Bug#1000485: marked as done (bullseye-pu: package btrbk/0.27.1-1.1+deb11u2)

Debian Bug Tracking System Sat, 18 Dec 2021 13:04:28 -0800

Your message dated Sat, 18 Dec 2021 20:57:56 +0000
with message-id 
<7c5e58422d4fd1d02cfae36eca731d5d90ba0743.ca...@adam-barratt.org.uk>
and subject line Closing bugs for p-u requests included in 11.2 (part the deux)
has caused the Debian Bug report #1000485,
regarding bullseye-pu: package btrbk/0.27.1-1.1+deb11u2
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1000485: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000485
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

The attached debdiff for btrbk fixes a regression of CVE-2021-38173 in
Bullseye.

The regression was reported in #996260 [1] and a pointer to the fix was

provided. There was at least one report about a now working version+deb10u2 in Buster, which is based on the same version as Bullseye.


  Thorsten

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996260

diff -Nru btrbk-0.27.1/debian/changelog btrbk-0.27.1/debian/changelog
--- btrbk-0.27.1/debian/changelog       2021-08-29 19:03:02.000000000 +0200
+++ btrbk-0.27.1/debian/changelog       2021-11-23 20:03:02.000000000 +0100
@@ -1,3 +1,11 @@
+btrbk (0.27.1-1.1+deb11u2) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * regression fix for CVE-2021-38173
+    (Closes: #996260, #996266)
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Tue, 23 Nov 2021 20:03:02 +0100
+
 btrbk (0.27.1-1.1+deb11u1) bullseye; urgency=high
 
   * Non-maintainer upload by the LTS Team.
diff -Nru btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch 
btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch
--- btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch 1970-01-01 
01:00:00.000000000 +0100
+++ btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch 2021-11-23 
20:03:02.000000000 +0100
@@ -0,0 +1,51 @@
+commit c03e960d9044961fcfbeaa5d5aeb5bcc1bc0cc7a
+Author: Axel Burri <a...@tty0.ch>
+Date:   Tue Nov 19 22:07:37 2019 +0100
+
+    ssh_filter_btrbk.sh: exclude "btrfs subvolume show|list" from restrict-path
+    
+    btrbk requires "btrfs subvolume list|show" queries from the mount
+    point in order to build btrfs trees. This conflicts with tightly set
+    --restrict-path.
+
+Index: btrbk-0.27.1/doc/ssh_filter_btrbk.1.asciidoc
+===================================================================
+--- btrbk-0.27.1.orig/doc/ssh_filter_btrbk.1.asciidoc  2021-11-23 
15:52:22.921452288 +0100
++++ btrbk-0.27.1/doc/ssh_filter_btrbk.1.asciidoc       2021-11-23 
15:52:22.917452292 +0100
+@@ -34,8 +34,8 @@
+ 
+ The following commands are always allowed:
+ 
+- - "btrfs subvolume show"
+- - "btrfs subvolume list"
++ - "btrfs subvolume show" (not affected by "--restrict-path")
++ - "btrfs subvolume list" (not affected by "--restrict-path")
+  - "readlink"
+  - "cat /proc/self/mountinfo"
+  - pipes through "gzip", "pigz", "bzip2", "pbzip2", "xz", "lzop",
+@@ -79,7 +79,8 @@
+     Allow btrfs receive command: "btrfs receive".
+ 
+ -p, --restrict-path <path>::
+-    Restrict btrfs commands to <path>.
++    Restrict commands to <path>. Note that "btrfs subvolume show",
++    "btrfs subvolume list" are NOT affected by this option.
+ 
+ -l, --log::
+     Log ACCEPT and REJECT messages to the system log.
+Index: btrbk-0.27.1/ssh_filter_btrbk.sh
+===================================================================
+--- btrbk-0.27.1.orig/ssh_filter_btrbk.sh      2021-11-23 15:52:22.921452288 
+0100
++++ btrbk-0.27.1/ssh_filter_btrbk.sh   2021-11-23 15:52:22.921452288 +0100
+@@ -161,8 +161,9 @@
+     shift
+ done
+ 
+-allow_cmd "${sudo_prefix}btrfs subvolume show"; # subvolume queries are 
always allowed
+-allow_exact_cmd "${sudo_prefix}btrfs subvolume list ${file_match}"; # 
subvolume queries are always allowed
++# NOTE: subvolume queries no NOT affected by "--restrict-path":
++# btrbk also calls show/list on the mount point of the subvolume
++allow_exact_cmd "${sudo_prefix}btrfs subvolume (show|list)( ${option_match})* 
${file_match}";
+ allow_cmd "${sudo_prefix}readlink"              # used to resolve mountpoints
+ allow_exact_cmd "cat /proc/self/mountinfo"      # used to resolve mountpoints
+ allow_exact_cmd "cat /proc/self/mounts"         # legacy, for btrbk < 0.27.0
diff -Nru btrbk-0.27.1/debian/patches/series btrbk-0.27.1/debian/patches/series
--- btrbk-0.27.1/debian/patches/series  2021-08-29 19:03:02.000000000 +0200
+++ btrbk-0.27.1/debian/patches/series  2021-11-23 20:03:02.000000000 +0100
@@ -1 +1,2 @@
 CVE-2021-38173.patch
+CVE-2021-38173-regression.patch

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 11.2

Hi,

Each of the updates referenced by these requests was included in
today's bullseye point release, but my original closure mail failed to
correctly handle 7-digit bug numbers. Fixing that omission now.

Regards,

Adam

--- End Message ---

Bug#1000485: marked as done (bullseye-pu: package btrbk/0.27.1-1.1+deb11u2)

Reply via email to