aboutsummaryrefslogtreecommitdiffstats
path: root/main/lsyncd/CVE-2014-8990.patch
blob: 7c3b88d7e9138b6e27a805df4c33d271443221a3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
From 660438b485bcabac732ff4c63ee94826d66cf046 Mon Sep 17 00:00:00 2001
From: Sven Schwedas <sven.schwedas@tao.at>
Date: Wed, 29 Oct 2014 13:32:20 +0100
Subject: [PATCH 1/2] Sanitize mv arguments:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. Fixes crashes on file names containing `, $ or "
2. Also prevents shell execution of ``, $() … in file names, which can be
   used to gain remote shell access as lsyncd's (target) user.
---
 default-rsyncssh.lua | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
index 90732f6..b775942 100644
--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -74,6 +74,9 @@ rsyncssh.action = function( inlet )
 	-- makes move local on target host
 	-- if the move fails, it deletes the source
 	if event.etype == 'Move' then
+		local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+		local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+
 		log('Normal', 'Moving ',event.path,' -> ',event2.path)
 
 		spawn(
@@ -82,10 +85,10 @@ rsyncssh.action = function( inlet )
 			config.ssh._computed,
 			config.host,
 			'mv',
-			'\"' .. config.targetdir .. event.path .. '\"',
-			'\"' .. config.targetdir .. event2.path .. '\"',
+			'\"' .. config.targetdir .. path1 .. '\"',
+			'\"' .. config.targetdir .. path2 .. '\"',
 			'||', 'rm', '-rf',
-			'\"' .. config.targetdir .. event.path .. '\"')
+			'\"' .. config.targetdir .. path1 .. '\"')
 		return
 	end
 
-- 
2.2.2


From 396efd951ea3a20035cbf4ea52e1ff14ba018ef1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81ngel=20Gonz=C3=A1lez?= <angel@16bits.net>
Date: Tue, 25 Nov 2014 23:49:25 +0100
Subject: [PATCH 2/2] Properly sanitize mv parameters (CVE-2014-8990)

When using -rsyncssh option, some filenames
could -in addition of not syncing correctly-
crash the service and execute arbitrary commands
under the credentials of the remote user.

These issues have been assigned CVE-2014-8990

This commit fixes the incomplete and lua5.2-incompatible
sanitization performed by 18f02ad0

Signed-off-by: Sven Schwedas <sven.schwedas@tao.at>
(cherry picked from commit e6016b3748370878778b8f0b568d5281cc248aa4)

Conflicts:
	default-rsyncssh.lua
---
 default-rsyncssh.lua | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
index b775942..4361a6c 100644
--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -74,8 +74,10 @@ rsyncssh.action = function( inlet )
 	-- makes move local on target host
 	-- if the move fails, it deletes the source
 	if event.etype == 'Move' then
-		local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
-		local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+		local path1 = config.targetdir .. event.path
+		local path2 = config.targetdir .. event2.path
+		path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
+		path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
 
 		log('Normal', 'Moving ',event.path,' -> ',event2.path)
 
@@ -85,10 +87,12 @@ rsyncssh.action = function( inlet )
 			config.ssh._computed,
 			config.host,
 			'mv',
-			'\"' .. config.targetdir .. path1 .. '\"',
-			'\"' .. config.targetdir .. path2 .. '\"',
+			path1,
+			path2,
 			'||', 'rm', '-rf',
-			'\"' .. config.targetdir .. path1 .. '\"')
+			path1
+		)
+
 		return
 	end
 
-- 
2.2.2