Your message dated Mon, 29 Dec 2014 11:33:54 +0000
with message-id <[email protected]>
and subject line Bug#767227: fixed in lsyncd 2.1.5-2
has caused the Debian Bug report #767227,
regarding lsyncd: CVE-2014-8990: Crash and/or code execution on `, $, " in file names
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
767227: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lsyncd
Version: 2.0.7-3
Severity: important
Tags: security patch

cf. upstream bug report and fix at
 https://github.com/axkibe/lsyncd/issues/220

This is the same patch backported to the lsyncd version in stable.

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lsyncd depends on:
ii  libc6        2.13-38+deb7u4
ii  liblua5.1-0  5.1.5-4+deb7u1
ii  lua5.1       5.1.5-4+deb7u1
ii  rsync        3.0.9-4

lsyncd recommends no packages.

lsyncd suggests no packages.

-- no debconf information

Sanitize mv arguments:

1. Fixes crashes on file names containing `, $ or "
2. Also prevents shell execution of ``, $() … in file names, which can be
   used to gain remote shell access as lsyncd's (target) user.
Index: lsyncd-2.0.7/default-rsyncssh.lua
===================================================================
--- lsyncd-2.0.7.orig/default-rsyncssh.lua	2012-02-16 08:24:20.000000000 +0100
+++ lsyncd-2.0.7/default-rsyncssh.lua	2014-10-29 13:59:51.165553255 +0100
@@ -29,14 +29,17 @@
 		-- makes move local on host
 		-- if fails deletes the source...
 		if event.etype == 'Move' then
-			log('Normal', 'Moving ',event.path,' -> ',event2.path)
+			local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+			local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+			log('Normal', 'Moving ',path1,' -> ',path2)
+
 			spawn(event, '/usr/bin/ssh',
 				config.host,
 				'mv',
-				'\"' .. config.targetdir .. event.path .. '\"',
-				'\"' .. config.targetdir .. event2.path .. '\"',
+				'\"' .. config.targetdir .. path1 .. '\"',
+				'\"' .. config.targetdir .. path2 .. '\"',
 				'||', 'rm', '-rf',
-				'\"' .. config.targetdir .. event.path .. '\"')
+				'\"' .. config.targetdir .. path1 .. '\"')
 			return
 		end
 
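Review bot: the escape list in the two new `local path1`/`path2` lines omits the backslash, so a name containing `\` still breaks the double-quoted argument on the remote side: a trailing `\` turns the closing `\"` into an escaped quote and the whole ssh command line fails with an unterminated string, and a `\` directly in front of `$` or `"` cancels the escape that was just added. Escape the backslash first, e.g. `:gsub('\\', '\\\\')` ahead of the other three substitutions, or switch the arguments to single quotes (replacing each `'` by `'\''`), which leaves only one character to handle. Two smaller points: `config.targetdir` is concatenated unescaped, which is acceptable only as long as it stays admin-controlled, and the `log('Normal', 'Moving ', ...)` line now prints the escaped form rather than the real file name, which makes the log harder to match against the file system.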

--- End Message ---
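To make the escaping in the patch concrete, here is an added example (my code, not the bug reporter's patch and not part of lsyncd). It is written in Python rather than Lua so that it can be run against a real POSIX `sh`: `escape_as_patched` repeats the patch's three substitutions, `escape_dquote` also escapes the backslash, and `shell_roundtrip` splices the result into a double-quoted word the same way the patch splices it into the ssh command line, returning the single argument the shell would hand to `mv`. All function names and sample file names are constructed for this example.

```python
"""Escaping file names for a double-quoted remote shell argument.

Added example, not code from the bug report or from lsyncd. It mirrors the
three gsub() substitutions of the patch above, adds a variant that also
escapes the backslash, and feeds both through a real POSIX sh to show what
the remote mv would actually receive.
"""
import re
import subprocess
from typing import Optional


def escape_as_patched(path: str) -> str:
    """The patch's three substitutions: prefix each double quote, backtick
    and dollar sign with a backslash. The backslash itself is left alone."""
    return path.replace('"', '\\"').replace('`', '\\`').replace('$', '\\$')


def escape_dquote(path: str) -> str:
    """Escape every character that is special inside POSIX double quotes
    (backslash, double quote, backtick, dollar) in a single pass, so a
    backslash that was just added is never escaped a second time."""
    return re.sub(r'([\\"`$])', r'\\\1', path)


def shell_roundtrip(escaped: str) -> Optional[str]:
    """Embed the escaped name in a double-quoted word, the way the patch
    splices it into the ssh command line, and return the one argument the
    shell passes on. None means the shell rejected the command line (for
    example an unterminated quote), so the remote mv would never run."""
    cmd = 'printf %s "' + escaped + '"'
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True,
                          env={"PATH": "/usr/bin:/bin"})  # minimal env, no stray variables
    return proc.stdout if proc.returncode == 0 else None


# Constructed sample names: the first three are handled by the patch's
# escaping, the last two show where the missing backslash escape goes wrong.
SAMPLES = [
    'my "quoted" file',
    'price $100 & co',
    'name `date` here',
    'trailing\\',       # name ends in a backslash
    'a\\$b',            # backslash directly in front of a dollar sign
]


def compare(path: str) -> tuple:
    """(argument mv receives with the patch's escaping, with full escaping)."""
    return shell_roundtrip(escape_as_patched(path)), shell_roundtrip(escape_dquote(path))


if __name__ == "__main__":
    for name in SAMPLES:
        patched, full = compare(name)
        print(f"{name!r:22} patch -> {patched!r:22} full -> {full!r}")
```

Run it and the first three names come back unchanged under both variants, while `trailing\` makes the patched form fail outright (the shell sees an unterminated string) and `a\$b` silently becomes `a\` because the remote shell still expands `$b`; the single-pass `escape_dquote` returns both names intact.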
--- Begin Message ---
Source: lsyncd
Source-Version: 2.1.5-2

We believe that the bug you reported is fixed in the latest version of
lsyncd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Dittberner <[email protected]> (supplier of updated lsyncd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Dec 2014 11:36:43 +0100
Source: lsyncd
Binary: lsyncd
Architecture: source amd64
Version: 2.1.5-2
Distribution: unstable
Urgency: high
Maintainer: Jan Dittberner <[email protected]>
Changed-By: Jan Dittberner <[email protected]>
Description:
 lsyncd     - daemon to synchronize local directories using rsync
Closes: 767227
Changes:
 lsyncd (2.1.5-2) unstable; urgency=high
 .
   * fix security issue CVE-2014-8990 that allows code execution via shell
     characters in file names and denial of service scenarios by applying
     debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227)
Checksums-Sha1:
 dae3ac0e5f0015a061111766603fddc44d53a330 1608 lsyncd_2.1.5-2.dsc
 a5e2176e3f1c40849933c92a637d8aed5553a372 5492 lsyncd_2.1.5-2.debian.tar.xz
 8487b5289e02c95772c1c4df8abfa16e38ad6769 61858 lsyncd_2.1.5-2_amd64.deb
Checksums-Sha256:
 345755eaf9f94015371d2eac75a587e85c9d5b813362c2bc5bbf25f4e99a2bce 1608 lsyncd_2.1.5-2.dsc
 33de0865276248db19734029a33ebf4e8085ace860c7324e5f76347b5d5ae64a 5492 lsyncd_2.1.5-2.debian.tar.xz
 907a2aeb3e8fefc020cdac095b353e415f42126dcc59a3a14c116c19b4bd95a9 61858 lsyncd_2.1.5-2_amd64.deb
Files:
 787c7abea6eaf7f6142634c75b6eeea1 1608 admin optional lsyncd_2.1.5-2.dsc
 9805dd5c92ba7a19584cb6ce4cc721ef 5492 admin optional lsyncd_2.1.5-2.debian.tar.xz
 cac114703e3a0bcee4d6a349b383e797 61858 admin optional lsyncd_2.1.5-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUoTGYAAoJEA15HcjXN8HZwpAIALAxJXXT5PmExHvWEDC3FRku
+gU1w1pl32h3WZweQHqIrGAthcIrHXafgcVpAclJE4bzkCZlwSMZt/rpmxICLqFG
dHkjlabxYXvz5m/QHqomfufF5Aonw2PPlsbsChe+UnJfK2wo8al4BgDHqfalk1sO
6of12WFgjh69zbTItMOmnLZbR0tUX57oGT3WKKlJgSR8Zn++PwHlMzFRF8qDchIp
TOKp3BcI073HFNhzBhvEJeGOsT1+oWAj4ufrH2F0lRXwRj6N59t3tsELZyhUBXGo
cpxOxfTw5DOSnA1Yna8/BO83wUhLP8QFj8TYQdtIAljVV3vL3YKc2v+z8d07GC4=
=RG8N
-----END PGP SIGNATURE-----

--- End Message ---
