[Debian-ha-commits] [pcs] 01/02: Add upstream fix for CVE-2018-1086

Valentin Vidic vvidic-guest at moszumanska.debian.org
Wed Apr 11 20:02:11 UTC 2018


This is an automated email from the git hooks/post-receive script.

vvidic-guest pushed a commit to annotated tag debian/0.9.155+dfsg-2+deb9u1
in repository pcs.

commit f67d8bfb4cb15ae2e9606fcbea9689e98cefff9c
Author: Valentin Vidic <Valentin.Vidic at CARNet.hr>
Date:   Mon Mar 26 20:34:14 2018 +0200

    Add upstream fix for CVE-2018-1086
---
 debian/patches/0013-CVE-2018-1086.patch | 49 +++++++++++++++++++++++++++++++++
 debian/patches/series                   |  1 +
 2 files changed, 50 insertions(+)

diff --git a/debian/patches/0013-CVE-2018-1086.patch b/debian/patches/0013-CVE-2018-1086.patch
new file mode 100644
index 0000000..4bffdc7
--- /dev/null
+++ b/debian/patches/0013-CVE-2018-1086.patch
@@ -0,0 +1,49 @@
+Description: CVE-2018-1086 Debug parameter removal bypass, allowing information disclosure
+ To prevent some information disclosure, pcsd actively removes '--debug'
+ from command requested over the REST interface, but this can be bypassed.
+ The information gained could then be used to gain higher privileges.
+Author: Tomas Jelinek <tojeline at redhat.com>
+Origin: upstream
+Reviewed-by: Valentin Vidic <Valentin.Vidic at CARNet.hr>
+Last-Update: 2018-03-26
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/pcsd/pcsd.rb
++++ b/pcsd/pcsd.rb
+@@ -232,8 +232,13 @@
+     }
+     return JSON.pretty_generate(result)
+   end
+-  # do not reveal potentialy sensitive information
+-  command_decoded.delete('--debug')
++  # Do not reveal potentially sensitive information: remove --debug and all its
++  # prefixes since getopt parser in pcs considers them equal to --debug.
++  debug_items = ["--de", "--deb", "--debu", "--debug"]
++  command_sanitized = []
++  command_decoded.each { |item|
++    command_sanitized << item unless debug_items.include?(item)
++  }
+ 
+   allowed_commands = {
+     ['cluster', 'auth', '...'] => {
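Review bot: the new comment says "remove --debug and all its prefixes", but `debug_items` starts at `--de`, so `--d` is deliberately left out (presumably because it is ambiguous with other long options); state that reason in the comment so the next editor does not "fix" it. The list is also better derived than hand-typed, e.g. `debug_items = (4..7).map { |n| '--debug'[0, n] }`, and the each/<< loop is simply `command_sanitized = command_decoded.reject { |item| debug_items.include?(item) }`. Finally, consider answering a request that contains one of these items with an error instead of silently dropping the item: a caller sending `--de` over the REST interface is probing, and a rejected request is easier to spot in the logs than a quietly edited one.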
+@@ -334,9 +339,9 @@
+   allowed = false
+   command_settings = {}
+   allowed_commands.each { |cmd, cmd_settings|
+-    if command_decoded == cmd \
++    if command_sanitized == cmd \
+       or \
+-      (cmd[-1] == '...' and cmd[0..-2] == command_decoded[0..(cmd.length - 2)])
++      (cmd[-1] == '...' and cmd[0..-2] == command_sanitized[0..(cmd.length - 2)])
+       then
+         allowed = true
+         command_settings = cmd_settings
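Review bot: for the `'...'` entries the comparison `cmd[0..-2] == command_sanitized[0..(cmd.length - 2)]` only inspects the leading words, so every trailing item reaches pcs unchecked; the allow-list therefore filters nothing beyond the `--debug` prefixes stripped above. A one-line comment here saying that sanitization, not this match, is the only control on trailing arguments would make the dependency explicit for whoever adds the next option that getopt expands.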
+@@ -365,7 +370,7 @@
+   options = {}
+   options['stdin'] = std_in if std_in
+   std_out, std_err, retval = run_cmd_options(
+-    @auth_user, options, PCS, *command_decoded
++    @auth_user, options, PCS, *command_sanitized
+   )
+   result = {
+     'status' => 'ok',
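Review bot: `command_decoded` stays a live variable after this rename, and the three hunks only cover the allow-list match and the exec; anything between line 245 and line 339 of pcsd.rb that still reads `command_decoded` (logging, an error path, the response body) would see the unsanitized argv. Grep for remaining uses before merging, or shadow the old name right after the sanitization so a leftover reference fails loudly instead of leaking.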
diff --git a/debian/patches/series b/debian/patches/series
index ed481e1..051554a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@
 0010-Replace-chkconfig.patch
 0011-Fix-python-lxml.patch
 0012-CVE-2017-2661.patch
+0013-CVE-2018-1086.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-ha/pcs.git