main/lsyncd: fix CVE-2014-8990

1 files changed, 107 insertions, 0 deletions

diff --git a/main/lsyncd/CVE-2014-8990.patch b/main/lsyncd/CVE-2014-8990.patch
new file mode 100644
index 0000000000..7c3b88d7e9
--- /dev/null
+++ b/main/lsyncd/CVE-2014-8990.patch
@@ -0,0 +1,107 @@
+From 660438b485bcabac732ff4c63ee94826d66cf046 Mon Sep 17 00:00:00 2001
+From: Sven Schwedas <sven.schwedas@tao.at>
+Date: Wed, 29 Oct 2014 13:32:20 +0100
+Subject: [PATCH 1/2] Sanitize mv arguments:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+1. Fixes crashes on file names containing `, $ or "
+2. Also prevents shell execution of ``, $() … in file names, which can be
+   used to gain remote shell access as lsyncd's (target) user.
+---
+ default-rsyncssh.lua | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
+index 90732f6..b775942 100644
+--- a/default-rsyncssh.lua
++++ b/default-rsyncssh.lua
+@@ -74,6 +74,9 @@ rsyncssh.action = function( inlet )
+ 	-- makes move local on target host
+ 	-- if the move fails, it deletes the source
+ 	if event.etype == 'Move' then
++		local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
++		local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
++
+ 		log('Normal', 'Moving ',event.path,' -> ',event2.path)
+ 
+ 		spawn(
+@@ -82,10 +85,10 @@ rsyncssh.action = function( inlet )
+ 			config.ssh._computed,
+ 			config.host,
+ 			'mv',
+-			'\"' .. config.targetdir .. event.path .. '\"',
+-			'\"' .. config.targetdir .. event2.path .. '\"',
++			'\"' .. config.targetdir .. path1 .. '\"',
++			'\"' .. config.targetdir .. path2 .. '\"',
+ 			'||', 'rm', '-rf',
+-			'\"' .. config.targetdir .. event.path .. '\"')
++			'\"' .. config.targetdir .. path1 .. '\"')
+ 		return
+ 	end
+ 
+-- 
+2.2.2
+
+
+From 396efd951ea3a20035cbf4ea52e1ff14ba018ef1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=81ngel=20Gonz=C3=A1lez?= <angel@16bits.net>
+Date: Tue, 25 Nov 2014 23:49:25 +0100
+Subject: [PATCH 2/2] Properly sanitize mv parameters (CVE-2014-8990)
+
+When using -rsyncssh option, some filenames
+could -in addition of not syncing correctly-
+crash the service and execute arbitrary commands
+under the credentials of the remote user.
+
+These issues have been assigned CVE-2014-8990
+
+This commit fixes the incomplete and lua5.2-incompatible
+sanitization performed by 18f02ad0
+
+Signed-off-by: Sven Schwedas <sven.schwedas@tao.at>
+(cherry picked from commit e6016b3748370878778b8f0b568d5281cc248aa4)
+
+Conflicts:
+	default-rsyncssh.lua
+---
+ default-rsyncssh.lua | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
+index b775942..4361a6c 100644
+--- a/default-rsyncssh.lua
++++ b/default-rsyncssh.lua
+@@ -74,8 +74,10 @@ rsyncssh.action = function( inlet )
+ 	-- makes move local on target host
+ 	-- if the move fails, it deletes the source
+ 	if event.etype == 'Move' then
+-		local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+-		local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
++		local path1 = config.targetdir .. event.path
++		local path2 = config.targetdir .. event2.path
++		path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
++		path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
+ 
+ 		log('Normal', 'Moving ',event.path,' -> ',event2.path)
+ 
+@@ -85,10 +87,12 @@ rsyncssh.action = function( inlet )
+ 			config.ssh._computed,
+ 			config.host,
+ 			'mv',
+-			'\"' .. config.targetdir .. path1 .. '\"',
+-			'\"' .. config.targetdir .. path2 .. '\"',
++			path1,
++			path2,
+ 			'||', 'rm', '-rf',
+-			'\"' .. config.targetdir .. path1 .. '\"')
++			path1
++		)
++
+ 		return
+ 	end
+ 
+-- 
+2.2.2
+