Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu


The attached debdiff for btrbk fixes a regression of CVE-2021-38173 in Buster.

The regression was reported in #996260 [1] and a pointer to the fix was provided. There was at least one report about a now working version +deb10u2.

  Thorsten

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996260
diff -Nru btrbk-0.27.1/debian/changelog btrbk-0.27.1/debian/changelog
--- btrbk-0.27.1/debian/changelog       2021-08-29 19:03:02.000000000 +0200
+++ btrbk-0.27.1/debian/changelog       2021-11-23 16:03:02.000000000 +0100
@@ -1,3 +1,11 @@
+btrbk (0.27.1-1+deb10u2) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * regression fix for CVE-2021-38173
+    (Closes: #996260, #996266)
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Tue, 23 Nov 2021 16:03:02 +0100
+
 btrbk (0.27.1-1+deb10u1) buster; urgency=high
 
   * Non-maintainer upload by the LTS Team.
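Review bot: the changelog entry closes two bugs (#996260, #996266) while the cover mail only references #996260; if #996266 is a duplicate report of the same regression, say so in the entry, and consider one more line describing what the regression was ("--restrict-path rejected the btrfs subvolume show/list queries btrbk issues on the mount point") so the deb10u2 entry is understandable on its own via apt-listchanges.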
diff -Nru btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch 
btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch
--- btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch 1970-01-01 
01:00:00.000000000 +0100
+++ btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch 2021-11-23 
15:52:28.000000000 +0100
@@ -0,0 +1,51 @@
+commit c03e960d9044961fcfbeaa5d5aeb5bcc1bc0cc7a
+Author: Axel Burri <a...@tty0.ch>
+Date:   Tue Nov 19 22:07:37 2019 +0100
+
+    ssh_filter_btrbk.sh: exclude "btrfs subvolume show|list" from restrict-path
+    
+    btrbk requires "btrfs subvolume list|show" queries from the mount
+    point in order to build btrfs trees. This conflicts with tightly set
+    --restrict-path.
+
+Index: btrbk-0.27.1/doc/ssh_filter_btrbk.1.asciidoc
+===================================================================
+--- btrbk-0.27.1.orig/doc/ssh_filter_btrbk.1.asciidoc  2021-11-23 
15:52:22.921452288 +0100
++++ btrbk-0.27.1/doc/ssh_filter_btrbk.1.asciidoc       2021-11-23 
15:52:22.917452292 +0100
+@@ -34,8 +34,8 @@
+ 
+ The following commands are always allowed:
+ 
+- - "btrfs subvolume show"
+- - "btrfs subvolume list"
++ - "btrfs subvolume show" (not affected by "--restrict-path")
++ - "btrfs subvolume list" (not affected by "--restrict-path")
+  - "readlink"
+  - "cat /proc/self/mountinfo"
+  - pipes through "gzip", "pigz", "bzip2", "pbzip2", "xz", "lzop",
+@@ -79,7 +79,8 @@
+     Allow btrfs receive command: "btrfs receive".
+ 
+ -p, --restrict-path <path>::
+-    Restrict btrfs commands to <path>.
++    Restrict commands to <path>. Note that "btrfs subvolume show",
++    "btrfs subvolume list" are NOT affected by this option.
+ 
+ -l, --log::
+     Log ACCEPT and REJECT messages to the system log.
+Index: btrbk-0.27.1/ssh_filter_btrbk.sh
+===================================================================
+--- btrbk-0.27.1.orig/ssh_filter_btrbk.sh      2021-11-23 15:52:22.921452288 
+0100
++++ btrbk-0.27.1/ssh_filter_btrbk.sh   2021-11-23 15:52:22.921452288 +0100
+@@ -161,8 +161,9 @@
+     shift
+ done
+ 
+-allow_cmd "${sudo_prefix}btrfs subvolume show"; # subvolume queries are 
always allowed
+-allow_exact_cmd "${sudo_prefix}btrfs subvolume list ${file_match}"; # 
subvolume queries are always allowed
++# NOTE: subvolume queries no NOT affected by "--restrict-path":
++# btrbk also calls show/list on the mount point of the subvolume
++allow_exact_cmd "${sudo_prefix}btrfs subvolume (show|list)( ${option_match})* 
${file_match}";
+ allow_cmd "${sudo_prefix}readlink"              # used to resolve mountpoints
+ allow_exact_cmd "cat /proc/self/mountinfo"      # used to resolve mountpoints
+ allow_exact_cmd "cat /proc/self/mounts"         # legacy, for btrbk < 0.27.0
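Review bot: the replacement line still anchors the path argument on `${file_match}`, the same variable the removed `list` line used, yet the new comment and both doc hunks state that `show`/`list` are NOT affected by `--restrict-path`; confirm that in the buster 0.27.1 script `${file_match}` is the unrestricted path pattern and not one narrowed by `-p`, otherwise the queries on the mount point will still be rejected and the regression is not fixed. Also confirm `${option_match}` is defined in this version of the script (only `${file_match}` appears in the removed lines): with an unset variable the pattern degrades to `( )*`, which silently changes what the filter accepts. Minor: the comment reads "no NOT affected"; it should be "are NOT affected".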
diff -Nru btrbk-0.27.1/debian/patches/series btrbk-0.27.1/debian/patches/series
--- btrbk-0.27.1/debian/patches/series  2021-08-29 19:03:02.000000000 +0200
+++ btrbk-0.27.1/debian/patches/series  2021-11-23 15:52:21.000000000 +0100
@@ -1 +1,2 @@
 CVE-2021-38173.patch
+CVE-2021-38173-regression.patch
