Your message dated Sat, 17 Jan 2015 11:47:05 +0000
with message-id <[email protected]>
and subject line Bug#767227: fixed in lsyncd 2.0.7-3+deb7u1
has caused the Debian Bug report #767227,
regarding lsyncd: CVE-2014-8990: Crash and/or code execution on `, $, " in file names
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
767227: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lsyncd
Version: 2.0.7-3
Severity: important
Tags: security patch

cf. upstream bug report and fix at
 https://github.com/axkibe/lsyncd/issues/220

This is the same patch backported to the lsyncd version in stable.

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lsyncd depends on:
ii  libc6        2.13-38+deb7u4
ii  liblua5.1-0  5.1.5-4+deb7u1
ii  lua5.1       5.1.5-4+deb7u1
ii  rsync        3.0.9-4

lsyncd recommends no packages.

lsyncd suggests no packages.

-- no debconf information
Sanitize mv arguments:

1. Fixes crashes on file names containing `, $ or "
2. Also prevents shell execution of ``, $() … in file names, which can be
   used to gain remote shell access as lsyncd's (target) user.
Index: lsyncd-2.0.7/default-rsyncssh.lua
===================================================================
--- lsyncd-2.0.7.orig/default-rsyncssh.lua	2012-02-16 08:24:20.000000000 +0100
+++ lsyncd-2.0.7/default-rsyncssh.lua	2014-10-29 13:59:51.165553255 +0100
@@ -29,14 +29,17 @@
 		-- makes move local on host
 		-- if fails deletes the source...
 		if event.etype == 'Move' then
-			log('Normal', 'Moving ',event.path,' -> ',event2.path)
+			local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+			local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+			log('Normal', 'Moving ',path1,' -> ',path2)
+
 			spawn(event, '/usr/bin/ssh',
 				config.host,
 				'mv',
-				'\"' .. config.targetdir .. event.path .. '\"',
-				'\"' .. config.targetdir .. event2.path .. '\"',
+				'\"' .. config.targetdir .. path1 .. '\"',
+				'\"' .. config.targetdir .. path2 .. '\"',
 				'||', 'rm', '-rf',
-				'\"' .. config.targetdir .. event.path .. '\"')
+				'\"' .. config.targetdir .. path1 .. '\"')
 			return
 		end
 
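Review bot: the escaping added for path1 and path2 is incomplete for a word that the remote shell parses inside double quotes, because backslash is also special there; a path that already contains `\` is therefore quoted inconsistently (a backslash that precedes a `$` or `"` in the original name changes the meaning of the escape this hunk adds). Escape the backslash first, with `gsub('\\', '\\\\')` ahead of the three existing substitutions, or hand the paths to the remote side in a form that does not pass through shell quoting at all. A smaller point: the rewritten log line now records the escaped paths rather than `event.path` and `event2.path`, which makes matching log entries against real file names harder; log the originals and use path1/path2 only for the spawned command.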

--- End Message ---
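An added example, not lsyncd code and not part of the Debian patch: the same double-quote escaping written as a reusable function that also covers the backslash (escaped first, so an existing backslash cannot interact with an escape added later), plus the helper that builds the quoted `mv` argument, checked against a few constructed paths. `escapeForDoubleQuotes`, `mvArgument` and the sample paths are assumptions made for this example.

```lua
-- Added example; not from lsyncd or the Debian patch.
-- Inside POSIX double quotes the characters \ " ` and $ keep a special
-- meaning, so all four must be escaped before a path is placed between
-- quotes on the ssh command line that the remote shell will parse.
local function escapeForDoubleQuotes(path)
    -- Lua patterns use '%' as their escape, so a lone '\\' (one
    -- backslash) in a pattern is literal; in the replacement string
    -- only '%' is special, so '\\\\' yields two backslashes.
    local s = path:gsub('\\', '\\\\')   -- backslash first
    s = s:gsub('"', '\\"')              -- closing-quote injection
    s = s:gsub('`', '\\`')              -- backtick command substitution
    s = s:gsub('%$', '\\$')             -- $VAR and $(...) expansion
    return s
end

-- Builds the argument the patch passes to 'mv' on the remote host:
-- a double-quoted targetdir .. path with the path escaped.
local function mvArgument(targetdir, path)
    return '"' .. targetdir .. escapeForDoubleQuotes(path) .. '"'
end

-- Constructed sample paths; each assert documents the expected result.
assert(escapeForDoubleQuotes('plain.txt') == 'plain.txt')
assert(escapeForDoubleQuotes('a"b') == 'a\\"b')
assert(escapeForDoubleQuotes('$(x)') == '\\$(x)')
assert(escapeForDoubleQuotes('`x`') == '\\`x\\`')
-- A backslash already in the name is doubled before the '$' is escaped.
assert(escapeForDoubleQuotes('a\\$b') == 'a\\\\\\$b')
assert(mvArgument('/srv/target/', 'x"y') == '"/srv/target/x\\"y"')
```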
--- Begin Message ---
Source: lsyncd
Source-Version: 2.0.7-3+deb7u1

We believe that the bug you reported is fixed in the latest version of
lsyncd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Dittberner <[email protected]> (supplier of updated lsyncd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Dec 2014 11:29:15 +0100
Source: lsyncd
Binary: lsyncd
Architecture: source amd64
Version: 2.0.7-3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Jan Dittberner <[email protected]>
Changed-By: Jan Dittberner <[email protected]>
Description: 
 lsyncd     - daemon to synchronize local directories using rsync
Closes: 767227
Changes: 
 lsyncd (2.0.7-3+deb7u1) wheezy-security; urgency=high
 .
   * fix security issue CVE-2014-8990 that allows code execution via shell
     characters in file names and denial of service scenarios by applying
     debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227)


--- End Message ---
