mistral: CVE-2018-16849: std.ssh action may disclose presence of arbitrary files

Debian Bug report logs - #912714
mistral: CVE-2018-16849: std.ssh action may disclose presence of arbitrary files

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: mistral: CVE-2018-16849: std.ssh action may disclose presence of arbitrary files

Date: Sat, 03 Nov 2018 08:26:31 +0100

Source: mistral
Version: 7.0.0-1
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.launchpad.net/mistral/+bug/1783708

Hi,

The following vulnerability was published for mistral.

CVE-2018-16849[0]:
| A flaw was found in openstack-mistral. By manipulating the SSH private
| key filename, the std.ssh action can be used to disclose the presence
| of arbitrary files within the filesystem of the executor running the
| action. Since std.ssh private_key_filename can take an absolute path,
| it can be used to assess whether or not a file exists on the
| executor's filesystem.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16849
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16849
[1] https://bugs.launchpad.net/mistral/+bug/1783708

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #8 received at 912714-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 912714-submitter@bugs.debian.org

Subject: Bug #912714 in mistral marked as pending

Date: Mon, 05 Nov 2018 13:39:58 +0000

Control: tag -1 pending

Hello,

Bug #912714 in mistral reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/commit/a9ed372faad22ce141fc7b8d765888553ccad0e8

------------------------------------------------------------------------
  * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
    applied upstream patch: remove extra information from std.ssh action.
    (Closes: #912714).

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/912714

Message #13 received at 912714-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 912714-submitter@bugs.debian.org

Subject: Bug #912714 in mistral marked as pending

Date: Mon, 05 Nov 2018 13:39:59 +0000

Control: tag -1 pending

Hello,

Bug #912714 in mistral reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/commit/3775850e20befca2286969df3d221bb6cbc52738

------------------------------------------------------------------------
  * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
    applied upstream patch: remove extra information from std.ssh action.
    (Closes: #912714).

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/912714

Message #16 received at 912714-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 912714-submitter@bugs.debian.org

Subject: Bug #912714 in mistral marked as pending

Date: Mon, 05 Nov 2018 14:38:05 +0000

Control: tag -1 pending

Hello,

Bug #912714 in mistral reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/commit/da953cf769defe9115dd93706047ab48ce0c6ecc

------------------------------------------------------------------------
  * CVE-2018-16849: add upstream patch "remove extra information from std.ssh
    action" (Closes: #912714).

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/912714

Message #21 received at 912714@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 912714@bugs.debian.org, security@debian.org

Subject: Re: Bug#912714: mistral: CVE-2018-16849: std.ssh action may disclose presence of arbitrary files

Date: Mon, 5 Nov 2018 15:52:57 +0100

On 11/3/18 8:26 AM, Salvatore Bonaccorso wrote:
> Source: mistral
> Version: 7.0.0-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://bugs.launchpad.net/mistral/+bug/1783708
> 
> Hi,
> 
> The following vulnerability was published for mistral.
> 
> CVE-2018-16849[0]:
> | A flaw was found in openstack-mistral. By manipulating the SSH private
> | key filename, the std.ssh action can be used to disclose the presence
> | of arbitrary files within the filesystem of the executor running the
> | action. Since std.ssh private_key_filename can take an absolute path,
> | it can be used to assess whether or not a file exists on the
> | executor's filesystem.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16849
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16849
> [1] https://bugs.launchpad.net/mistral/+bug/1783708
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

Hi Salvatore,

I have fixed the package in Sid, and uploaded a fixed version at:
http://sid.gplhost.com/stretch-proposed-updates/mistral/

The debdiff is here:
http://sid.gplhost.com/stretch-proposed-updates/mistral/mistral_3.0.0-4+deb9u1.debdiff

It's basically a one liner that is outputing on the log instead of
stdout, so trivial to review. Let me know if I should upload (in which
case, I'll need to rebuild with --force-orig-source, I believe).

