[Pkg-ganeti-devel] [SCM] Ganeti packaging branch, lenny, updated. debian/1.2.6-3+lenny1-1-ge462567

Iustin Pop iusty at k1024.org
Thu Dec 24 13:06:45 UTC 2009


The following commit has been merged in the lenny branch:
commit e4625672a4ce7c539cc4b4327f8a116c51d10769
Author: Raphael Geissert <geissert at debian.org>
Date:   Thu Dec 17 14:49:01 2009 -0600

    Imported Debian patch 1.2.6-3+lenny2

diff --git a/debian/changelog b/debian/changelog
index 673abd1..331951f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ganeti (1.2.6-3+lenny2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2009-4261: Add missing validation of script name.
+
+ -- Raphael Geissert <geissert at debian.org>  Thu, 17 Dec 2009 14:49:01 -0600
+
 ganeti (1.2.6-3+lenny1) stable; urgency=low
 
   * Fix hvmloader path to match Lenny's xen-utils-3.2-1
diff --git a/debian/patches/03-move-the-hooks-file-mask-into-constants.py.patch b/debian/patches/03-move-the-hooks-file-mask-into-constants.py.patch
new file mode 100644
index 0000000..54c7523
--- /dev/null
+++ b/debian/patches/03-move-the-hooks-file-mask-into-constants.py.patch
@@ -0,0 +1,59 @@
+From: Iustin Pop <iustin at google.com>
+Date: Tue, 1 Dec 2009 13:02:12 +0000 (+0100)
+Subject: Move the hooks file mask into constants.py
+X-Git-Tag: v1.2.9~2
+X-Git-Url: http://git.ganeti.org/?p=ganeti.git;a=commitdiff_plain;h=c899750fde9828d76526eed47935a46335124d88;hp=b78789501ee8091c4b1c33c93aa38421309530dd
+
+Move the hooks file mask into constants.py
+
+This will allow reuse of the same mask for multiple validations.
+
+Signed-off-by: Iustin Pop <iustin at google.com>
+Reviewed-by: Michael Hanselmann <hansmi at google.com>
+---
+
+diff --git a/lib/backend.py b/lib/backend.py
+index 94b6216..6244e5d 100644
+--- a/lib/backend.py
++++ b/lib/backend.py
+@@ -1761,8 +1761,6 @@ class HooksRunner(object):
+   the master side.
+ 
+   """
+-  RE_MASK = re.compile("^[a-zA-Z0-9_-]+$")
+-
+   def __init__(self, hooks_base_dir=None):
+     """Constructor for hooks runner.
+ 
+@@ -1847,7 +1845,7 @@ class HooksRunner(object):
+     for relname in dir_contents:
+       fname = os.path.join(dir_name, relname)
+       if not (os.path.isfile(fname) and os.access(fname, os.X_OK) and
+-          self.RE_MASK.match(relname) is not None):
++              constants.EXT_PLUGIN_MASK.match(relname) is not None):
+         rrval = constants.HKR_SKIP
+         output = ""
+       else:
+diff --git a/lib/constants.py b/lib/constants.py
+index 8afa3d0..65bb83e 100644
+--- a/lib/constants.py
++++ b/lib/constants.py
+@@ -21,6 +21,8 @@
+ 
+ """Module holding different constants."""
+ 
++import re
++
+ from ganeti import _autoconf
+ 
+ # various versions
+@@ -74,6 +76,9 @@ VALUE_AUTO = "auto"
+ VALUE_GENERATE = "generate"
+ VALUE_NONE = "none"
+ 
++# External script validation mask
++EXT_PLUGIN_MASK = re.compile("^[a-zA-Z0-9_-]+$")
++
+ # hooks-related constants
+ HOOKS_BASE_DIR = _autoconf.SYSCONFDIR + "/ganeti/hooks"
+ HOOKS_PHASE_PRE = "pre"
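Review bot: The mask added in the constants.py hunk, `re.compile("^[a-zA-Z0-9_-]+$")`, still accepts a name carrying one trailing newline, because in Python `$` matches before a final `\n` as well as at the very end of the string, and the hunk moves this pattern precisely so it can be reused for every external-script validation. Anchoring with `\Z` closes that gap without changing what legitimate names are accepted: `EXT_PLUGIN_MASK = re.compile(r"^[a-zA-Z0-9_-]+\Z")`. The one-line comment above it could also state the contract it enforces, e.g. `# External script validation mask: one path component, no separators, dots or whitespace`. The HooksRunner method touched in the backend.py hunk starts and ends outside the hunk.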
diff --git a/debian/patches/04-add-validation-of-script-names.patch b/debian/patches/04-add-validation-of-script-names.patch
new file mode 100644
index 0000000..aab10b6
--- /dev/null
+++ b/debian/patches/04-add-validation-of-script-names.patch
@@ -0,0 +1,58 @@
+From: Iustin Pop <iustin at google.com>
+Date: Tue, 1 Dec 2009 14:08:29 +0000 (+0100)
+Subject: Security issue: add validation of script names
+X-Git-Tag: v1.2.9~1
+X-Git-Url: http://git.ganeti.org/?p=ganeti.git;a=commitdiff_plain;h=b0fc8c8943764d182fe2cc1876747ea2c2e4df09;hp=c899750fde9828d76526eed47935a46335124d88
+
+Security issue: add validation of script names
+
+This patch unifies the search for external script to always go through
+utils.FindFile and implements in that function a restriction on valid
+chars in file names and (additionally) that the passed name is the
+basename of the final (absolute) name.
+
+Signed-off-by: Iustin Pop <iustin at google.com>
+Reviewed-by: Michael Hanselmann <hansmi at google.com>
+---
+
+diff --git a/lib/backend.py b/lib/backend.py
+index 6244e5d..f8e72c3 100644
+--- a/lib/backend.py
++++ b/lib/backend.py
+@@ -1214,10 +1214,11 @@ def OSFromDisk(name, base_dir=None):
+ 
+   if base_dir is None:
+     os_dir = utils.FindFile(name, constants.OS_SEARCH_PATH, os.path.isdir)
+-    if os_dir is None:
+-      raise errors.InvalidOS(name, None, "OS dir not found in search path")
+   else:
+-    os_dir = os.path.sep.join([base_dir, name])
++    os_dir = utils.FindFile(name, [base_dir], os.path.isdir)
++
++  if os_dir is None:
++    raise errors.InvalidOS(name, None, "OS dir not found in search path")
+ 
+   api_versions = _OSOndiskVersion(name, os_dir)
+ 
+diff --git a/lib/utils.py b/lib/utils.py
+index f6c00ee..6dc5d14 100644
+--- a/lib/utils.py
++++ b/lib/utils.py
+@@ -1190,8 +1190,16 @@ def FindFile(name, search_path, test=os.path.exists):
+     - None otherwise
+ 
+   """
++  # validate the filename mask
++  if constants.EXT_PLUGIN_MASK.match(name) is None:
++    logger.Error("Invalid value passed for external script name: '%s'" %
++                 name)
++    return None
++
+   for dir_name in search_path:
+     item_name = os.path.sep.join([dir_name, name])
+-    if test(item_name):
++    # check the user test and that we're indeed resolving to the given
++    # basename
++    if test(item_name) and os.path.basename(item_name) == name:
+       return item_name
+   return None
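Review bot: FindFile's docstring, which ends just above the new check, still describes the result only as the found path or `None otherwise`, so a caller cannot tell that a name outside constants.EXT_PLUGIN_MASK now also yields None after an error is logged; add a line to its return list such as `- None if name does not match constants.EXT_PLUGIN_MASK (an error is logged)`. Because the mask contains no `.`, any other caller of FindFile that passes a dotted file name (the callers are not visible from here) would now silently get None instead of the path, which is worth confirming before this is shipped. The `os.path.basename(item_name) == name` test is a sensible second guard given that the mask already excludes path separators, but a comment saying the redundancy is deliberate would keep a later cleanup from dropping one of the two checks. FindFile's signature and the start of its body lie outside the hunk.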
