[bcfg2/f15] " Wed Sep 07 2011 Fabian Affolter <fabian at bernewireless.net> - 1.1.2-2 - Added patch to fix CVE-2011
Fabian Affolter
fab at fedoraproject.org
Wed Sep 7 20:47:13 UTC 2011
commit 54243c7d1c182f7c6dc0902e80cd9460527e1613
Author: Fabian Affolter <fabian at bernewireless.net>
Date: Wed Sep 7 22:46:28 2011 +0200
" Wed Sep 07 2011 Fabian Affolter <fabian at bernewireless.net> - 1.1.2-2
- Added patch to fix CVE-2011-3211
.gitignore | 1 +
bcfg2-1.1.2-unescaped-shell-command-fixes.patch | 170 +++++++++++++++++++++++
bcfg2.spec | 8 +-
3 files changed, 178 insertions(+), 1 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 1c3c5d1..d8b3d22 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
/bcfg2-1.1.2.tar.gz
/bcfg2-1.1.2.tar.gz.gpg
+/bcfg2-1.1.2-unescaped-shell-command-fixes.patch
diff --git a/bcfg2-1.1.2-unescaped-shell-command-fixes.patch b/bcfg2-1.1.2-unescaped-shell-command-fixes.patch
new file mode 100644
index 0000000..fcda3a4
--- /dev/null
+++ b/bcfg2-1.1.2-unescaped-shell-command-fixes.patch
@@ -0,0 +1,170 @@
+--- a/src/lib/Server/Admin/Viz.py
++++ b/src/lib/Server/Admin/Viz.py
+@@ -1,5 +1,6 @@
+ import getopt
+ from subprocess import Popen, PIPE
++import pipes
+ import Bcfg2.Server.Admin
+
+ class Viz(Bcfg2.Server.Admin.MetadataCore):
+@@ -62,7 +63,8 @@ class Viz(Bcfg2.Server.Admin.MetadataCore):
+
+ data = self.Visualize(self.get_repo_path(), hset, bset,
+ kset, outputfile)
+- print data
++ if data:
++ print(data)
+ raise SystemExit, 0
+
+ def Visualize(self, repopath, hosts=False,
+@@ -73,11 +75,21 @@ class Viz(Bcfg2.Server.Admin.MetadataCore):
+ else:
+ format = 'png'
+
+- cmd = "dot -T%s" % (format)
++ cmd = ["dot", "-T", format]
+ if output:
+- cmd += " -o %s" % output
+- dotpipe = Popen(cmd, shell=True, stdin=PIPE,
+- stdout=PIPE, close_fds=True)
++ cmd.extend(["-o", output])
++ try:
++ dotpipe = Popen(cmd, stdin=PIPE, stdout=PIPE, close_fds=True)
++ except OSError:
++ # on some systems (RHEL 6), you cannot run dot with
++ # shell=True. on others (Gentoo with Python 2.7), you
++ # must. In yet others (RHEL 5), either way works. I have
++ # no idea what the difference is, but it's kind of a PITA.
++ cmd = ["dot", "-T", pipes.quote(format)]
++ if output:
++ cmd.extend(["-o", pipes.quote(output)])
++ dotpipe = Popen(cmd, shell=True,
++ stdin=PIPE, stdout=PIPE, close_fds=True)
+ try:
+ dotpipe.stdin.write("digraph groups {\n")
+ except:
+diff --git a/src/lib/Server/Plugins/Cfg.py b/src/lib/Server/Plugins/Cfg.py
+index dd1e792..07be42c 100644
+--- a/src/lib/Server/Plugins/Cfg.py
++++ b/src/lib/Server/Plugins/Cfg.py
+@@ -7,6 +7,7 @@ import lxml
+ import os
+ import re
+ import tempfile
++from subprocess import Popen, PIPE
+
+ import Bcfg2.Server.Plugin
+
+@@ -32,17 +33,16 @@ def process_delta(data, delta):
+ basefile.write(data)
+ basefile.close()
+ os.close(basehandle)
+- dhandle, dname = tempfile.mkstemp()
+- dfile = open(dname, 'w')
+- dfile.write(delta.data)
+- dfile.close()
+- os.close(dhandle)
+- ret = os.system("patch -uf %s < %s > /dev/null 2>&1" \
+- % (basefile.name, dfile.name))
++
++ cmd = ["patch", "-u", "-f", basefile.name]
++ patch = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
++ stderr = patch.communicate(input=delta.data)[1]
++ ret = patch.wait()
+ output = open(basefile.name, 'r').read()
+- [os.unlink(fname) for fname in [basefile.name, dfile.name]]
++ os.unlink(basefile.name)
+ if ret >> 8 != 0:
+- raise Bcfg2.Server.Plugin.PluginExecutionError, ('delta', delta)
++ logger.error("Error applying diff %s: %s" % (delta.name, stderr))
++ raise Bcfg2.Server.Plugin.PluginExecutionError('delta', delta)
+ return output
+
+ class CfgMatcher:
+diff --git a/src/lib/Server/Plugins/Hg.py b/src/lib/Server/Plugins/Hg.py
+index 3f2864a..70e33ef 100644
+--- a/src/lib/Server/Plugins/Hg.py
++++ b/src/lib/Server/Plugins/Hg.py
+@@ -1,6 +1,5 @@
+ import os
+ from mercurial import ui, hg
+-from subprocess import Popen, PIPE
+ import Bcfg2.Server.Plugin
+
+ # for debugging output only
+diff --git a/src/lib/Server/Plugins/SSHbase.py b/src/lib/Server/Plugins/SSHbase.py
+index 6d68ecb..e3470d5 100644
+--- a/src/lib/Server/Plugins/SSHbase.py
++++ b/src/lib/Server/Plugins/SSHbase.py
+@@ -3,6 +3,7 @@ __revision__ = '$Revision$'
+
+ import binascii
+ import os
++import sys
+ import socket
+ import shutil
+ import tempfile
+@@ -162,8 +163,7 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin,
+ self.ipcache[client] = (ipaddr, client)
+ return (ipaddr, client)
+ except socket.gaierror:
+- cmd = "getent hosts %s" % client
+- ipaddr = Popen(cmd, shell=True, \
++ ipaddr = Popen(["getent", "hosts", client],
+ stdout=PIPE).stdout.read().strip().split()
+ if ipaddr:
+ self.ipcache[client] = (ipaddr, client)
+@@ -252,10 +252,18 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin,
+ "H_%s" % client])
+ tempdir = tempfile.mkdtemp()
+ temploc = "%s/%s" % (tempdir, hostkey)
+- cmd = 'ssh-keygen -q -f %s -N "" -t %s -C root@%s < /dev/null'
+- os.system(cmd % (temploc, keytype, client))
+- shutil.copy(temploc, fileloc)
+- shutil.copy("%s.pub" % temploc, publoc)
++ cmd = ["ssh-keygen", "-q", "-f", temploc, "-N", "",
++ "-t", keytype, "-C", "root@%s" % client]
++ proc = Popen(cmd, stdout=PIPE, stdin=PIPE)
++ proc.communicate()
++ proc.wait()
++
++ try:
++ shutil.copy(temploc, fileloc)
++ shutil.copy("%s.pub" % temploc, publoc)
++ except IOError:
++ err = sys.exc_info()[1]
++ self.logger.error("Temporary SSH keys not found: %s" % err)
+ self.AddEntry(hostkey)
+ self.AddEntry(".".join([hostkey.split('.')[0]]+['pub', "H_%s" \
+ % client]))
+@@ -264,7 +272,9 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin,
+ os.unlink("%s.pub" % temploc)
+ os.rmdir(tempdir)
+ except OSError:
+- self.logger.error("Failed to unlink temporary ssh keys")
++ err = sys.exc_info()[1]
++ self.logger.error("Failed to unlink temporary ssh keys: %s"
++ % err)
+
+ def AcceptChoices(self, _, metadata):
+ return [Bcfg2.Server.Plugin.Specificity(hostname=metadata.hostname)]
+diff --git a/src/lib/Server/Plugins/Svn.py b/src/lib/Server/Plugins/Svn.py
+index cb4ab64..9fd6f10 100644
+--- a/src/lib/Server/Plugins/Svn.py
++++ b/src/lib/Server/Plugins/Svn.py
+@@ -1,4 +1,5 @@
+ import os
++import pipes
+ from subprocess import Popen, PIPE
+ import Bcfg2.Server.Plugin
+
+@@ -35,7 +36,7 @@ class Svn(Bcfg2.Server.Plugin.Plugin,
+ """Read svn revision information for the Bcfg2 repository."""
+ try:
+ data = Popen(("env LC_ALL=C svn info %s" %
+- (self.datastore)), shell=True,
++ pipes.quote(self.datastore)), shell=True,
+ stdout=PIPE).communicate()[0].split('\n')
+ return [line.split(': ')[1] for line in data \
+ if line[:9] == 'Revision:'][-1]
+--
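Review bot: In Cfg.py's process_delta the new `if ret >> 8 != 0` check can never fire, because `Popen.wait()` returns the already-decoded exit status (same as `returncode`), not the raw `os.system()` wait status the removed line was shifting; a failing `patch` now logs nothing and the partially-patched temp file is returned as good configuration. The test should read `if patch.returncode != 0:` (and since `communicate()` already reaps the child, the separate `wait()` call is redundant). The Viz.py `OSError` fallback has a related slip: passing a list to `Popen(..., shell=True)` hands only the first element to the shell as the command line, so `-T`, the format and `-o output` are silently dropped — build one string there instead, `cmd = "dot -T%s" % pipes.quote(format)` followed by `cmd += " -o %s" % pipes.quote(output)` when output is set, and pass that string with shell=True. Both process_delta and Visualize begin outside their hunks, so the rest of their control flow is not visible here.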
diff --git a/bcfg2.spec b/bcfg2.spec
index 24383e4..e7c998e 100644
--- a/bcfg2.spec
+++ b/bcfg2.spec
@@ -4,7 +4,7 @@
Name: bcfg2
Version: 1.1.2
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Configuration management system
Group: Applications/System
@@ -12,6 +12,7 @@ License: BSD
URL: http://bcfg2.org
Source0: ftp://ftp.mcs.anl.gov/pub/bcfg/bcfg2-%{version}.tar.gz
Source1: ftp://ftp.mcs.anl.gov/pub/bcfg/bcfg2-%{version}.tar.gz.gpg
+Patch0: bcfg2-1.1.2-unescaped-shell-command-fixes.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -100,6 +101,8 @@ do
%{__sed} -i -e '/^#!/,1d' $f
done
+%patch0 -p0 -b .unescaped-shell-command-fixes
+
%build
%{__python} -c 'import setuptools; execfile("setup.py")' build
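Review bot: `%patch0 -p0` does not match the headers in the bundled patch, which carry git-style prefixes (`--- a/src/lib/Server/Admin/Viz.py`, `+++ b/src/...`); with a strip count of 0, patch will look for `a/src/lib/...` rather than `src/lib/...`. This presumably should be `%patch0 -p1 -b .unescaped-shell-command-fixes` — worth confirming with a scratch build, since the surrounding %prep stanza is only partly visible in this hunk and a silently skipped patch would leave the CVE-2011-3211 fix unapplied in the shipped package.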
@@ -205,6 +208,9 @@ fi
%dir %{_var}/lib/bcfg2
%changelog
+* Wed Sep 07 2011 Fabian Affolter <fabian at bernewireless.net> - 1.1.2-2
+- Added patch to fix CVE-2011-3211
+
* Thu Jun 02 2011 Fabian Affolter <fabian at bernewireless.net> - 1.1.2-1
- Updated to new upstream version 1.1.2
- Pooled file section entries to reduce future maintenance