[Debian-ha-commits] [pcs] 01/02: Add upstream fix for CVE-2017-2661 (Closes: #858379)

Tue Mar 21 20:02:05 UTC 2017

This is an automated email from the git hooks/post-receive script.

vvidic-guest pushed a commit to branch master
in repository pcs.

commit 588cae9cf682fac98871e57d48c382278b9c49f1
Author: Valentin Vidic <Valentin.Vidic at CARNet.hr>
Date:   Tue Mar 21 20:34:46 2017 +0100

    Add upstream fix for CVE-2017-2661 (Closes: #858379)
---
 debian/patches/0012-CVE-2017-2661.patch | 41 +++++++++++++++++++++++++++++++++
 debian/patches/series                   |  1 +
 2 files changed, 42 insertions(+)

diff --git a/debian/patches/0012-CVE-2017-2661.patch b/debian/patches/0012-CVE-2017-2661.patch
new file mode 100644
index 0000000..1beaf95
--- /dev/null
+++ b/debian/patches/0012-CVE-2017-2661.patch
@@ -0,0 +1,41 @@
+From: Ondrej Mular <omular at redhat.com>
+Date: Sat, 4 Mar 2017 14:01:43 +0100
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1428948
+Subject: [PATCH] web UI: fixed XSS vulnerability
+
+---
+ pcsd/public/js/nodes-ember.js | 4 ++--
+ pcsd/public/js/pcsd.js        | 2 +-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/pcsd/public/js/nodes-ember.js
++++ b/pcsd/public/js/nodes-ember.js
+@@ -75,7 +75,7 @@
+     var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
+     $.each(this.get("sbd_config"), function(opt, val) {
+       if (banned_options.indexOf(opt) == -1) {
+-        out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
++        out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) + '</td></tr>\n';
+       }
+     });
+     return out + '</table>';
+@@ -879,7 +879,7 @@
+   }.property("status_val"),
+   show_status: function() {
+     return '<span style="' + this.get('status_style') + '">'
+-      + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
++      + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+       + '</span>';
+   }.property("status_style", "disabled"),
+   status_class: function() {
+--- a/pcsd/public/js/pcsd.js
++++ b/pcsd/public/js/pcsd.js
+@@ -822,7 +822,7 @@
+ 
+   dialog_obj.find('#auth_nodes_list').empty();
+   unauth_nodes.forEach(function(node) {
+-    dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node + '</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
++    dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node) + '-pass"></td></tr>\n');
+   });
+ 
+ }
diff --git a/debian/patches/series b/debian/patches/series
index c11d762..ed481e1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 0009-Fix-testsuite.patch
 0010-Replace-chkconfig.patch
 0011-Fix-python-lxml.patch
+0012-CVE-2017-2661.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-ha/pcs.git

