From b3a75ed6dbdcc3503abb39f1679eebad81e806ec Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 10 2018 08:06:43 +0000
Subject: import pcs-0.9.162-5.el7_5.1
---
diff --git a/.gitignore b/.gitignore
index 970d968..149f560 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,7 @@ SOURCES/orderedhash-0.0.6.gem
 SOURCES/pcs-0.9.162.tar.gz
 SOURCES/pyagentx-0.4.pcs.1.tar.gz
 SOURCES/rack-1.6.4.gem
-SOURCES/rack-protection-1.5.3.gem
+SOURCES/rack-protection-1.5.5.gem
 SOURCES/rack-test-0.7.0.gem
 SOURCES/rpam-ruby19-1.2.1.gem
 SOURCES/sinatra-1.4.8.gem
diff --git a/.pcs.metadata b/.pcs.metadata
index e7a6117..8920f4a 100644
--- a/.pcs.metadata
+++ b/.pcs.metadata
@@ -9,7 +9,7 @@ f4d122fe287c5199040abbcd24c8082e1b0cdf93 SOURCES/multi_json-1.12.2.gem
 c088d3046113a6f2a6aed22fd1e1fb3daf43b5b5 SOURCES/pcs-0.9.162.tar.gz
 276a92c6d679a71bd0daaf12cb7b3616f1a89b72 SOURCES/pyagentx-0.4.pcs.1.tar.gz
 0a1eea6d7bb903d8c075688534480e87d4151470 SOURCES/rack-1.6.4.gem
-1c28529c1d7376c61faed80f3d3297905a14c2b3 SOURCES/rack-protection-1.5.3.gem
+f80ea6672253a90fa031db0c1e2e1fe056582118 SOURCES/rack-protection-1.5.5.gem
 3f41699c1c19ff2e2353583afa70799ced351a36 SOURCES/rack-test-0.7.0.gem
 a90e5a60d99445404a3c29a66d953a5e9918976d SOURCES/rpam-ruby19-1.2.1.gem
 3377f6140321523d7751bed3b2cc8a5201d8ec9f SOURCES/sinatra-1.4.8.gem
diff --git a/SOURCES/bz1557253-01-get-rid-of-debug-when-calling-local-pcsd.patch b/SOURCES/bz1557253-01-get-rid-of-debug-when-calling-local-pcsd.patch
new file mode 100644
index 0000000..1f0a51f
--- /dev/null
+++ b/SOURCES/bz1557253-01-get-rid-of-debug-when-calling-local-pcsd.patch
@@ -0,0 +1,53 @@
+From b14467358acacb5ff492f2df29c2c76abb9df180 Mon Sep 17 00:00:00 2001
+From: Tomas Jelinek
+Date: Tue, 20 Mar 2018 15:39:40 +0100
+Subject: [PATCH 1/3] get rid of --debug when calling local pcsd
+
+---
+ pcsd/pcsd.rb | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
+index 8f5ad819..b6a7435c 100644
+--- a/pcsd/pcsd.rb
++++ b/pcsd/pcsd.rb
+@@ -239,8 +239,13 @@ post '/run_pcs' do
+ }
+ return JSON.pretty_generate(result)
+ end
+- # do not reveal potentialy sensitive information
+- command_decoded.delete('--debug')
++ # Do not reveal potentially sensitive information: remove --debug and all its
++ # prefixes since getopt parser in pcs considers them equal to --debug.
++ debug_items = ["--de", "--deb", "--debu", "--debug"]
++ command_sanitized = []
++ command_decoded.each { |item|
++ command_sanitized << item unless debug_items.include?(item)
++ }
+
+ allowed_commands = {
+ ['cluster', 'auth', '...'] => {
+@@ -341,9 +346,9 @@ post '/run_pcs' do
+ allowed = false
+ command_settings = {}
+ allowed_commands.each { |cmd, cmd_settings|
+- if command_decoded == cmd \
++ if command_sanitized == cmd \
+ or \
+- (cmd[-1] == '...' and cmd[0..-2] == command_decoded[0..(cmd.length - 2)])
++ (cmd[-1] == '...' and cmd[0..-2] == command_sanitized[0..(cmd.length - 2)])
+ then
+ allowed = true
+ command_settings = cmd_settings
+@@ -372,7 +377,7 @@ post '/run_pcs' do
+ options = {}
+ options['stdin'] = std_in if std_in
+ std_out, std_err, retval = run_cmd_options(
+- @auth_user, options, PCS, *command_decoded
++ @auth_user, options, PCS, *command_sanitized
+ )
+ result = {
+ 'status' => 'ok',
+--
+2.13.6
+
diff --git a/SOURCES/bz1557253-02-sanitize-path-when-saving-booth-config-files.patch b/SOURCES/bz1557253-02-sanitize-path-when-saving-booth-config-files.patch
new file mode 100644
index 0000000..429c3be
--- /dev/null
+++ b/SOURCES/bz1557253-02-sanitize-path-when-saving-booth-config-files.patch
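Review bot: The `debug_items` allow-list in the first hunk hardcodes four spellings of the flag, but the rule it implements is getopt's unique-prefix matching, so the list is only right for as long as `--de` stays the shortest unambiguous prefix of `--debug` in pcs's option table; a future long option starting with `--de` or `--deb` would silently change which spellings reach pcs, and nothing here would flag it. Stating the rule directly ties the filter to it and replaces the five-line loop: `command_sanitized = command_decoded.reject { |item| item.length >= 4 && '--debug'.start_with?(item) }` (4 is the length of `--de`, the shortest spelling the patch treats as equivalent). Whether `--d` is in fact ambiguous in pcs, and therefore safe to let through, cannot be confirmed from this hunk and deserves the same check against the option list. The `post '/run_pcs'` block starts and ends outside the hunks, so any remaining reads of `command_decoded` between them (logging, the `allowed_commands` table) should be verified in the full file, since only the three visible uses were switched to `command_sanitized`.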
@@ -0,0 +1,28 @@
+From b2cdeb7a94cd1051a05d9de9a34bfbb54dd1a1df Mon Sep 17 00:00:00 2001
+From: Tomas Jelinek
+Date: Tue, 20 Mar 2018 15:44:59 +0100
+Subject: [PATCH 2/3] sanitize path when saving booth config files
+
+---
+ pcsd/pcsd_file.rb | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/pcsd/pcsd_file.rb b/pcsd/pcsd_file.rb
+index de7d3553..4f1604a8 100644
+--- a/pcsd/pcsd_file.rb
++++ b/pcsd/pcsd_file.rb
+@@ -104,6 +104,11 @@ module PcsdFile
+ if @file[:name].empty?
+ raise PcsdExchangeFormat::Error.for_item('file', @id, "'name' is empty")
+ end
++ if @file[:name].include?('/')
++ raise PcsdExchangeFormat::Error.for_item(
++ 'file', @id, "'name' cannot contain '/'"
++ )
++ end
+ end
+
+ def dir()
+--
+2.13.6
+
diff --git a/SOURCES/bz1557253-03-use-rubygem-rack-protection-1.5.5.patch b/SOURCES/bz1557253-03-use-rubygem-rack-protection-1.5.5.patch
new file mode 100644
index 0000000..511f687
--- /dev/null
+++ b/SOURCES/bz1557253-03-use-rubygem-rack-protection-1.5.5.patch
@@ -0,0 +1,25 @@
+From d9737919ae15880da163b768d223cf5149cb8cf4 Mon Sep 17 00:00:00 2001
+From: Ondrej Mular
+Date: Wed, 21 Mar 2018 08:09:07 +0100
+Subject: [PATCH 3/3] use rubygem rack-protection 1.5.5
+
+---
+ pcsd/Gemfile.lock | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pcsd/Gemfile.lock b/pcsd/Gemfile.lock
+index fd5a8dcc..06bfa76c 100644
+--- a/pcsd/Gemfile.lock
++++ b/pcsd/Gemfile.lock
+@@ -8,7 +8,7 @@ GEM
+ open4 (1.3.4)
+ orderedhash (0.0.6)
+ rack (1.6.4)
+- rack-protection (1.5.3)
++ rack-protection (1.5.5)
+ rack
+ rack-test (0.7.0)
+ rack (>= 1.0)
+--
+2.13.6
+
diff --git a/SPECS/pcs.spec b/SPECS/pcs.spec
index f455b64..0e38af2 100644
--- a/SPECS/pcs.spec
+++ b/SPECS/pcs.spec
@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.9.162
-Release: 5%{?dist}
+Release: 5%{?dist}.1
 License: GPLv2
 URL: https://github.com/ClusterLabs/pcs
 Group: System Environment/Base
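Review bot: The new `include?('/')` check just before `def dir()` stops the name from carrying a path, but it still accepts `.` and `..`, which are not file names and resolve to the target directory itself or its parent once joined; what the write then does depends on `dir()` and the save code, both outside the hunk. Requiring a plain basename covers `/`, `.` and `..` in a single condition: `if @file[:name] != File.basename(@file[:name]) || %w[. ..].include?(@file[:name])`, raising the same `PcsdExchangeFormat::Error.for_item` with a message along the lines of `"'name' must be a plain file name"`. A name with an embedded NUL byte also passes the visible checks; Ruby's file functions reject such strings with an ArgumentError, so it would presumably surface from the later write (or from `File.basename` in the condition above) as an ArgumentError rather than a PcsdExchangeFormat error, and testing `@file[:name].include?("\0")` first keeps the error reporting consistent. The validating method's `end` is inside the hunk, but the enclosing `module PcsdFile` continues beyond it.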
@@ -23,7 +23,7 @@ Source11: https://rubygems.org/downloads/backports-3.9.1.gem Source12: https://rubygems.org/downloads/multi_json-1.12.2.gem Source13: https://rubygems.org/downloads/open4-1.3.4.gem Source14: https://rubygems.org/downloads/orderedhash-0.0.6.gem -Source15: https://rubygems.org/downloads/rack-protection-1.5.3.gem +Source15: https://rubygems.org/downloads/rack-protection-1.5.5.gem Source16: https://rubygems.org/downloads/rack-test-0.7.0.gem Source17: https://rubygems.org/downloads/rack-1.6.4.gem Source18: https://rubygems.org/downloads/rpam-ruby19-1.2.1.gem @@ -52,6 +52,9 @@ Patch100: rhel7.patch #rhel7 gui Patch101: change-cman-to-rhel6-in-messages.patch Patch102: show-only-warning-when-crm_mon-xml-is-invalid.patch +Patch103: bz1557253-01-get-rid-of-debug-when-calling-local-pcsd.patch +Patch104: bz1557253-02-sanitize-path-when-saving-booth-config-files.patch +Patch105: bz1557253-03-use-rubygem-rack-protection-1.5.5.patch # git for patches BuildRequires: git @@ -121,7 +124,7 @@ Provides: bundled(rubygem-multi_json) = 1.12.1 Provides: bundled(rubygem-open4) = 1.3.4 Provides: bundled(rubygem-orderedhash) = 0.0.6 Provides: bundled(rubygem-rack) = 1.6.4 -Provides: bundled(rubygem-rack-protection) = 1.5.3 +Provides: bundled(rubygem-rack-protection) = 1.5.5 Provides: bundled(rubygem-rack-test) = 0.6.3 Provides: bundled(rubygem-rpam-ruby19) = 1.2.1 Provides: bundled(rubygem-sinatra) = 1.4.8 @@ -185,6 +188,9 @@ UpdateTimestamps -p1 %{PATCH99} UpdateTimestamps -p1 %{PATCH100} UpdateTimestamps -p1 %{PATCH101} UpdateTimestamps -p1 %{PATCH102} +UpdateTimestamps -p1 %{PATCH103} +UpdateTimestamps -p1 %{PATCH104} +UpdateTimestamps -p1 %{PATCH105} cp -f %SOURCE1 pcsd/public/images 
@@ -420,6 +426,12 @@ run_all_tests %doc pyagentx_README.md %changelog +* Wed Mar 21 2018 Ondrej Mular - 0.9.162-5.el7_5.1 +- Fixed CVE-2018-1086 pcs: Debug parameter removal bypass, allowing information disclosure +- Fixed CVE-2018-1079 pcs: Privilege escalation via authorized user malicious REST call +- Fixed CVE-2018-1000119 rack-protection: Timing attack in authenticity_token.rb +- Resolves: rhbz#1557253 + * Mon Feb 05 2018 Ondrej Mular - 0.9.162-5 - Fixed `pcs cluster auth` in a cluster when not authenticated and using a non-default port - Fixed `pcs cluster auth` in a cluster when previously authenticated using a non-default port and reauthenticating using an implicit default port