Cheers,

Thomas Goirand (zigo)

Message #26 received at 912714-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 912714-close@bugs.debian.org

Subject: Bug#912714: fixed in mistral 7.0.0-2

Date: Mon, 05 Nov 2018 14:57:56 +0000

Source: mistral
Source-Version: 7.0.0-2

We believe that the bug you reported is fixed in the latest version of
mistral, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated mistral package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 05 Nov 2018 15:32:27 +0100
Source: mistral
Binary: mistral-api mistral-common mistral-engine mistral-event-engine mistral-executor python3-mistral
Architecture: source all
Version: 7.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 mistral-api - OpenStack Workflow service - API
 mistral-common - OpenStack Workflow service - common files
 mistral-engine - OpenStack Workflow service - Engine
 mistral-event-engine - OpenStack Workflow service - Event Engine
 mistral-executor - OpenStack Workflow service - Executor
 python3-mistral - OpenStack Workflow Service - Python libraries
Closes: 912714
Changes:
 mistral (7.0.0-2) unstable; urgency=high
 .
   * CVE-2018-16849: add upstream patch "remove extra information from std.ssh
     action" (Closes: #912714).
Checksums-Sha1:
 690b36aaef4d1ea65208fbcee8438161023450e0 4599 mistral_7.0.0-2.dsc
 9ad0f4e39fc710978bef6938aaef6ecc88c237f9 7372 mistral_7.0.0-2.debian.tar.xz
 a9a0c15b7d9e20753b99aee25a1a8f78cb3d2823 20672 mistral-api_7.0.0-2_all.deb
 76ae067852d749165dd3806de171a49f8cc284ca 38984 mistral-common_7.0.0-2_all.deb
 7164356359e3b5974ef1c82f59d7a905eb8340ab 7288 mistral-engine_7.0.0-2_all.deb
 90534926575e6215630e74eb097d12764e8c6093 7328 mistral-event-engine_7.0.0-2_all.deb
 4495271f8be9e83b44cab0ce6a299c8c69e0da9f 7284 mistral-executor_7.0.0-2_all.deb
 ee8166f3282c875094999c4dca7bfbdf185958f7 17272 mistral_7.0.0-2_amd64.buildinfo
 bf296a24275b67dca154314bcfbead0e3317491e 280060 python3-mistral_7.0.0-2_all.deb
Checksums-Sha256:
 d673e99a12949ce23a87a4628e739be91e8b6ea1983686f669a1b6734bb20218 4599 mistral_7.0.0-2.dsc
 83ddd3dcfa9ba068da4427a8b045a9ba8adea7eac06489832f81b388d174cbdd 7372 mistral_7.0.0-2.debian.tar.xz
 aef0f6aa27543d2167aff15350b3d506ba286e33d478c54f83d9e95a0617f14d 20672 mistral-api_7.0.0-2_all.deb
 73f8d636b351d91ae437deca711f822a61dbfbda64fb58349d2e7706d44bb148 38984 mistral-common_7.0.0-2_all.deb
 d50a38f7a04652b9d6b493eaebb6524f530db5616e0163e9c1514aa426ceab90 7288 mistral-engine_7.0.0-2_all.deb
 ac7cdcd697bc927a4ead0796fb0e65aea2d811ef2f8c73ee1b0dfe8cbbf3483b 7328 mistral-event-engine_7.0.0-2_all.deb
 dad5b3d88ce6b943aae9cb28aea655fcffd23c95945c353282fee2eb2ed2afd2 7284 mistral-executor_7.0.0-2_all.deb
 21bc2d509adea1ec84751421e449130387f25eb55e3347343ba04b556813aad6 17272 mistral_7.0.0-2_amd64.buildinfo
 b6e483b43316131fe5e6fe2452a07b5a9b86ca1054437f0dc36bbc1879bccfc4 280060 python3-mistral_7.0.0-2_all.deb
Files:
 2ab36b8064b8df62ebef536abee60278 4599 net optional mistral_7.0.0-2.dsc
 a0bd1164770871a40ec23c5af10730f3 7372 net optional mistral_7.0.0-2.debian.tar.xz
 da79c8e8ff70f8f7919992045422a599 20672 net optional mistral-api_7.0.0-2_all.deb
 684948e8ec80c9e6e977299cf5643f84 38984 net optional mistral-common_7.0.0-2_all.deb
 79d156043dc501d5d9e8c58f1d44868d 7288 net optional mistral-engine_7.0.0-2_all.deb
 e6de3e4c4c35bbe60cb8979ded8a720d 7328 net optional mistral-event-engine_7.0.0-2_all.deb
 10becfc8bc27b7a5c4b2c29bbf1d4b2e 7284 net optional mistral-executor_7.0.0-2_all.deb
 2278f52aab03b21e3c63301f35ab4f4c 17272 net optional mistral_7.0.0-2_amd64.buildinfo
 a34a63cbafdf0f21428a80840a63ef4e 280060 python optional python3-mistral_7.0.0-2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtKCq/KhshgVdBnYUq1PlA1hod6YFAlvgVWMACgkQq1PlA1ho
d6YQvA/+NEpHcB8G0Ok1ElI931EuvwLzFiqBl2QNEJLozOyeZMfnM7N0KZvzbDzW
CC+XzEGj09cUmAP9dQXeOi8u7DX1GWI+9E9aTOrpdXlpAxzx8IRCnW8xzRplZl1y
zsNDhjMdgfP6Ix15xcU69jspDMutbXby2DxIzO0NQ+UOmvZ7U6JUDkmYMAIYTnLm
zGfjOpcwUCvuyUsXbIZImvJF0Lq9AhnqF56RNrJY96EdGYpsT7d8mEe0PtPTvtEJ
RTwlPlc/z1V2Pv589sacoCylxXYwRPLaoBdwWLLtzmSESu17B01hTtyystzBFDXt
8di0UnXGr8Y1NM+LQADTtCeOiIH1fArdgpIAcFuXRolFJyvZcY5UVDdMLN636AcI
Tkx4pHRXpCHTTxRltsJUXxHFCIE10EYmyzlAwhzuGoHN4iXkMR/Z2ZsYC+L9zqqQ
fVA8iEzxnHUsaKUrE+oXtx2IIH2mmn3GFcfXI5u8whYURdYArl2MhzEny4GttnlF
Ua67b2ILeWbdsqP/hOWkGSHZIwuXqkEHDD9D93HiZZJVPHzAw8yEdmVt8Pn3JzVP
4DJQXWIeWj4LQqiYbyUvQ1U1NKGvkqijNGh5kDphc3Sc8VJK8WTbs7ONFCSZbJwc
WqI3v7utthBGOhuIleKV0/YeYoTzzR2jmuv86pJjFvxrMvuE/o4=
=p1w1
-----END PGP SIGNATURE-----

