Package: lsyncd
Version: 2.0.7-3
Severity: important
Tags: security patch

cf. upstream bug report and fix at https://github.com/axkibe/lsyncd/issues/220
This is the same patch backported to the lsyncd version in stable.

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lsyncd depends on:
ii  libc6        2.13-38+deb7u4
ii  liblua5.1-0  5.1.5-4+deb7u1
ii  lua5.1       5.1.5-4+deb7u1
ii  rsync        3.0.9-4

lsyncd recommends no packages.

lsyncd suggests no packages.

-- no debconf information
Sanitize mv arguments: 1. Fixes crashes on file names containing `, $ or " 2. Also prevents shell execution of ``, $() … in file names, which can be used to gain remote shell access as lsyncd's (target) user. Index: lsyncd-2.0.7/default-rsyncssh.lua =================================================================== --- lsyncd-2.0.7.orig/default-rsyncssh.lua 2012-02-16 08:24:20.000000000 +0100 +++ lsyncd-2.0.7/default-rsyncssh.lua 2014-10-29 13:59:51.165553255 +0100 @@ -29,14 +29,17 @@ -- makes move local on host -- if fails deletes the source... if event.etype == 'Move' then - log('Normal', 'Moving ',event.path,' -> ',event2.path) + local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$') + local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$') + log('Normal', 'Moving ',path1,' -> ',path2) + spawn(event, '/usr/bin/ssh', config.host, 'mv', - '\"' .. config.targetdir .. event.path .. '\"', - '\"' .. config.targetdir .. event2.path .. '\"', + '\"' .. config.targetdir .. path1 .. '\"', + '\"' .. config.targetdir .. path2 .. '\"', '||', 'rm', '-rf', - '\"' .. config.targetdir .. event.path .. '\"') + '\"' .. config.targetdir .. path1 .. '\"') return end
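Review bot: The new path1/path2 escaping handles `"`, `` ` `` and `$` but not `\`, which is the fourth character that stays special inside POSIX double quotes, so a name such as `a\"b` becomes `a\\"b` (the `\\` is a literal backslash and the following `"` closes the quote early) and a name ending in `\` turns the closing `"` into `\"` and swallows the next argument; add `:gsub('\\', '\\\\')` as the first substitution, before the `"`, `` ` `` and `$` ones, so existing backslashes are doubled before new ones are introduced. Two smaller points: the `'\\%$'` replacement relies on Lua 5.1 treating `%$` as a literal `$` (lua5.1 is what the package depends on, but Lua 5.2 and later reject `%` followed by a non-digit in a replacement string with "invalid use of '%' in replacement string"), and `'\\$'` is equivalent and portable; and the `log('Normal', 'Moving ', path1, ...)` line now logs the shell-escaped names rather than the real paths, so keep `event.path`/`event2.path` in the log call and use path1/path2 only in the spawn arguments.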