Bug#913801: stretch-pu: package mistral/3.0.0-4 CVE-2018-16849: std.ssh action may disclose presence of arbitrary files

2018-12-03 Thread Thomas Goirand
On 12/3/18 8:17 AM, Julien Cristau wrote:
> Control: tag -1 confirmed
> 
> On Thu, Nov 15, 2018 at 02:07:01PM +0100, Thomas Goirand wrote:
>> diff --git a/debian/changelog b/debian/changelog
>> index b2ce8602..06234034 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,11 @@
>> +mistral (3.0.0-4+deb9u1) stretch-security; urgency=medium
> 
> Remove the -security bit.

Sure! This was made for the security team, and they asked to move to an
s-p-u instead (i.e. no DSA).

>> +
>> +  * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
>> +applied upstream patch: remove extra information from std.ssh action.
>> +(Closes: #912714).
>> +
>> + -- Thomas Goirand   Mon, 05 Nov 2018 14:38:44 +0100
>> +
>>  mistral (3.0.0-4) unstable; urgency=medium
>>  
>>* Add allow-sqla-1.1.patch to allow SQLA transition.
> 
> Other than that, looks ok to upload.

Uploaded. If it gets rejected because of a --force-orig-source, I'll
re-do it (I'm always confused about when to do it, though never mind if it
gets automatically rejected, it's easy to fix...).

Cheers,

Thomas Goirand (zigo)



Processed: Re: Bug#913801: stretch-pu: package mistral/3.0.0-4 CVE-2018-16849: std.ssh action may disclose presence of arbitrary files

2018-12-02 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #913801 [release.debian.org] stretch-pu: package mistral/3.0.0-4 CVE-2018-16849: std.ssh action may disclose presence of arbitrary files
Added tag(s) confirmed.

-- 
913801: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#913801: stretch-pu: package mistral/3.0.0-4 CVE-2018-16849: std.ssh action may disclose presence of arbitrary files

2018-12-02 Thread Julien Cristau
Control: tag -1 confirmed

On Thu, Nov 15, 2018 at 02:07:01PM +0100, Thomas Goirand wrote:
> diff --git a/debian/changelog b/debian/changelog
> index b2ce8602..06234034 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,11 @@
> +mistral (3.0.0-4+deb9u1) stretch-security; urgency=medium

Remove the -security bit.

> +
> +  * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
> +applied upstream patch: remove extra information from std.ssh action.
> +(Closes: #912714).
> +
> + -- Thomas Goirand   Mon, 05 Nov 2018 14:38:44 +0100
> +
>  mistral (3.0.0-4) unstable; urgency=medium
>  
>* Add allow-sqla-1.1.patch to allow SQLA transition.

Other than that, looks ok to upload.

Cheers,
Julien



Bug#913801: stretch-pu: package mistral/3.0.0-4 CVE-2018-16849: std.ssh action may disclose presence of arbitrary files

2018-11-15 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

The security team doesn't wish to do a DSA for this CVE, and asked me to
deal with it with the release team. Here's the CVE description:

CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
applied upstream patch: remove extra information from std.ssh action.
(Closes: #912714).

Debdiff is attached. Please allow me to upload the fix to Stretch.

Cheers,

Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog
index b2ce8602..06234034 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+mistral (3.0.0-4+deb9u1) stretch-security; urgency=medium
+
+  * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
+applied upstream patch: remove extra information from std.ssh action.
+(Closes: #912714).
+
+ -- Thomas Goirand   Mon, 05 Nov 2018 14:38:44 +0100
+
 mistral (3.0.0-4) unstable; urgency=medium
 
   * Add allow-sqla-1.1.patch to allow SQLA transition.
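Review bot: the new changelog stanza targets `stretch-security`, but this request is for a stretch-pu upload with no DSA, so the distribution field has to be `stretch`; suggest `mistral (3.0.0-4+deb9u1) stretch; urgency=medium`. The `+deb9u1` version suffix, the CVE id and the `(Closes: #912714)` reference are what a stable update entry should carry, so nothing else in this hunk needs changing.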
diff --git 
a/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
 
b/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
new file mode 100644
index ..af601bbf
--- /dev/null
+++ 
b/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
@@ -0,0 +1,29 @@
+Description: CVE-2018-16849: Remove extra information from std.ssh action
+ The ssh error message can lead to information leak.
+ Removing the extra ssh message effects only the CLI call,
+ the full message is still being logged
+Author: apetrich 
+Date: Mon, 3 Sep 2018 14:00:22 +0200
+Change-Id: I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6
+Bug-Ubuntu: https://launchpad.net/bugs/1783708
+Bug-Debian: https://bugs.debian.org/912714
+Origin: upstream, https://review.openstack.org/601214
+Last-Update: 2018-11-05
+
+Index: mistral/mistral/actions/std_actions.py
+===
+--- mistral.orig/mistral/actions/std_actions.py
 mistral/mistral/actions/std_actions.py
+@@ -358,8 +358,11 @@ class SSHAction(base.Action):
+ def raise_exc(parent_exc=None):
+ message = ("Failed to execute ssh cmd "
+"'%s' on %s" % (self.cmd, self.host))
++# We suppress the actual parent error messages in favor of
++# more generic ones as we might be leaking information to the CLI
+ if parent_exc:
+-message += "\nException: %s" % str(parent_exc)
++# The full error message needs to be logged regardless
++LOG.exception(message + " Exception: %s", str(parent_exc))
+ raise exc.ActionException(message)
+ 
+ try:
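Review bot: the added `LOG.exception(message + " Exception: %s", str(parent_exc))` uses `message` as part of the logging format string, and `message` is built from `self.cmd` and `self.host` verbatim, so a command containing a `%` (for instance `date +%s`, common in shell) makes logging's lazy `%` formatting fail and the full detail that the Description says is "still being logged" ends up as a "Logging error" on stderr instead of in the log. Pass it as an argument: `LOG.exception("%s Exception: %s", message, parent_exc)`. Also, `LOG.exception` only attaches a traceback when called from inside an `except` block; the visible context does not show where `raise_exc` is called from with a `parent_exc`, so check that every such call site sits in a handler, otherwise the log line reads `NoneType: None` in place of the stack. Minor points: in the DEP-3 Description, "effects only the CLI call" should read "affects", and the target-file header in this debdiff appears as ` mistral/mistral/actions/std_actions.py` without its `+++` prefix (and the `===` separator line is truncated), so confirm the patch file in the actual upload is intact and applies cleanly with `quilt push` before building.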
diff --git a/debian/patches/series b/debian/patches/series
index 7f9d7ed2..5017dfe7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 allow-sqla-1.1.patch
+CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
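The following is an added example, not Mistral's code and not part of the bug report: it shows how surfacing `str(parent_exc)` to the caller turns an SSH action into a file-existence oracle (a key_filename that does not exist produces a different error text than one that exists but is not a key), and the generic-message-plus-log pattern the CVE-2018-16849 patch applies. The key loading is simulated with a plain `open()` and a header check so it runs offline; `load_private_key`, `run_ssh_action_leaky`, `run_ssh_action_fixed`, `error_for`, `probe`, the sample host and the sample file contents are all hypothetical or constructed here. It also passes `message` as a format argument rather than as the format string, so a command such as `date +%s` cannot break the log call.

```python
"""Added example (not Mistral's code): exception text as a file-existence
oracle, and the generic-message pattern used to close it.  All names and
sample data below are constructed for this demonstration."""
import logging
import os
import tempfile

LOG = logging.getLogger(__name__)


class ActionException(Exception):
    """Stand-in for mistral.exceptions.ActionException (hypothetical)."""


def load_private_key(path):
    """Simulates a key loader: the error raised depends on whether the file
    exists (FileNotFoundError names the path) or merely is not a key."""
    with open(path, "rb") as f:
        data = f.read()
    if not data.startswith(b"-----BEGIN"):
        raise ValueError("not a valid private key file")
    return data


def run_ssh_action_leaky(cmd, host, key_filename):
    """Pre-patch behaviour: the caller-visible message carries str(parent_exc),
    so the caller learns which kind of failure occurred for any path."""
    message = "Failed to execute ssh cmd '%s' on %s" % (cmd, host)
    try:
        load_private_key(key_filename)
    except Exception as parent_exc:
        message += "\nException: %s" % str(parent_exc)
        raise ActionException(message)


def run_ssh_action_fixed(cmd, host, key_filename):
    """Post-patch behaviour: the detail goes to the log only and the caller
    sees the same generic message whatever went wrong.  message is passed as
    an argument, not as the format string, so a '%' in cmd is harmless."""
    message = "Failed to execute ssh cmd '%s' on %s" % (cmd, host)
    try:
        load_private_key(key_filename)
    except Exception as parent_exc:
        LOG.exception("%s Exception: %s", message, parent_exc)
        raise ActionException(message)


def error_for(action, key_filename, cmd="date +%s", host="203.0.113.10"):
    """Return the message a tenant would see from the action, or None."""
    try:
        action(cmd, host, key_filename)
    except ActionException as e:
        return str(e)
    return None


def probe(action):
    """Run the action against a missing path and an existing non-key file and
    report whether the two caller-visible messages differ (an oracle)."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "shadow")  # constructed: exists, not a key
        with open(present, "wb") as f:
            f.write(b"root:*:17000:0:99999:7:::\n")
        missing = os.path.join(d, "does-not-exist")
        seen_present = error_for(action, present)
        seen_missing = error_for(action, missing)
    return seen_present != seen_missing, seen_present, seen_missing


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for name, action in (("leaky", run_ssh_action_leaky),
                         ("fixed", run_ssh_action_fixed)):
        oracle, _, _ = probe(action)
        print("%s: caller can tell existing file from missing one: %s"
              % (name, oracle))
```

Run it as a script: the leaky variant reports `True` (the two messages differ, and the missing-file one even echoes the path), the fixed variant reports `False` while the full exception still lands in the log. The log is now the only place the detail lives, so the fix shifts the trust boundary to whoever can read Mistral's logs rather than removing the information entirely.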