subject:"Bug#873088\: git\-annex security issue backports"

Bug#873088: git-annex security issue backports

2017-10-26 Thread Sébastien Delafond

On Oct/26, Antoine Beaupré wrote:
> Right, how does that look then?
> 
> https://gitlab.com/anarcat/git-annex/commit/b21ccd25ecd4cad0efcc8f4f0c94ad99ce32cd04

Nah, +deb8u1 ;)

> Then I can just upload this to security-master?

Yep.

Cheers,

--Seb

Bug#873088: git-annex security issue backports

2017-10-26 Thread Antoine Beaupré

On 2017-10-26 11:14:34, Sébastien Delafond wrote:
> On Oct/26, Antoine Beaupré wrote:
>> I have also backported joey's patch to jessie. It was simpler than
>> wheezy because the code is much more similar. The resulting patch is
>> available here:
>> 
>> https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265
>> 
>> As expected, the patch Joey provided applies fine on stretch and
>> should be applied and uploaded as-is. This time, it's in
>> debian/patches because the package is non-native since stretch:
>> 
>> https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d
>> 
>> I can do the upload if you authorize me. The above are not *exactly*
>> debdiffs, but they are pretty close, so I hope that's sufficient for
>> review.
>
> Thank you for backporting those.
>
> For the jessie debdiff, please change the version to 5.20141125+deb8u1,
> and target jessie-security. The stretch one looks good as is.
>
> Make sure you build both with -sa, and then you can upload.

Right, how does that look then?

https://gitlab.com/anarcat/git-annex/commit/b21ccd25ecd4cad0efcc8f4f0c94ad99ce32cd04

Then I can just upload this to security-master?

A.
-- 
In god we trust, others pay cash.
- Richard Desjardins, Miami

Bug#873088: git-annex security issue backports

2017-10-26 Thread Sébastien Delafond

On Oct/26, Antoine Beaupré wrote:
> I have also backported joey's patch to jessie. It was simpler than
> wheezy because the code is much more similar. The resulting patch is
> available here:
> 
> https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265
> 
> As expected, the patch Joey provided applies fine on stretch and
> should be applied and uploaded as-is. This time, it's in
> debian/patches because the package is non-native since stretch:
> 
> https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d
> 
> I can do the upload if you authorize me. The above are not *exactly*
> debdiffs, but they are pretty close, so I hope that's sufficient for
> review.

Thank you for backporting those.

For the jessie debdiff, please change the version to 5.20141125+deb8u1,
and target jessie-security. The stretch one looks good as is.

Make sure you build both with -sa, and then you can upload.

Cheers,

--Seb

Bug#873088: git-annex security issue backports

2017-10-26 Thread Antoine Beaupré

On 2017-10-23 09:26:28, Antoine Beaupré wrote:
>> What's the status?
>
> I'm resuming work on this now, and I'll see how I can backport this to
> wheezy, which should helpfully give some help/nudge to the jessie
> version as well.

Hi,

I have pushed DLA-1144-1 for git-annex in wheezy after summary tests.

I have also backported joey's patch to jessie. It was simpler than
wheezy because the code is much more similar. The resulting patch is
available here:

https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265

As expected, the patch Joey provided applies fine on stretch and should
be applied and uploaded as-is. This time, it's in debian/patches because
the package is non-native since stretch:

https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d

I can do the upload if you authorize me. The above are not *exactly*
debdiffs, but they are pretty close, so I hope that's sufficient for
review.

A.

-- 
In serious work commanding and discipline are of little avail.
 - Peter Kropotkin

Bug#873088: git-annex security issue backports

2017-10-23 Thread Antoine Beaupré

On 2017-10-12 20:53:13, Moritz Mühlenhoff wrote:
> On Fri, Sep 29, 2017 at 06:56:32PM +0200, Salvatore Bonaccorso wrote:
>> Hi Antoine,
>> 
>> On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote:
>> > Hi again,
>> > 
>> > I reached out to joeyh to see how we could backport git-annex security
>> > patches to wheezy. He responded by sharing the attached patch he sent to
>> > the git-annex maintainer that backports the fixes to stretch. I figured
>> > it would be useful for the core secteam to have visibilty on this...
>> > 
>> > He also validated the approach i suggested of "grep for ssh and backport
>> > the SshHost construct" to fix the issue in earlier version.
>> 
>> Thanks. Indeed we were already in contact with Richard.
>> 
>> Richard, friendly ping, did you had a chance to continue working on
>> the jessie- and stretch-security upload?
>
> What's the status?

