aboutsummaryrefslogtreecommitdiffstats
path: root/main/lsyncd
diff options
context:
space:
mode:
Diffstat (limited to 'main/lsyncd')
-rw-r--r--main/lsyncd/APKBUILD6
-rw-r--r--main/lsyncd/CVE-2014-8990.patch107
2 files changed, 112 insertions, 1 deletions
diff --git a/main/lsyncd/APKBUILD b/main/lsyncd/APKBUILD
index 312831cbc1..c6c83b13e6 100644
--- a/main/lsyncd/APKBUILD
+++ b/main/lsyncd/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=lsyncd
pkgver=2.1.5
-pkgrel=2
+pkgrel=3
pkgdesc="Live Syncing (Mirror) Daemon"
url="http://code.google.com/p/lsyncd/"
arch="all"
@@ -15,6 +15,7 @@ subpackages="$pkgname-doc"
source="http://lsyncd.googlecode.com/files/lsyncd-$pkgver.tar.gz
fix-realpath.patch
lpostcmd.patch
+ CVE-2014-8990.patch
$pkgname.initd"
_builddir="$srcdir"/lsyncd-$pkgver
@@ -56,12 +57,15 @@ package() {
md5sums="fb10547494ec5ec662fe88343047c364 lsyncd-2.1.5.tar.gz
a14565df7274ebd0b605301ca39ae885 fix-realpath.patch
2d1ff04792a8b8188afe1d3d11069443 lpostcmd.patch
+8f3d89a6594e62a3e4ed5732ce22bda7 CVE-2014-8990.patch
c9e77dddc6dc3eef6f35bf2d23658818 lsyncd.initd"
sha256sums="4a793056c4ed833edb59436d7711bb65f7e38a4d8d44371cc9dc5eb91fbc461f lsyncd-2.1.5.tar.gz
26454c77bb005c165c10b05b232c587669d35ab98e0ac889a11923106126f98e fix-realpath.patch
3972481b8369db8b71bed82982c5b827dcd22b177c6843c03a45f31b9d257e2d lpostcmd.patch
+0896409e11c7e2d464cdca6dbd4493477d7858fe58d7dcf5eb63a01609892fad CVE-2014-8990.patch
770b2c123d062ddcbf7c9eb709c56f9dd812cce66bf5e76b88a86609cc9925b0 lsyncd.initd"
sha512sums="7be939e979525f8e4687432ffe952b1d09b8a34b4d7f92ebe86b5cddb765dbd602258682612529e9cc51305d6d001e72de9e6da62761397df23ecda30fd6a12b lsyncd-2.1.5.tar.gz
2cebaf59d960321c2eda4ef1e0d850f62eb7eedb7ba8922a5db33a7f78c769d1a52839fbb597ae06ba576632e2abc7b92a6ba2eaf58b71b93bc877db83e25576 fix-realpath.patch
1d31787059e427b49aee572a91e5ba315e4d06c7f8238415ded76144a8fb48286917d3a1dedb3ec82c6ad8bf4d058462c10b2ffa99f4dd0a2f48655e2fc2535a lpostcmd.patch
+43d3b511d3242be65e3e9aece581d0caa59b43025087b5bdd856cf833ce84438bde90f926c657332414cb45393a3a78433ae2c5b4c8be652f9a4ac80891e09e7 CVE-2014-8990.patch
e283f81c4d8c2c5b7cc333920a7f69f059846eb537a1c8700bfaf9e07f65740e76afe4726348d785c00fae11067fabb0917cacb42193b96d550807cc9b65a445 lsyncd.initd"
diff --git a/main/lsyncd/CVE-2014-8990.patch b/main/lsyncd/CVE-2014-8990.patch
new file mode 100644
index 0000000000..7c3b88d7e9
--- /dev/null
+++ b/main/lsyncd/CVE-2014-8990.patch
@@ -0,0 +1,107 @@
+From 660438b485bcabac732ff4c63ee94826d66cf046 Mon Sep 17 00:00:00 2001
+From: Sven Schwedas <sven.schwedas@tao.at>
+Date: Wed, 29 Oct 2014 13:32:20 +0100
+Subject: [PATCH 1/2] Sanitize mv arguments:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+1. Fixes crashes on file names containing `, $ or "
+2. Also prevents shell execution of ``, $() … in file names, which can be
+ used to gain remote shell access as lsyncd's (target) user.
+---
+ default-rsyncssh.lua | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
+index 90732f6..b775942 100644
+--- a/default-rsyncssh.lua
++++ b/default-rsyncssh.lua
+@@ -74,6 +74,9 @@ rsyncssh.action = function( inlet )
+ -- makes move local on target host
+ -- if the move fails, it deletes the source
+ if event.etype == 'Move' then
++ local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
++ local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
++
+ log('Normal', 'Moving ',event.path,' -> ',event2.path)
+
+ spawn(
+@@ -82,10 +85,10 @@ rsyncssh.action = function( inlet )
+ config.ssh._computed,
+ config.host,
+ 'mv',
+- '\"' .. config.targetdir .. event.path .. '\"',
+- '\"' .. config.targetdir .. event2.path .. '\"',
++ '\"' .. config.targetdir .. path1 .. '\"',
++ '\"' .. config.targetdir .. path2 .. '\"',
+ '||', 'rm', '-rf',
+- '\"' .. config.targetdir .. event.path .. '\"')
++ '\"' .. config.targetdir .. path1 .. '\"')
+ return
+ end
+
+--
+2.2.2
+
+
+From 396efd951ea3a20035cbf4ea52e1ff14ba018ef1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=81ngel=20Gonz=C3=A1lez?= <angel@16bits.net>
+Date: Tue, 25 Nov 2014 23:49:25 +0100
+Subject: [PATCH 2/2] Properly sanitize mv parameters (CVE-2014-8990)
+
+When using -rsyncssh option, some filenames
+could -in addition of not syncing correctly-
+crash the service and execute arbitrary commands
+under the credentials of the remote user.
+
+These issues have been assigned CVE-2014-8990
+
+This commit fixes the incomplete and lua5.2-incompatible
+sanitization performed by 18f02ad0
+
+Signed-off-by: Sven Schwedas <sven.schwedas@tao.at>
+(cherry picked from commit e6016b3748370878778b8f0b568d5281cc248aa4)
+
+Conflicts:
+ default-rsyncssh.lua
+---
+ default-rsyncssh.lua | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
+index b775942..4361a6c 100644
+--- a/default-rsyncssh.lua
++++ b/default-rsyncssh.lua
+@@ -74,8 +74,10 @@ rsyncssh.action = function( inlet )
+ -- makes move local on target host
+ -- if the move fails, it deletes the source
+ if event.etype == 'Move' then
+- local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+- local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
++ local path1 = config.targetdir .. event.path
++ local path2 = config.targetdir .. event2.path
++ path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
++ path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
+
+ log('Normal', 'Moving ',event.path,' -> ',event2.path)
+
+@@ -85,10 +87,12 @@ rsyncssh.action = function( inlet )
+ config.ssh._computed,
+ config.host,
+ 'mv',
+- '\"' .. config.targetdir .. path1 .. '\"',
+- '\"' .. config.targetdir .. path2 .. '\"',
++ path1,
++ path2,
+ '||', 'rm', '-rf',
+- '\"' .. config.targetdir .. path1 .. '\"')
++ path1
++ )
++
+ return
+ end
+
+--
+2.2.2
+