[Debian-ha-commits] [pcs] 01/02: Add upstream fix for CVE-2018-1086
Valentin Vidic
vvidic-guest at moszumanska.debian.org
Wed Apr 11 20:02:11 UTC 2018
This is an automated email from the git hooks/post-receive script.
vvidic-guest pushed a commit to annotated tag debian/0.9.155+dfsg-2+deb9u1
in repository pcs.
commit f67d8bfb4cb15ae2e9606fcbea9689e98cefff9c
Author: Valentin Vidic <Valentin.Vidic at CARNet.hr>
Date: Mon Mar 26 20:34:14 2018 +0200
Add upstream fix for CVE-2018-1086
---
debian/patches/0013-CVE-2018-1086.patch | 49 +++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 50 insertions(+)
diff --git a/debian/patches/0013-CVE-2018-1086.patch b/debian/patches/0013-CVE-2018-1086.patch
new file mode 100644
index 0000000..4bffdc7
--- /dev/null
+++ b/debian/patches/0013-CVE-2018-1086.patch
@@ -0,0 +1,49 @@
+Description: CVE-2018-1086 Debug parameter removal bypass, allowing information disclosure
+ To prevent some information disclosure, pcsd actively removes '--debug'
+ from command requested over the REST interface, but this can be bypassed.
+ The information gained could then be used to gain higher privileges.
+Author: Tomas Jelinek <tojeline at redhat.com>
+Origin: upstream
+Reviewed-by: Valentin Vidic <Valentin.Vidic at CARNet.hr>
+Last-Update: 2018-03-26
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/pcsd/pcsd.rb
++++ b/pcsd/pcsd.rb
+@@ -232,8 +232,13 @@
+ }
+ return JSON.pretty_generate(result)
+ end
+- # do not reveal potentialy sensitive information
+- command_decoded.delete('--debug')
++ # Do not reveal potentially sensitive information: remove --debug and all its
++ # prefixes since getopt parser in pcs considers them equal to --debug.
++ debug_items = ["--de", "--deb", "--debu", "--debug"]
++ command_sanitized = []
++ command_decoded.each { |item|
++ command_sanitized << item unless debug_items.include?(item)
++ }
+
+ allowed_commands = {
+ ['cluster', 'auth', '...'] => {
+@@ -334,9 +339,9 @@
+ allowed = false
+ command_settings = {}
+ allowed_commands.each { |cmd, cmd_settings|
+- if command_decoded == cmd \
++ if command_sanitized == cmd \
+ or \
+- (cmd[-1] == '...' and cmd[0..-2] == command_decoded[0..(cmd.length - 2)])
++ (cmd[-1] == '...' and cmd[0..-2] == command_sanitized[0..(cmd.length - 2)])
+ then
+ allowed = true
+ command_settings = cmd_settings
+@@ -365,7 +370,7 @@
+ options = {}
+ options['stdin'] = std_in if std_in
+ std_out, std_err, retval = run_cmd_options(
+- @auth_user, options, PCS, *command_decoded
++ @auth_user, options, PCS, *command_sanitized
+ )
+ result = {
+ 'status' => 'ok',
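Review bot: The hunk replaces three uses of command_decoded with command_sanitized (the allowed-command comparison at the second nested hunk and the run_cmd_options call at the third), but command_decoded itself still holds the unsanitized list including any --debug prefixes; any other reference to it later in pcsd.rb that is not shown here would reintroduce the bypass, so a grep for command_decoded in the rest of the file should be part of this review. The prefix list `["--de", "--deb", "--debu", "--debug"]` also deserves a comment on why it starts at --de (presumably --d is ambiguous with another pcs long option), since the list is hard-coded and will silently drift if pcs later adds or removes a long option beginning with --de. On the DEP-3 header, `Origin: upstream` should carry the URL of the upstream commit (DEP-3 expects "upstream, <url>"), and a Bug-Debian or CVE reference field would make the security-tracker cross-reference explicit.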
diff --git a/debian/patches/series b/debian/patches/series
index ed481e1..051554a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@
0010-Replace-chkconfig.patch
0011-Fix-python-lxml.patch
0012-CVE-2017-2661.patch
+0013-CVE-2018-1086.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-ha/pcs.git