From 655d521104ae64806748d619c3e3394c4974aa55 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Fri, 23 Jan 2015 13:17:06 +0000 Subject: main/lsyncd: fix CVE-2014-8990 --- main/lsyncd/APKBUILD | 6 ++- main/lsyncd/CVE-2014-8990.patch | 107 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 112 insertions(+), 1 deletion(-) create mode 100644 main/lsyncd/CVE-2014-8990.patch (limited to 'main') diff --git a/main/lsyncd/APKBUILD b/main/lsyncd/APKBUILD index 312831cbc1..c6c83b13e6 100644 --- a/main/lsyncd/APKBUILD +++ b/main/lsyncd/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa pkgname=lsyncd pkgver=2.1.5 -pkgrel=2 +pkgrel=3 pkgdesc="Live Syncing (Mirror) Daemon" url="http://code.google.com/p/lsyncd/" arch="all" @@ -15,6 +15,7 @@ subpackages="$pkgname-doc" source="http://lsyncd.googlecode.com/files/lsyncd-$pkgver.tar.gz fix-realpath.patch lpostcmd.patch + CVE-2014-8990.patch $pkgname.initd" _builddir="$srcdir"/lsyncd-$pkgver 
@@ -56,12 +57,15 @@ package() {
 md5sums="fb10547494ec5ec662fe88343047c364 lsyncd-2.1.5.tar.gz
 a14565df7274ebd0b605301ca39ae885 fix-realpath.patch
 2d1ff04792a8b8188afe1d3d11069443 lpostcmd.patch
+8f3d89a6594e62a3e4ed5732ce22bda7 CVE-2014-8990.patch
 c9e77dddc6dc3eef6f35bf2d23658818 lsyncd.initd"
 sha256sums="4a793056c4ed833edb59436d7711bb65f7e38a4d8d44371cc9dc5eb91fbc461f lsyncd-2.1.5.tar.gz
 26454c77bb005c165c10b05b232c587669d35ab98e0ac889a11923106126f98e fix-realpath.patch
 3972481b8369db8b71bed82982c5b827dcd22b177c6843c03a45f31b9d257e2d lpostcmd.patch
+0896409e11c7e2d464cdca6dbd4493477d7858fe58d7dcf5eb63a01609892fad CVE-2014-8990.patch
 770b2c123d062ddcbf7c9eb709c56f9dd812cce66bf5e76b88a86609cc9925b0 lsyncd.initd"
 sha512sums="7be939e979525f8e4687432ffe952b1d09b8a34b4d7f92ebe86b5cddb765dbd602258682612529e9cc51305d6d001e72de9e6da62761397df23ecda30fd6a12b lsyncd-2.1.5.tar.gz
 2cebaf59d960321c2eda4ef1e0d850f62eb7eedb7ba8922a5db33a7f78c769d1a52839fbb597ae06ba576632e2abc7b92a6ba2eaf58b71b93bc877db83e25576 fix-realpath.patch
 1d31787059e427b49aee572a91e5ba315e4d06c7f8238415ded76144a8fb48286917d3a1dedb3ec82c6ad8bf4d058462c10b2ffa99f4dd0a2f48655e2fc2535a lpostcmd.patch
+43d3b511d3242be65e3e9aece581d0caa59b43025087b5bdd856cf833ce84438bde90f926c657332414cb45393a3a78433ae2c5b4c8be652f9a4ac80891e09e7 CVE-2014-8990.patch
 e283f81c4d8c2c5b7cc333920a7f69f059846eb537a1c8700bfaf9e07f65740e76afe4726348d785c00fae11067fabb0917cacb42193b96d550807cc9b65a445 lsyncd.initd"
diff --git a/main/lsyncd/CVE-2014-8990.patch b/main/lsyncd/CVE-2014-8990.patch
new file mode 100644
index 0000000000..7c3b88d7e9
--- /dev/null
+++ b/main/lsyncd/CVE-2014-8990.patch
@@ -0,0 +1,107 @@
+From 660438b485bcabac732ff4c63ee94826d66cf046 Mon Sep 17 00:00:00 2001
+From: Sven Schwedas
+Date: Wed, 29 Oct 2014 13:32:20 +0100
+Subject: [PATCH 1/2] Sanitize mv arguments:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+1. Fixes crashes on file names containing `, $ or "
+2. Also prevents shell execution of ``, $() … in file names, which can be
+ used to gain remote shell access as lsyncd's (target) user.
+---
+ default-rsyncssh.lua | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
+index 90732f6..b775942 100644
+--- a/default-rsyncssh.lua
++++ b/default-rsyncssh.lua
+@@ -74,6 +74,9 @@ rsyncssh.action = function( inlet )
+ -- makes move local on target host
+ -- if the move fails, it deletes the source
+ if event.etype == 'Move' then
++ local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
++ local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
++
+ log('Normal', 'Moving ',event.path,' -> ',event2.path)
+
+ spawn(
+@@ -82,10 +85,10 @@ rsyncssh.action = function( inlet )
+ config.ssh._computed,
+ config.host,
+ 'mv',
+- '\"' .. config.targetdir .. event.path .. '\"',
+- '\"' .. config.targetdir .. event2.path .. '\"',
++ '\"' .. config.targetdir .. path1 .. '\"',
++ '\"' .. config.targetdir .. path2 .. '\"',
+ '||', 'rm', '-rf',
+- '\"' .. config.targetdir .. event.path .. '\"')
++ '\"' .. config.targetdir .. path1 .. '\"')
+ return
+ end
+
+--
+2.2.2
+
+
+From 396efd951ea3a20035cbf4ea52e1ff14ba018ef1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=81ngel=20Gonz=C3=A1lez?=
+Date: Tue, 25 Nov 2014 23:49:25 +0100
+Subject: [PATCH 2/2] Properly sanitize mv parameters (CVE-2014-8990)
+
+When using -rsyncssh option, some filenames
+could -in addition of not syncing correctly-
+crash the service and execute arbitrary commands
+under the credentials of the remote user.
+
+These issues have been assigned CVE-2014-8990
+
+This commit fixes the incomplete and lua5.2-incompatible
+sanitization performed by 18f02ad0
+
+Signed-off-by: Sven Schwedas
+(cherry picked from commit e6016b3748370878778b8f0b568d5281cc248aa4)
+
+Conflicts:
+ default-rsyncssh.lua
+---
+ default-rsyncssh.lua | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
+index b775942..4361a6c 100644
+--- a/default-rsyncssh.lua
++++ b/default-rsyncssh.lua
+@@ -74,8 +74,10 @@ rsyncssh.action = function( inlet )
+ -- makes move local on target host
+ -- if the move fails, it deletes the source
+ if event.etype == 'Move' then
+- local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+- local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
++ local path1 = config.targetdir .. event.path
++ local path2 = config.targetdir .. event2.path
++ path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
++ path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
+
+ log('Normal', 'Moving ',event.path,' -> ',event2.path)
+
+@@ -85,10 +87,12 @@ rsyncssh.action = function( inlet )
+ config.ssh._computed,
+ config.host,
+ 'mv',
+- '\"' .. config.targetdir .. path1 .. '\"',
+- '\"' .. config.targetdir .. path2 .. '\"',
++ path1,
++ path2,
+ '||', 'rm', '-rf',
+- '\"' .. config.targetdir .. path1 .. '\"')
++ path1
++ )
++
+ return
+ end
+
+--
+2.2.2
+
-- cgit v1.2.3
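Review bot: In the final `spawn` call of PATCH 2/2, `mv` and `rm -rf` receive `path1`/`path2` with no `--` end-of-options marker, so whether a path can be parsed as an option depends entirely on `config.targetdir` never producing a leading `-` (an empty or relative targetdir would, and this hunk cannot rule that out). Passing `'mv', '--', path1, path2, '||', 'rm', '-rf', '--', path1` closes that gap independently of the quoting. The single-quote wrapping is also written twice with no explanation; a comment above those two lines such as `-- wrap in '...' and rewrite each embedded ' as '"'"' so the remote shell sees one literal word` would make the intent reviewable. `rsyncssh.action` starts and ends outside the hunk, so any other `spawn` calls that pass file names to the remote shell are not visible here and should be checked for the same quoting.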