Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, in coordination with the security team I'd like to update koji in stretch to fix two CVEs: koji (1.10.0-1+deb9u1) stretch; urgency=medium * Team upload. * Add patch based on upstream commit bdec8c7399 to fix CVE-2018-1002161, an SQL injection issue in multiple remote calls. Closes: #922922. * Add patch based on upstream commit ba7b5a3cbe to fix CVE-2017-1002153, to properly validate SCM paths. Closes: #877921. -- Holger Levsen <hol...@debian.org> Sat, 31 Aug 2019 20:31:37 +0200 The debdiff is attached and looks like this: $ debdiff koji_1.10.0-1.dsc koji_1.10.0-1+deb9u1.dsc|diffstat changelog | 10 +++++ patches/0004-CVE-2017-1002153.patch | 61 ++++++++++++++++++++++++++++++++++ patches/0005-CVE-2018-1002161.patch | 64 ++++++++++++++++++++++++++++++++++++ patches/series | 2 + 4 files changed, 137 insertions(+) -- cheers, Holger ------------------------------------------------------------------------------- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
diff -Nru koji-1.10.0/debian/changelog koji-1.10.0/debian/changelog
--- koji-1.10.0/debian/changelog 2015-12-04 11:20:58.000000000 +0100
+++ koji-1.10.0/debian/changelog 2019-08-31 20:31:37.000000000 +0200
@@ -1,3 +1,13 @@
+koji (1.10.0-1+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Add patch based on upstream commit bdec8c7399 to fix CVE-2018-1002161, an
+    SQL injection issue in multiple remote calls. Closes: #922922.
+  * Add patch based on upstream commit ba7b5a3cbe to fix CVE-2017-1002153, to
+    properly validate SCM pathes. Closes: #877921.
+
+ -- Holger Levsen <hol...@debian.org> Sat, 31 Aug 2019 20:31:37 +0200
+
 koji (1.10.0-1) unstable; urgency=medium
 
 [ Marek Marczykowski-Górecki ]
diff -Nru koji-1.10.0/debian/patches/0004-CVE-2017-1002153.patch koji-1.10.0/debian/patches/0004-CVE-2017-1002153.patch
--- koji-1.10.0/debian/patches/0004-CVE-2017-1002153.patch 1970-01-01 01:00:00.000000000 +0100
+++ koji-1.10.0/debian/patches/0004-CVE-2017-1002153.patch 2019-08-31 19:59:44.000000000 +0200
@@ -0,0 +1,61 @@
+From ba7b5a3cbed11ade11c3af5e834c9a6de4f6d7c3 Mon Sep 17 00:00:00 2001
+From: Mike McLean <mi...@redhat.com>
+Date: Sep 19 2017 21:23:50 +0000
+Subject: PR#591: Normalize paths for scms
+
+
+Merges #591
+https://pagure.io/koji/pull-request/591
+
+Fixes #563
+https://pagure.io/koji/issue/563
+
+Fixes CVE-2017-1002153
+
+---
+
+Index: koji/koji/daemon.py
+===================================================================
+--- koji.orig/koji/daemon.py
++++ koji/koji/daemon.py
+@@ -257,22 +257,31 @@ class SCM(object):
+             netloc = userhost[1]
+         elif len(userhost) > 2:
+             raise koji.GenericError, 'Invalid username@hostname specified: %s' % netloc
++        if not netloc:
++            raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the netloc element.' % self.url
+ 
+-        # ensure that path and query do not end in /
+-        if path.endswith('/'):
+-            path = path[:-1]
+-        if query.endswith('/'):
+-            query = query[:-1]
++        # check for empty path before we apply normpath
++        if not path:
++            raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the path element.' % self.url
++
++        path = os.path.normpath(path)
++
++        # path and query should not end with /
++        path = path.rstrip('/')
++        query = query.rstrip('/')
++        # normpath might not strip // at start of path
++        if path.startswith('//'):
++            path = '/' + path.strip('/')
++        # path should start with /
++        if not path.startswith('/'):  # pragma: no cover
++            # any such url should have already been caught by is_scm_url
++            raise koji.GenericError, 'Invalid SCM URL. Path should begin with /: %s) '
+ 
+         # check for validity: params should be empty, query may be empty, everything else should be populated
+         if params :
+             raise koji.GenericError, 'Unable to parse SCM URL: %s . Params element %s should be empty.' % (self.url, params)
+         if not scheme :
+             raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the scheme element.' % self.url
+-        if not netloc :
+-            raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the netloc element.' % self.url
+-        if not path :
+-            raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the path element.' % self.url
+         if not fragment :
+             raise koji.GenericError, 'Unable to parse SCM URL: %s . Could not find the fragment element.' % self.url
+ 
diff -Nru koji-1.10.0/debian/patches/0005-CVE-2018-1002161.patch koji-1.10.0/debian/patches/0005-CVE-2018-1002161.patch
--- koji-1.10.0/debian/patches/0005-CVE-2018-1002161.patch 1970-01-01 01:00:00.000000000 +0100
+++ koji-1.10.0/debian/patches/0005-CVE-2018-1002161.patch 2019-08-31 20:19:44.000000000 +0200
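Review bot: The new `# pragma: no cover` branch raises `'Invalid SCM URL. Path should begin with /: %s) '` with no `% self.url` applied, so if it ever fires the message carries a literal `%s)` and an unbalanced parenthesis instead of the offending URL; `raise koji.GenericError, 'Invalid SCM URL. Path should begin with /: %s' % self.url` fixes both, and because the branch is excluded from coverage no test will flag it. Note also that `os.path.normpath` runs on the raw `urlparse` path, so a percent-encoded traversal such as `%2e%2e` is not collapsed here; whether that matters depends on whether a later SCM command decodes the path, which is outside this hunk and worth confirming. The enclosing `SCM` method starts and ends outside the hunk.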
@@ -0,0 +1,64 @@
+From bdec8c7399802c0bc0713f36c4aac02b3a79486a Mon Sep 17 00:00:00 2001
+From: Mike McLean <mi...@redhat.com>
+Date: Feb 21 2019 14:39:54 +0000
+Subject: PR#1274: cve-2018-1002161
+
+
+Merges #1274
+https://pagure.io/koji/pull-request/1274
+
+Fixes: #1183
+https://pagure.io/koji/issue/1183
+fix query parameter processing in multiple calls
+
+---
+
+Index: koji/hub/kojihub.py
+===================================================================
+--- koji.orig/hub/kojihub.py
++++ koji/hub/kojihub.py
+@@ -3709,8 +3709,10 @@ def list_archives(buildID=None, buildroo
+                     val = typeInfo[key]
+                     if not isinstance(val, (list, tuple)):
+                         val = [val]
+-                    for v in val:
+-                        clauses.append(r"""%s ~ E'\\m%s\\M'""" % (key, v))
++                    for i, v in enumerate(val):
++                        pkey = '%s_pattern_%i' % (key, i)
++                        values[pkey] = r'\m%s\M' % v
++                        clauses.append('%s ~ %%(%s)s' % (key, pkey))
+     elif type == 'image':
+         joins.append('image_archives ON archiveinfo.id = image_archives.archive_id')
+         fields.append(['image_archives.arch', 'arch'])
+@@ -4907,13 +4909,15 @@ def get_archive_type(filename=None, type
+         raise koji.GenericError, 'one of filename, type_name, or type_id must be specified'
+ 
+     parts = filename.split('.')
+-
++    query = QueryProcessor(
++        tables=['archivetypes'],
++        columns=['id', 'name', 'description', 'extensions'],
++        clauses=['extensions ~* %(pattern)s'],
++    )
+     for start in range(len(parts)-1, -1, -1):
+         ext = '.'.join(parts[start:])
+-
+-        select = r"""SELECT id, name, description, extensions FROM archivetypes
+-WHERE extensions ~ E'\\m%s\\M'""" % ext
+-        results = _multiRow(select, locals(), ('id', 'name', 'description', 'extensions'))
++        query.values['pattern'] = r'(\s|^)%s(\s|$)' % ext
++        results = query.execute()
+ 
+         if len(results) == 1:
+             return results[0]
+@@ -9164,8 +9168,8 @@ class RootExports(object):
+         # matching 'ppc64'
+         if not (isinstance(arches, list) or isinstance(arches, tuple)):
+             arches = [arches]
+-        archClause = [r"""arches ~ E'\\m%s\\M'""" % arch for arch in arches]
+-        clauses.append('(' + ' OR '.join(archClause) + ')')
++        archPattern = r'\m(%s)\M' % '|'.join(arches)
++        clauses.append('arches ~ %(archPattern)s')
+         if channelID != None:
+             joins.append('host_channels on host.id = host_channels.host_id')
+             clauses.append('host_channels.channel_id = %(channelID)i')
diff -Nru koji-1.10.0/debian/patches/series koji-1.10.0/debian/patches/series
--- koji-1.10.0/debian/patches/series 2015-12-03 16:16:35.000000000 +0100
+++ koji-1.10.0/debian/patches/series 2019-08-31 20:31:05.000000000 +0200
@@ -1,3 +1,5 @@
 0001-Fail-the-build-when-pkg-config-is-missing.patch
 0002-Move-files-from-usr-libexec-to-usr-lib-koji-libexec.patch
 0003-Make-kojikamid-executable.patch
+0004-CVE-2017-1002153.patch
+0005-CVE-2018-1002161.patch
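Review bot: Passing the pattern as a bound parameter closes the SQL injection, but in all three hunks the caller-supplied value is still interpolated into a regular expression: `values[pkey] = r'\m%s\M' % v`, `r'(\s|^)%s(\s|$)' % ext` and `r'\m(%s)\M' % '|'.join(arches)`. A value such as `.*` turns `\m.*\M` into a match for every row, and an unbalanced `(` or `)` in `arches` makes PostgreSQL reject the whole query with a regex syntax error instead of returning no rows. Escape the value before formatting (`re.escape(v)` only backslashes non-alphanumerics, which PostgreSQL's ARE syntax also reads as literals) or reject anything outside `^[\w.+-]+$` with `koji.GenericError` before the pattern is built. The `get_archive_type` hunk also assumes `QueryProcessor` initialises `values` to a dict when none is passed, since `query.values['pattern'] = ...` would otherwise raise; as this is a backport to 1.10.0 it is worth confirming that constructor does so. All three enclosing functions start and end outside the hunk.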