Bug#986014: buster-pu: package crmsh/4.0.0~git20190108.3d56538-3+deb10u1

Valentin Vidic Sat, 27 Mar 2021 14:21:13 -0700

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu


Hi,

This update contains the fix for CVE-2020-35459 - privilege escalation
for Hawk webserver using crmsh bug. Since Debian does not ship Hawk,
security team agreed that the fix for crmsh can go through stable
updates.


diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/changelog 
crmsh-4.0.0~git20190108.3d56538/debian/changelog
--- crmsh-4.0.0~git20190108.3d56538/debian/changelog    2019-01-20 
10:59:14.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/changelog    2021-03-27 
19:07:26.000000000 +0100
@@ -1,3 +1,9 @@
+crmsh (4.0.0~git20190108.3d56538-3+deb10u1) buster; urgency=medium
+
+  * d/patches: include fix for CVE-2020-35459 (Closes: #985376)
+
+ -- Valentin Vidic <vvi...@debian.org>  Sat, 27 Mar 2021 19:07:26 +0100
+
 crmsh (4.0.0~git20190108.3d56538-3) unstable; urgency=medium
 
   * d/tests: disable regression tests for now
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch 
crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch
--- crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch 
1970-01-01 01:00:00.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/patches/CVE-2020-35459.patch 
2021-03-27 19:05:37.000000000 +0100
@@ -0,0 +1,95 @@
+>From 1a4ed641835c6b6d45b2480c7ff2227e0611fe9d Mon Sep 17 00:00:00 2001
+From: liangxin1300 <xli...@suse.com>
+Date: Fri, 18 Dec 2020 13:16:14 +0800
+Subject: [PATCH] Fix: history: use Path.mkdir instead of mkdir
+ command(bsc#1179999)
+
+And check if the directory name was sane
+---
+ crmsh/history.py | 10 ++++++----
+ crmsh/utils.py   | 14 ++++++++------
+ 2 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/crmsh/history.py
++++ b/crmsh/history.py
+@@ -465,6 +465,8 @@
+             return None
+ 
+         d = self._live_loc()
++        if not utils.is_path_sane(d):
++            return None
+         utils.rmdir_r(d)
+         tarball = "%s.tar.bz2" % d
+         to_option = ""
+@@ -473,8 +475,7 @@
+         nodes_option = ""
+         if self.setnodes:
+             nodes_option = "'-n %s'" % ' '.join(self.setnodes)
+-        if utils.pipe_cmd_nosudo("mkdir -p %s" % os.path.dirname(d)) != 0:
+-            return None
++        utils.mkdirp(os.path.dirname(d))
+         common_info("Retrieving information from cluster nodes, please 
wait...")
+         rc = utils.pipe_cmd_nosudo("%s -Z -Q -f '%s' %s %s %s %s" %
+                                    (extcmd,
+@@ -981,6 +982,8 @@
+ 
+     def manage_session(self, subcmd, name):
+         session_dir = self.get_session_dir(name)
++        if not utils.is_path_sane(session_dir):
++            return False
+         if subcmd == "save" and os.path.exists(session_dir):
+             common_err("history session %s exists" % name)
+             return False
+@@ -988,8 +991,7 @@
+             common_err("history session %s does not exist" % name)
+             return False
+         if subcmd == "save":
+-            if utils.pipe_cmd_nosudo("mkdir -p %s" % session_dir) != 0:
+-                return False
++            utils.mkdirp(session_dir)
+             if self.source == "live":
+                 rc = utils.pipe_cmd_nosudo("tar -C '%s' -c . | tar -C '%s' 
-x" %
+                                            (self._live_loc(), session_dir))
+--- a/crmsh/utils.py
++++ b/crmsh/utils.py
+@@ -15,6 +15,7 @@
+ import fnmatch
+ import gc
+ import ipaddress
++from pathlib import Path
+ from contextlib import contextmanager
+ from . import config
+ from . import userdir
+@@ -657,14 +658,14 @@
+ 
+ 
+ def is_path_sane(name):
+-    if re.search(r"['`#*?$\[\]]", name):
++    if re.search(r"['`#*?$\[\];]", name):
+         common_err("%s: bad path" % name)
+         return False
+     return True
+ 
+ 
+ def is_filename_sane(name):
+-    if re.search(r"['`/#*?$\[\]]", name):
++    if re.search(r"['`/#*?$\[\];]", name):
+         common_err("%s: bad filename" % name)
+         return False
+     return True
+@@ -793,10 +794,11 @@
+             rmdir_r(os.path.join(lockdir, _LOCKDIR))
+ 
+ 
+-def mkdirp(d, mode=0o777):
+-    if os.path.isdir(d):
+-        return True
+-    os.makedirs(d, mode=mode)
++def mkdirp(directory, mode=0o777, parents=True, exist_ok=True):
++    """
++    Same behavior as the POSIX mkdir -p command
++    """
++    Path(directory).mkdir(mode, parents, exist_ok)
+ 
+ 
+ def pipe_cmd_nosudo(cmd):
diff -Nru crmsh-4.0.0~git20190108.3d56538/debian/patches/series 
crmsh-4.0.0~git20190108.3d56538/debian/patches/series
--- crmsh-4.0.0~git20190108.3d56538/debian/patches/series       2019-01-19 
14:56:34.000000000 +0100
+++ crmsh-4.0.0~git20190108.3d56538/debian/patches/series       2021-03-27 
19:02:25.000000000 +0100
@@ -9,3 +9,4 @@
 0013-Fix-cluster-bootstrap.patch
 0014-Fix-cluster-stop-start.patch
 0015-Fix-testsuite-errors.patch
+CVE-2020-35459.patch

Bug#986014: buster-pu: package crmsh/4.0.0~git20190108.3d56538-3+deb10u1

Reply via email to