Message #31 received at 912714@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Thomas Goirand <zigo@debian.org>

Cc: 912714@bugs.debian.org, security@debian.org

Subject: Re: Bug#912714: mistral: CVE-2018-16849: std.ssh action may disclose presence of arbitrary files

Date: Mon, 5 Nov 2018 21:42:01 +0100

Hi Thomas,

On Mon, Nov 05, 2018 at 03:52:57PM +0100, Thomas Goirand wrote:
> On 11/3/18 8:26 AM, Salvatore Bonaccorso wrote:
> > Source: mistral
> > Version: 7.0.0-1
> > Severity: grave
> > Tags: patch security upstream
> > Forwarded: https://bugs.launchpad.net/mistral/+bug/1783708
> > 
> > Hi,
> > 
> > The following vulnerability was published for mistral.
> > 
> > CVE-2018-16849[0]:
> > | A flaw was found in openstack-mistral. By manipulating the SSH private
> > | key filename, the std.ssh action can be used to disclose the presence
> > | of arbitrary files within the filesystem of the executor running the
> > | action. Since std.ssh private_key_filename can take an absolute path,
> > | it can be used to assess whether or not a file exists on the
> > | executor's filesystem.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-16849
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16849
> > [1] https://bugs.launchpad.net/mistral/+bug/1783708
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> I have fixed the package in Sid, and uploaded a fixed version at:
> http://sid.gplhost.com/stretch-proposed-updates/mistral/

Thanks, I have updated the tracker information.

> The debdiff is here:
> http://sid.gplhost.com/stretch-proposed-updates/mistral/mistral_3.0.0-4+deb9u1.debdiff
> 
> It's basically a one liner that is outputing on the log instead of
> stdout, so trivial to review. Let me know if I should upload (in which
> case, I'll need to rebuild with --force-orig-source, I believe).

The issue was determined to be not severe enough to warrant a DSA (on
its own).  Might you reschedule an update for the next (9.6 is now to
late) point release of stretch?

Thanks already!