I'm resuming work on this now, and I'll see how I can backport this to
wheezy, which should helpfully give some help/nudge to the jessie
version as well.

A.

-- 
It is a miracle that curiosity survives formal education
- Albert Einstein

Bug#873088: git-annex security issue backports

2017-10-12 Thread Moritz Mühlenhoff

On Fri, Sep 29, 2017 at 06:56:32PM +0200, Salvatore Bonaccorso wrote:
> Hi Antoine,
> 
> On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote:
> > Hi again,
> > 
> > I reached out to joeyh to see how we could backport git-annex security
> > patches to wheezy. He responded by sharing the attached patch he sent to
> > the git-annex maintainer that backports the fixes to stretch. I figured
> > it would be useful for the core secteam to have visibilty on this...
> > 
> > He also validated the approach i suggested of "grep for ssh and backport
> > the SshHost construct" to fix the issue in earlier version.
> 
> Thanks. Indeed we were already in contact with Richard.
> 
> Richard, friendly ping, did you had a chance to continue working on
> the jessie- and stretch-security upload?

What's the status?

Cheers,
Moritz

Bug#873088: git-annex security issue backports

2017-09-29 Thread Salvatore Bonaccorso

Hi Antoine,

On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote:
> Hi again,
> 
> I reached out to joeyh to see how we could backport git-annex security
> patches to wheezy. He responded by sharing the attached patch he sent to
> the git-annex maintainer that backports the fixes to stretch. I figured
> it would be useful for the core secteam to have visibilty on this...
> 
> He also validated the approach i suggested of "grep for ssh and backport
> the SshHost construct" to fix the issue in earlier version.

Thanks. Indeed we were already in contact with Richard.

Richard, friendly ping, did you had a chance to continue working on
the jessie- and stretch-security upload?

Regards,
Salvatore

Bug#873088: git-annex security issue backports

2017-09-28 Thread Antoine Beaupré

Hi again,

I reached out to joeyh to see how we could backport git-annex security
patches to wheezy. He responded by sharing the attached patch he sent to
the git-annex maintainer that backports the fixes to stretch. I figured
it would be useful for the core secteam to have visibilty on this...

He also validated the approach i suggested of "grep for ssh and backport
the SshHost construct" to fix the issue in earlier version.

I may look at this again tomorrow, otherwise next week.

A.

-- 
Celui qui sait jouir du peu qu'il a est toujours assez riche.
 - Démocrite

--- Begin Message ---
- Forwarded message from Joey Hess  -

Date: Thu, 17 Aug 2017 22:42:27 -0400
From: Joey Hess 
To: Richard Hartmann 
Subject: heads up: git-annex security hole
User-Agent: NeoMutt/20170609 (1.8.3)

I'll be releasing a new version of git-annex tomorrow fixing a remotely
exploitable security hole, the same class of vulnerability that recently
afflicted git. Patch is attached.

This affects all versions of git-annex, so will need backporting.
I've also attached a version of the patch that will apply cleanly to
6.20170101 in stable.

-- 
see shy jo






- End forwarded message -
-- 
see shy jo
From cb521ac529f7072ed94d5cece78a098eac1aa715 Mon Sep 17 00:00:00 2001
From: Joey Hess 
Date: Thu, 17 Aug 2017 22:39:23 -0400
Subject: [PATCH] (stable) avoid the dashed ssh hostname class of security
 holes

Security fix: Disallow hostname starting with a dash, which would get
passed to ssh and be treated an option. This could be used by an attacker
who provides a crafted ssh url (for eg a git remote) to execute arbitrary
code via ssh -oProxyCommand.

