Hello community, here is the log from the commit of package cobbler for openSUSE:Factory checked in at 2018-04-27 16:08:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cobbler (Old) and /work/SRC/openSUSE:Factory/.cobbler.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cobbler" Fri Apr 27 16:08:49 2018 rev:43 rq:601552 version:2.8.2 Changes: -------- --- /work/SRC/openSUSE:Factory/cobbler/cobbler.changes 2018-03-11 15:24:53.831977446 +0100 +++ /work/SRC/openSUSE:Factory/.cobbler.new/cobbler.changes 2018-04-27 16:09:01.538943645 +0200 @@ -1,0 +2,9 @@ +Thu Apr 26 12:09:52 UTC 2018 - pablo.suarezhernan...@suse.com + +- Escape shell parameters provided by the user for the + reposync action (CVE-2017-1000469) (bsc#1074594) + +- Added: + * escape-shell-parameters-provided-by-user-on-reposync.patch + +------------------------------------------------------------------- New: ---- escape-shell-parameters-provided-by-user-on-reposync.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cobbler.spec ++++++ --- /var/tmp/diff_new_pack.dVAOJW/_old 2018-04-27 16:09:02.754899048 +0200 +++ /var/tmp/diff_new_pack.dVAOJW/_new 2018-04-27 16:09:02.754899048 +0200 @@ -71,6 +71,8 @@ # PATCH-FIX-UPSTREAM https://github.com/cobbler/cobbler/pull/1811 (not merged yet) Patch17: fix-script-endpoint-security-bug-1030582.patch Patch18: fix-manpage-creation.patch +# PATCH-FIX-UPSTREAM https://github.com/cobbler/cobbler/pull/1889 (not merged yet) +Patch19: escape-shell-parameters-provided-by-user-on-reposync.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -185,6 +187,7 @@ %patch16 -p1 %patch17 -p1 %patch18 -p1 +%patch19 -p1 %build %{__python2} setup.py build ++++++ escape-shell-parameters-provided-by-user-on-reposync.patch ++++++ >From c4d0573eaf3dc9c8a9e3cb3d29829494af4f7543 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?= <psuarezhernan...@suse.com> Date: Thu, 26 Apr 2018 12:37:43 +0100 Subject: [PATCH] Escape shell parameters provided by user on reposync action (CVE-2017-1000469) --- cobbler/action_reposync.py | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
diff --git a/cobbler/action_reposync.py b/cobbler/action_reposync.py index cfdc41ad..2701d625 100644 --- a/cobbler/action_reposync.py +++ b/cobbler/action_reposync.py @@ -23,6 +23,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA import os import os.path +import pipes import urlgrabber HAS_YUM = True @@ -203,7 +204,7 @@ class RepoSync: flags = blended.get("createrepo_flags","(ERROR: FLAGS)") try: # BOOKMARK - cmd = "createrepo %s %s %s" % (" ".join(mdoptions), flags, dirname) + cmd = "createrepo %s %s %s" % (" ".join(mdoptions), flags, pipes.quote(dirname)) utils.subprocess_call(self.logger, cmd) except: utils.log_exc(self.logger) @@ -227,7 +228,7 @@ class RepoSync: dest_path = os.path.join(self.settings.webdir + "/repo_mirror", repo.name) # FIXME: wrapper for subprocess that logs to logger - cmd = "wget -N -np -r -l inf -nd -P %s %s" % (dest_path, repo_mirror) + cmd = "wget -N -np -r -l inf -nd -P %s %s" % (pipes.quote(dest_path), pipes.quote(repo_mirror)) rc = utils.subprocess_call(self.logger, cmd) if rc != 0: @@ -259,7 +260,7 @@ class RepoSync: repo.mirror = "%s/" % repo.mirror # FIXME: wrapper for subprocess that logs to logger - cmd = "rsync -rltDv --copy-unsafe-links --delete-after %s --delete --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, repo.mirror, dest_path) + cmd = "rsync -rltDv --copy-unsafe-links --delete-after %s --delete --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, pipes.quote(repo.mirror), pipes.quote(dest_path)) rc = utils.subprocess_call(self.logger, cmd) if rc !=0: 
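Review bot: `import pipes` ties the fix to a Python 2-era module; the spec still builds with `%{__python2}`, so it works today, but on Python 3 the same helper lives at `shlex.quote` and the `pipes` module was removed in 3.13. A two-way import keeps the patch portable when the package moves: `try: from shlex import quote` / `except ImportError: from pipes import quote`, with the call sites using `quote(...)`. This is a style point only; the quoting itself is the right call for a command that is still passed to a shell via `utils.subprocess_call`.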
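Review bot: In the createrepo hunk only `dirname` is quoted, while `flags` (read from `blended.get("createrepo_flags", ...)` two lines above) and `" ".join(mdoptions)` are still interpolated raw into the same shell string. If `createrepo_flags` can be set per repo by the same users this CVE concerns (it comes from the blended repo data, whose origin is outside the hunk), the injection is moved rather than closed. Quoting per token keeps legitimate multi-flag values working: `" ".join(pipes.quote(o) for o in mdoptions)` and `" ".join(pipes.quote(f) for f in flags.split())`. The enclosing method starts before this hunk.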
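Review bot: `pipes.quote(repo.mirror)` in the rsync hunk stops shell metacharacters but not option injection: a mirror value starting with `-` (for example `--rsh=...`, which makes rsync run an arbitrary command) is still delivered to rsync as one argument and parsed as an option, and the `"%s/" % repo.mirror` line above only appends a slash. Unless the mirror is validated to start with `rsync://` or `/` before this point (any such check is outside the hunk), put an end-of-options marker before the two paths: `--exclude-from=/etc/cobbler/rsync.exclude -- %s %s" % (spacer, pipes.quote(repo.mirror), pipes.quote(dest_path))`. The same consideration applies to the wget hunk above, where `repo_mirror` is also the trailing positional argument. `spacer` is assembled outside the hunk and remains unquoted.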
@@ -325,7 +326,7 @@ class RepoSync: if has_rpm_list: self.logger.warning("warning: --rpm-list is not supported for RHN content") rest = repo.mirror[6:] # everything after rhn:// - cmd = "%s %s --repo=%s --download_path=%s" % (cmd, self.rflags, rest, self.settings.webdir + "/repo_mirror") + cmd = "%s %s --repo=%s --download_path=%s" % (cmd, self.rflags, pipes.quote(rest), pipes.quote(self.settings.webdir + "/repo_mirror")) if repo.name != rest: args = { "name" : repo.name, "rest" : rest } utils.die(self.logger,"ERROR: repository %(name)s needs to be renamed %(rest)s as the name of the cobbler repository must match the name of the RHN channel" % args) @@ -392,7 +393,7 @@ class RepoSync: if not has_rpm_list: # if we have not requested only certain RPMs, use reposync - cmd = "%s %s --config=%s --repoid=%s --download_path=%s" % (cmd, self.rflags, temp_file, repo.name, self.settings.webdir + "/repo_mirror") + cmd = "%s %s --config=%s --repoid=%s --download_path=%s" % (cmd, self.rflags, temp_file, pipes.quote(repo.name), pipes.quote(self.settings.webdir + "/repo_mirror")) if repo.arch != "": if repo.arch == "x86": repo.arch = "i386" # FIX potential arch errors @@ -420,7 +421,7 @@ class RepoSync: cmd = "/usr/bin/dnf download" else: cmd = "/usr/bin/yumdownloader" - cmd = "%s %s %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" % (cmd, extra_flags, use_source, repo.name, temp_file, dest_path, " ".join(repo.rpm_list)) + cmd = "%s %s %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" % (cmd, extra_flags, use_source, pipes.quote(repo.name), temp_file, pipes.quote(dest_path), " ".join(repo.rpm_list)) # now regardless of whether we're doing yumdownloader or reposync # or whether the repo was http://, ftp://, or rhn://, execute all queued 
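Review bot: In the reposync hunk `repo.name` is now quoted but `self.rflags`, interpolated right before it, is still raw; if rflags can be influenced by a non-admin caller (its source is not visible here) it needs the same treatment, e.g. `" ".join(pipes.quote(f) for f in self.rflags.split())`. The arch handling that follows normalizes `x86` to `i386` and then, past the end of the hunk, presumably appends `repo.arch` to `cmd`; confirm that append is quoted as well. The enclosing method starts before this hunk.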
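Review bot: `" ".join(repo.rpm_list)` at the end of the yumdownloader/dnf command line is still unquoted, so a package name in a repo's rpm list reaches `utils.subprocess_call` with shell metacharacters intact, exactly as `repo.name` could before this patch. Quote each entry: `" ".join(pipes.quote(r) for r in repo.rpm_list)`. `extra_flags` and `use_source` on the same line are also raw; `use_source` looks like a fixed switch, but `extra_flags` is built outside the hunk and should be checked. The enclosing method starts before this hunk.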
@@ -510,7 +511,7 @@ class RepoSync: dists = ",".join(repo.apt_dists) components = ",".join(repo.apt_components) - mirror_data = "--method=%s --host=%s --root=%s --dist=%s --section=%s" % (method,host,mirror,dists,components) + mirror_data = "--method=%s --host=%s --root=%s --dist=%s --section=%s" % (pipes.quote(method), pipes.quote(host), pipes.quote(mirror), pipes.quote(dists), pipes.quote(components)) rflags = "--nocleanup" for x in repo.yumopts: @@ -519,6 +520,7 @@ class RepoSync: else: rflags += " %s" % x cmd = "%s %s %s %s" % (mirror_program, rflags, mirror_data, dest_path) + cmd = "%s %s %s %s" % (mirror_program, rflags, mirror_data, pipes.quote(dest_path)) if repo.arch == "src": cmd = "%s --source" % cmd else: -- 2.15.1
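Review bot: The original `cmd = "%s %s %s %s" % (mirror_program, rflags, mirror_data, dest_path)` is kept as context and immediately re-assigned by the added quoted line, so the unquoted assignment is now dead code; it should be marked `-` rather than shadowed (the diffstat's 9 insertions against 7 deletions is this unpaired insertion). In the same hunk, `rflags += " %s" % x` still appends each `repo.yumopts` entry raw after `--nocleanup`; use `rflags += " %s" % pipes.quote(x)`. Whether yumopts entries are user-supplied is not visible here, but they are read from the repo object like the other values this patch quotes, and the `if` branch of that loop lies between the two hunks.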