Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

unblock lsyncd/2.1.5-2

Dear release team,

I prepared a new lsyncd version that fixes a security issue (#767227,
CVE-2014-8990). I attach the debdiff for the new version to this report.
Please tell me whether I should upload the package to unstable.


Best regards
Jan Dittberner

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
https://portfolio.debian.net/ - https://people.debian.org/~jandd/
diff -Nru lsyncd-2.1.5/debian/changelog lsyncd-2.1.5/debian/changelog
--- lsyncd-2.1.5/debian/changelog       2013-06-22 23:15:08.000000000 +0200
+++ lsyncd-2.1.5/debian/changelog       2014-12-29 11:37:06.000000000 +0100
@@ -1,3 +1,11 @@
+lsyncd (2.1.5-2) unstable; urgency=high
+
+  * fix security issue CVE-2014-8990 that allows code execution via shell
+    characters in file names and denial of service scenarios by applying
+    debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227)
+
+ -- Jan Dittberner <ja...@debian.org>  Mon, 29 Dec 2014 11:36:43 +0100
+
 lsyncd (2.1.5-1) unstable; urgency=low
 
   * New upstream version (Closes: #707328).
diff -Nru lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch 
lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch
--- lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch   
1970-01-01 01:00:00.000000000 +0100
+++ lsyncd-2.1.5/debian/patches/fix-CVE-2014-8990-shell-escapes.patch   
2014-12-29 11:37:06.000000000 +0100
@@ -0,0 +1,39 @@
+Author: Ángel González <an...@16bits.net>
+Bug: https://github.com/axkibe/lsyncd/issues/220
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
+Subject: Properly sanitize mv parameters (CVE-2014-8990)
+ Sanitize mv arguments:
+ .
+ 1. Fixes crashes on file names containing `, $ or "
+ 2. Also prevents shell execution of ``, $() … in file names, which can be
+    used to gain remote shell access as lsyncd's (target) user.
+--- a/default-rsyncssh.lua
++++ b/default-rsyncssh.lua
+@@ -74,6 +74,11 @@
+       -- makes move local on target host
+       -- if the move fails, it deletes the source
+       if event.etype == 'Move' then
++              local path1 = config.targetdir .. event.path
++              local path2 = config.targetdir .. event2.path
++              path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
++              path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
++
+               log('Normal', 'Moving ',event.path,' -> ',event2.path)
+ 
+               spawn(
+@@ -82,10 +87,12 @@
+                       config.ssh._computed,
+                       config.host,
+                       'mv',
+-                      '\"' .. config.targetdir .. event.path .. '\"',
+-                      '\"' .. config.targetdir .. event2.path .. '\"',
++                      path1,
++                      path2
+                       '||', 'rm', '-rf',
+-                      '\"' .. config.targetdir .. event.path .. '\"')
++                      path1
++              )
++
+               return
+       end
+ 
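Review bot: the `++ path2` line in the inner `@@ -82,10 +87,12 @@` hunk is missing its trailing comma, so Lua reads `path2 '||'` as a string-literal call on the local `path2` and the Move branch raises an "attempt to call a string value" error at runtime instead of spawning mv; it should read `path2,`. The quoting itself is sound: wrapping each target path in single quotes and replacing embedded `'` with `'"'"'` stops the remote POSIX shell behind ssh from interpreting `` ` ``, `$(...)` or `"` in file names, and the `'||', 'rm', '-rf', path1` fallback reuses the same quoted `path1`, so it is covered as well. Style: the DEP-3 header has `Bug:`/`Bug-Debian:` but no `Origin:`; since the fix comes from upstream issue 220, `Origin: upstream, https://github.com/axkibe/lsyncd/issues/220` would record that.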
diff -Nru lsyncd-2.1.5/debian/patches/series lsyncd-2.1.5/debian/patches/series
--- lsyncd-2.1.5/debian/patches/series  2013-06-22 23:15:08.000000000 +0200
+++ lsyncd-2.1.5/debian/patches/series  2014-12-29 11:37:06.000000000 +0100
@@ -1 +1,2 @@
+fix-CVE-2014-8990-shell-escapes.patch
 dont_install_lua_as_docs.patch
