittberner <ja...@debian.org>
Homepage: http://code.google.com/p/lsyncd/
Standards-Version: 3.9.3
Vcs-Browser: http://git.debian.org/?p=collab-maint/lsyncd.git
Vcs-Git: git://git.debian.org/collab-maint/lsyncd.git
Build-Depends: debhelper (>= 7.0.50~), libxml2-dev, automake, liblua5.1-0-dev, lua5.1, pkg-config, asciidoc, xsltproc, docbook-xml, docbook-xsl, autotools-dev, dpkg-dev (>= 1.16.1~)
Package-List:
 lsyncd deb admin optional
Checksums-Sha1:
 b8e64ea9c83da5546109b8ea47d7fb1ac35ed90c 141498 lsyncd_2.0.7.orig.tar.gz
 9848d47c8e640f9c22d211a62c3974c96d54b191 5701 lsyncd_2.0.7-3+deb7u1.debian.tar.gz
Checksums-Sha256:
 3c76a6e8acfceea742154afd21f74b220277e54b1ffdb71ee1dc2eb104b0bbde 141498 lsyncd_2.0.7.orig.tar.gz
 9bfcbec7c2f6949baf9e228b99bd21f688d6b60face74ffd627e150583a826cd 5701 lsyncd_2.0.7-3+deb7u1.debian.tar.gz
Files:
 4ef8787f6e3a402a9a2bcb84c123fb17 141498 lsyncd_2.0.7.orig.tar.gz
 7eee9f3a2bb700e5fa1f6d1b47149585 5701 lsyncd_2.0.7-3+deb7u1.debian.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUoTGiAAoJEA15HcjXN8HZ9cQH/2wdLyDkHJvnVOAv/2/gV0iU
eRtp3V1fQJ8gz7T7PJRNfVU+PHQovYW5UkKt++2JVuAB7mgISF9SDP9YQ5C33yLx
LETs5VX72ydZdkPHs6fmD3Yg0EkoTY2a3fXonQVYiIBF6lauIWHNUUpnCPhFYXJx
DKWu4cm7PsZSm3QuHAllRtifOvgk7zskDyFHzZtlGewv+Yc0mAQW8Y/jK1rLu/sf
FlPqoHyyCnAbP1PUWvaZv/dki0ZSIhXLIVDkQM+34mvhElZ4hjHez2Do4ef7JCU3
pCGjZ5u+lFlbG9nSt9Lro+cVYtC3cdsZku1eEzbT8yHIU1ONywk13kQtnQRhshY=
=U9kh
-----END PGP SIGNATURE-----
lsyncd_2.0.7-3+deb7u1.debian.tar.gz
Description: application/gzip
diff -Nru lsyncd-2.0.7/debian/changelog lsyncd-2.0.7/debian/changelog --- lsyncd-2.0.7/debian/changelog 2012-05-19 00:52:00.000000000 +0200 +++ lsyncd-2.0.7/debian/changelog 2014-12-29 11:31:16.000000000 +0100 @@ -1,3 +1,11 @@ +lsyncd (2.0.7-3+deb7u1) wheezy-security; urgency=high + + * fix security issue CVE-2014-8990 that allows code execution via shell + characters in file names and denial of service scenarios by applying + debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227) + + -- Jan Dittberner <ja...@debian.org> Mon, 29 Dec 2014 11:29:15 +0100 + lsyncd (2.0.7-3) unstable; urgency=low * fix breakage introduced when trying to fix #673387, PIDFILE was not diff -Nru lsyncd-2.0.7/debian/patches/fix-CVE-2014-8990-shell-escapes.patch lsyncd-2.0.7/debian/patches/fix-CVE-2014-8990-shell-escapes.patch --- lsyncd-2.0.7/debian/patches/fix-CVE-2014-8990-shell-escapes.patch 1970-01-01 01:00:00.000000000 +0100 +++ lsyncd-2.0.7/debian/patches/fix-CVE-2014-8990-shell-escapes.patch 2014-12-29 11:31:16.000000000 +0100 
@@ -0,0 +1,38 @@ +Author: Ángel González <an...@16bits.net> +Bug: https://github.com/axkibe/lsyncd/issues/220 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227 +Subject: Properly sanitize mv parameters (CVE-2014-8990) + Sanitize mv arguments: + . + 1. Fixes crashes on file names containing `, $ or " + 2. Also prevents shell execution of ``, $() … in file names, which can be + used to gain remote shell access as lsyncd's (target) user. + + This adapted patch is from Sven Schwedas <sven.schwe...@tao.at> +--- a/default-rsyncssh.lua ++++ b/default-rsyncssh.lua +@@ -29,14 +29,21 @@ + -- makes move local on host + -- if fails deletes the source... + if event.etype == 'Move' then ++ local path1 = config.targetdir .. event.path ++ local path2 = config.targetdir .. event2.path ++ path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'" ++ path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'" ++ + log('Normal', 'Moving ',event.path,' -> ',event2.path) ++ + spawn(event, '/usr/bin/ssh', + config.host, + 'mv', +- '\"' .. config.targetdir .. event.path .. '\"', +- '\"' .. config.targetdir .. event2.path .. '\"', ++ path1, ++ path2, + '||', 'rm', '-rf', +- '\"' .. config.targetdir .. event.path .. '\"') ++ path1 ++ ) + return + end + diff -Nru lsyncd-2.0.7/debian/patches/series lsyncd-2.0.7/debian/patches/series --- lsyncd-2.0.7/debian/patches/series 2012-05-19 00:52:00.000000000 +0200 +++ lsyncd-2.0.7/debian/patches/series 2014-12-29 11:31:16.000000000 +0100 @@ -1 +1,2 @@ dont_install_lua_as_docs.patch +fix-CVE-2014-8990-shell-escapes.patch
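Review bot: this wheezy variant of the hunk at `@@ -29,14 +29,21 @@` keeps the comma after `path2` (`++ path2,`), unlike the jessie debdiff above, so the two uploads do not carry identical code; the Lua here is well-formed and the spawn() list for the remote mv and its `|| rm -rf` fallback is intact, so this is the version the jessie patch should be aligned with. Two header points: the free-text line "This adapted patch is from Sven Schwedas" would fit the DEP-3 `Origin:` field better than the description body, and neither variant carries `Last-Update:`. The series hunks also differ, appending fix-CVE-2014-8990-shell-escapes.patch after dont_install_lua_as_docs.patch here but prepending it in jessie; worth keeping the order the same in both so the quilt stack is identical.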