No CVE has yet been assigned for this hole.
The same class of security hole recently affected git itself,
CVE-2017-1000117.

Method: Identified all places where ssh is run, by git grep '"ssh"'
Converted them all to use a SshHost, if they did not already, for
specifying the hostname.

SshHost was made a data type with a smart constructor, which rejects
hostnames starting with '-'.

Note that git-annex already contains extensive use of Utility.SafeCommand,
which fixes a similar class of problem where a filename starting with a
dash gets passed to a program which treats it as an option.
---
 Annex/Ssh.hs  | 15 +++-
 Assistant/Pairing/MakeRemote.hs   |  4 ++--
 Assistant/Ssh.hs  | 11 +
 Assistant/WebApp/Configurators/Ssh.hs | 44 +--
 CHANGELOG | 10 
 Remote/Ddar.hs| 10 
 Remote/GCrypt.hs  |  6 +++--
 Remote/Helper/Ssh.hs  |  8 +--
 Remote/Rsync.hs   |  4 +++-
 Utility/SshHost.hs| 29 +++
 git-annex.cabal   |  1 +
 11 files changed, 98 insertions(+), 44 deletions(-)
 create mode 100644 Utility/SshHost.hs

diff --git a/Annex/Ssh.hs b/Annex/Ssh.hs
index 512f0375c..6bd1eeb32 100644
--- a/Annex/Ssh.hs
+++ b/Annex/Ssh.hs
@@ -34,6 +34,7 @@ import Config
 import Annex.Path
 import Utility.Env
 import Utility.FileSystemEncoding
+import Utility.SshHost
 import Types.CleanupActions
 import Git.Env
 #ifndef mingw32_HOST_OS
@@ -43,7 +44,7 @@ import Annex.LockPool
 
 {- Generates parameters to ssh to a given host (or user@host) on a given
  - port. This includes connection caching parameters, and any ssh-options. -}
-sshOptions :: (String, Maybe Integer) -> RemoteGitConfig -> [CommandParam] -> Annex [CommandParam]
+sshOptions :: (SshHost, Maybe Integer) -> RemoteGitConfig -> [CommandParam] -> Annex [CommandParam]
 sshOptions (host, port) gc opts = go =<< sshCachingInfo (host, port)
   where
 	go (Nothing, params) = ret params
@@ -60,7 +61,7 @@ sshOptions (host, port) gc opts = go =<< sshCachingInfo (host, port)
 
 {- Returns a filename to use for a ssh connection caching socket, and
  - parameters to enable ssh connection caching. -}
-sshCachingInfo :: (String, Maybe Integer) -> Annex (Maybe FilePath, [CommandParam])
+sshCachingInfo :: (SshHost, Maybe Integer) -> Annex (Maybe FilePath, [CommandParam])
 sshCachingInfo (host, port) = go =<< sshCacheDir
   where
 	go Nothing = return (Nothing, [])
@@ -201,9 +202,10 @@ forceStopSsh socketfile = do
  - of the path to a socket file. At the same time, it needs to be unique
  - for each host.
  -}
-hostport2socket :: String -> Maybe Integer -> FilePath
-hostport2socket host Nothing = hostport2socket' host
-hostport2socket host (Just port) = hostport2socket' $ host ++ "!" ++ show port
+hostport2socket :: SshHost -> Maybe Integer -> FilePath
+hostport2socket host Nothing = hostport2socket' $ fromSshHost host
+hostport2socket host (Just port) = hostport2socket' $
+	fromSshHost host ++ "!" ++ show port
 hostport2socket' :: String -> FilePath
 hostport2socket' s
 	| length s >

Bug#873088: git-annex security issue backports

Bug#873088: git-annex security issue backports

Bug#873088: git-annex security issue backports

Bug#873088: git-annex security issue backports

Bug#873088: git-annex security issue backports

Bug#873088: git-annex security issue backports

Bug#873088: git-annex security issue backports

Bug#873088: git-annex security issue backports

8 matches

Site Navigation

Mail list logo

Footer information