Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

The attached debdiff for btrbk fixes CVE-2021-38173 in Buster. This CVE is marked as no-dsa by the security team. The same patch was already uploaded to unstable with version 0.27.1-2.

Thorsten
diff -Nru btrbk-0.27.1/debian/changelog btrbk-0.27.1/debian/changelog --- btrbk-0.27.1/debian/changelog 2018-12-05 22:27:30.000000000 +0100 +++ btrbk-0.27.1/debian/changelog 2021-08-29 19:03:02.000000000 +0200 @@ -1,3 +1,12 @@ +btrbk (0.27.1-1+deb10u1) buster; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2021-38173 + fixes a security vulnerability which would have allowed for an + arbitrary code execution + + -- Thorsten Alteholz <deb...@alteholz.de> Sun, 29 Aug 2021 19:03:02 +0200 + btrbk (0.27.1-1) unstable; urgency=medium * New upstream release. diff -Nru btrbk-0.27.1/debian/patches/CVE-2021-38173.patch btrbk-0.27.1/debian/patches/CVE-2021-38173.patch --- btrbk-0.27.1/debian/patches/CVE-2021-38173.patch 1970-01-01 01:00:00.000000000 +0100 +++ btrbk-0.27.1/debian/patches/CVE-2021-38173.patch 2021-08-29 19:03:02.000000000 +0200 
@@ -0,0 +1,32 @@ +From 58212de771c381cd4fa05625927080bf264e9584 Mon Sep 17 00:00:00 2001 +From: Axel Burri <a...@tty0.ch> +Date: Sun, 21 Mar 2021 12:53:22 +0100 +Subject: [PATCH] ssh_filter_btrbk.sh: fix alternation regex + +Security vulnerability fixed in alternation regex. Specialy crafted +commands may be executed without being propely checked. + +Affects all versions >= btrbk-v0.23.0 + +Regression from: + + ccb5ed5e71 ssh_filter_btrbk: allow "realpath" and "cat /proc/self/mounts" on targets + +Reported by: @protree (responsible disclosure) +--- + ssh_filter_btrbk.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: btrbk-0.27.1/ssh_filter_btrbk.sh +=================================================================== +--- btrbk-0.27.1.orig/ssh_filter_btrbk.sh 2021-08-30 15:04:39.595339393 +0200 ++++ btrbk-0.27.1/ssh_filter_btrbk.sh 2021-08-30 15:04:39.591339393 +0200 +@@ -87,7 +87,7 @@ + return 0 + fi + +- exact_cmd_match="^${allow_exact_list}$"; ++ exact_cmd_match="^(${allow_exact_list})$"; + if [[ $SSH_ORIGINAL_COMMAND =~ $exact_cmd_match ]] ; then + return 0 + fi diff -Nru btrbk-0.27.1/debian/patches/series btrbk-0.27.1/debian/patches/series --- btrbk-0.27.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ btrbk-0.27.1/debian/patches/series 2021-08-29 19:03:02.000000000 +0200 @@ -0,0 +1 @@ +CVE-2021-38173.patch
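Review bot: the changelog entry in the `@@ -1,3 +1,12 @@` hunk is too vague for a security upload: `fixes a security vulnerability which would have allowed for an arbitrary code execution` names neither the affected component nor the upstream fix, so anyone triaging Buster later has to open the patch to learn what changed. Suggest wording along the lines of `* CVE-2021-38173: ssh_filter_btrbk.sh did not anchor its allow-list alternation regex, so specially crafted SSH commands could pass the filter unchecked (upstream commit 58212de771c3).`, which matches what the embedded upstream commit message states.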
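Review bot: the new `debian/patches/CVE-2021-38173.patch` keeps the upstream git header (`From 58212de771c381cd4fa05625927080bf264e9584`, `From: Axel Burri`, `Date:`, `Subject:`) but carries no DEP-3 fields, and the `Index:`/`---`/`+++` lines show it was refreshed with quilt against `btrbk-0.27.1.orig/` on 2021-08-30 rather than applied as the raw upstream commit. Please add at least `Origin: upstream, 58212de771c381cd4fa05625927080bf264e9584` and an `Applied-Upstream:` line so the provenance of the backport is recorded in the patch itself, not only in the changelog.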
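Review bot: the one-line change in the inner `@@ -87,7 +87,7 @@` hunk is the correct fix, and it is worth spelling out why for anyone reviewing the backport. In `exact_cmd_match="^${allow_exact_list}$"` the `^` anchor binds only to the first alternative of the expanded list and `$` only to the last, so an `SSH_ORIGINAL_COMMAND` that merely starts with the first allowed command or ends with the last one satisfies `[[ $SSH_ORIGINAL_COMMAND =~ $exact_cmd_match ]]` and reaches `return 0`; `^(${allow_exact_list})$` groups the alternation so both anchors apply to every alternative. The hunk's leading context shows another `return 0` from a check whose pattern is outside the diff, so please confirm in the Buster copy of `ssh_filter_btrbk.sh` that every other list-built regex in that function is grouped the same way, and consider adding a small shell test that feeds an allowed command with a prefix and a suffix to the filter so this regression is caught if the file is touched again.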