Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi, This update contains the fix for CVE-2020-35459 - privilege escalation for Hawk webserver using crmsh bug. Since Debian does not ship Hawk, security team agreed that the fix for crmsh can go through stable updates.
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/changelog crmsh-4.0.0~git20190108.3d56538/debian/changelog
--- crmsh-4.0.0~git20190108.3d56538/debian/changelog 2019-01-20 10:59:14.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/changelog 2021-03-27 19:07:26.000000000 +0100
@@ -1,3 +1,9 @@
+crmsh (4.0.0~git20190108.3d56538-3+deb10u1) buster; urgency=medium
+
+ * d/patches: include fix for CVE-2020-35459 (Closes: #985376)
+
+ -- Valentin Vidic <vvi...@debian.org> Sat, 27 Mar 2021 19:07:26 +0100
+
 crmsh (4.0.0~git20190108.3d56538-3) unstable; urgency=medium
 
 * d/tests: disable regression tests for now
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch
--- crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch 1970-01-01 01:00:00.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch 2021-03-27 19:05:37.000000000 +0100
@@ -0,0 +1,95 @@
+>From 1a4ed641835c6b6d45b2480c7ff2227e0611fe9d Mon Sep 17 00:00:00 2001
+From: liangxin1300 <xli...@suse.com>
+Date: Fri, 18 Dec 2020 13:16:14 +0800
+Subject: [PATCH] Fix: history: use Path.mkdir instead of mkdir
+ command(bsc#1179999)
+
+And check if the directory name was sane
+---
+ crmsh/history.py | 10 ++++++----
+ crmsh/utils.py | 14 ++++++++------
+ 2 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/crmsh/history.py
++++ b/crmsh/history.py
+@@ -465,6 +465,8 @@
+ return None
+
+ d = self._live_loc()
++ if not utils.is_path_sane(d):
++ return None
+ utils.rmdir_r(d)
+ tarball = "%s.tar.bz2" % d
+ to_option = ""
+@@ -473,8 +475,7 @@
+ nodes_option = ""
+ if self.setnodes:
+ nodes_option = "'-n %s'" % ' '.join(self.setnodes)
+- if utils.pipe_cmd_nosudo("mkdir -p %s" % os.path.dirname(d)) != 0:
+- return None
++ utils.mkdirp(os.path.dirname(d))
+ common_info("Retrieving information from cluster nodes, please wait...")
+ rc = utils.pipe_cmd_nosudo("%s -Z -Q -f '%s' %s %s %s %s" %
+ (extcmd,
+@@ -981,6 +982,8 @@
+
+ def manage_session(self, subcmd, name):
+ session_dir = self.get_session_dir(name)
++ if not utils.is_path_sane(session_dir):
++ return False
+ if subcmd == "save" and os.path.exists(session_dir):
+ common_err("history session %s exists" % name)
+ return False
+@@ -988,8 +991,7 @@
+ common_err("history session %s does not exist" % name)
+ return False
+ if subcmd == "save":
+- if utils.pipe_cmd_nosudo("mkdir -p %s" % session_dir) != 0:
+- return False
++ utils.mkdirp(session_dir)
+ if self.source == "live":
+ rc = utils.pipe_cmd_nosudo("tar -C '%s' -c . | tar -C '%s' -x" %
+ (self._live_loc(), session_dir))
+--- a/crmsh/utils.py
++++ b/crmsh/utils.py
+@@ -15,6 +15,7 @@
+ import fnmatch
+ import gc
+ import ipaddress
++from pathlib import Path
+ from contextlib import contextmanager
+ from . import config
+ from . import userdir
+@@ -657,14 +658,14 @@
+
+
+ def is_path_sane(name):
+- if re.search(r"['`#*?$\[\]]", name):
++ if re.search(r"['`#*?$\[\];]", name):
+ common_err("%s: bad path" % name)
+ return False
+ return True
+
+
+ def is_filename_sane(name):
+- if re.search(r"['`/#*?$\[\]]", name):
++ if re.search(r"['`/#*?$\[\];]", name):
+ common_err("%s: bad filename" % name)
+ return False
+ return True
+@@ -793,10 +794,11 @@
+ rmdir_r(os.path.join(lockdir, _LOCKDIR))
+
+
+-def mkdirp(d, mode=0o777):
+- if os.path.isdir(d):
+- return True
+- os.makedirs(d, mode=mode)
++def mkdirp(directory, mode=0o777, parents=True, exist_ok=True):
++ """
++ Same behavior as the POSIX mkdir -p command
++ """
++ Path(directory).mkdir(mode, parents, exist_ok)
+
+
+ def pipe_cmd_nosudo(cmd):
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/patches/series crmsh-4.0.0~git20190108.3d56538/debian/patches/series
--- crmsh-4.0.0~git20190108.3d56538/debian/patches/series 2019-01-19 14:56:34.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/patches/series 2021-03-27 19:02:25.000000000 +0100
@@ -9,3 +9,4 @@
 0013-Fix-cluster-bootstrap.patch
 0014-Fix-cluster-stop-start.patch
 0015-Fix-testsuite-errors.patch
+CVE-2020-35459.patch
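Review bot: On the new side of `manage_session`, `utils.mkdirp(session_dir)` replaces a `pipe_cmd_nosudo("mkdir -p ...") != 0: return False` check, so a failing mkdir (for example a `PermissionError` raised by `Path.mkdir`) now propagates as an `OSError` instead of returning False to the caller; the `utils.mkdirp(os.path.dirname(d))` line in the earlier history.py hunk loses its `return None` the same way. Keeping the old contract would be `try: utils.mkdirp(session_dir)` / `except OSError as e: common_err("%s: %s" % (session_dir, e)); return False`, with the same wrapper around the dirname call. A second point: `is_path_sane` remains a denylist while `session_dir` and `d` are still interpolated into shell strings on the `tar -C '%s' -c . | tar -C '%s' -x` and `%s -Z -Q -f '%s'` lines, so an allowlist such as `re.fullmatch(r"[A-Za-z0-9._/-]+", name)` or passing those paths as an argv list rather than a shell string would be a stronger control than adding `;` to the blocked set. Both enclosing functions start and end outside the hunk.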