Regards,
Salvatore

Message #36 received at 912714-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 912714-close@bugs.debian.org

Subject: Bug#912714: fixed in mistral 3.0.0-4+deb9u1

Date: Mon, 03 Dec 2018 21:47:09 +0000

Source: mistral
Source-Version: 3.0.0-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
mistral, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated mistral package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 05 Nov 2018 14:38:44 +0100
Source: mistral
Binary: python-mistral mistral-common mistral-engine mistral-executor mistral-api
Architecture: source all
Version: 3.0.0-4+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 mistral-api - OpenStack Workflow service - API
 mistral-common - OpenStack Workflow service - common files
 mistral-engine - OpenStack Workflow service - Engine
 mistral-executor - OpenStack Workflow service - Executor
 python-mistral - OpenStack Workflow Service - Python libraries
Closes: 912714
Changes:
 mistral (3.0.0-4+deb9u1) stretch; urgency=medium
 .
   * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
     applied upstream patch: remove extra information from std.ssh action.
     (Closes: #912714).
Checksums-Sha1:
 741d733e1377fc5dff95660ba3d460f5d4894bf2 4150 mistral_3.0.0-4+deb9u1.dsc
 cdf093a7dcbb9a884c5189368fde7977f161eade 28544 mistral_3.0.0-4+deb9u1.debian.tar.xz
 3d68e566416118cc006b2b8cc1238a032be7afc3 27530 mistral-api_3.0.0-4+deb9u1_all.deb
 86f8fa3cf4923239c2f1ec08c42bcdac00dfde17 38760 mistral-common_3.0.0-4+deb9u1_all.deb
 d959bc676bbf6f8a55146a85a045d27a74c30c46 6480 mistral-engine_3.0.0-4+deb9u1_all.deb
 1852242531ee91b08880a80b0ed85bbfd651a88d 6492 mistral-executor_3.0.0-4+deb9u1_all.deb
 d0c9e8bbc938db5b4d65d3b21deba553bd39c3d7 15730 mistral_3.0.0-4+deb9u1_amd64.buildinfo
 8885f7e338326d2e1ba6248cc83be1a6ed494a47 217596 python-mistral_3.0.0-4+deb9u1_all.deb
Checksums-Sha256:
 9b3555def899fd5c4f8385ea530958534f0bb079902ef8ba4cab161a44a2478b 4150 mistral_3.0.0-4+deb9u1.dsc
 ec14c52108a1f18d16b6d6c4e122c2a79ab632410e661adb65ba58d23efa75cd 28544 mistral_3.0.0-4+deb9u1.debian.tar.xz
 de7b27bfbd835626c25757b2f7965503e6f4ffba04894ac212728de5eb27f593 27530 mistral-api_3.0.0-4+deb9u1_all.deb
 6a25778a8b14e5f3e40b7cb0d8f9a2269f01fc7f23b39fe649d8121bd1ae8cce 38760 mistral-common_3.0.0-4+deb9u1_all.deb
 392d9482505ce3fd31d9a840adb960c09d1f358237a34c70db4ab08f86c53d9b 6480 mistral-engine_3.0.0-4+deb9u1_all.deb
 55591519805f70b16af32ac28672f6c0ceabeca3bb3abab3f7cfb261674d7323 6492 mistral-executor_3.0.0-4+deb9u1_all.deb
 a7f2f12f9b784307f50af5a8dd6b1013cb58020ffc0742ebb8f5251f8f075077 15730 mistral_3.0.0-4+deb9u1_amd64.buildinfo
 4a444ba60fde7b37dd4da08187c93977260a596fbf707b67a46d474cee74a7b4 217596 python-mistral_3.0.0-4+deb9u1_all.deb
Files:
 a4c689a6c4dfd45e09c001288ef43715 4150 net extra mistral_3.0.0-4+deb9u1.dsc
 e0a757ab0d8d057a376f8cd0c06e6928 28544 net extra mistral_3.0.0-4+deb9u1.debian.tar.xz
 f588ae8d8688e7d666fe8c641af41a1a 27530 net extra mistral-api_3.0.0-4+deb9u1_all.deb
 ccb0ca88802e43b68e6d0d1dc9248b84 38760 net extra mistral-common_3.0.0-4+deb9u1_all.deb
 0eb591f55700a448fcf549a5117b2566 6480 net extra mistral-engine_3.0.0-4+deb9u1_all.deb
 d93dc4e3c3ce384e1d6a9e2a37447281 6492 net extra mistral-executor_3.0.0-4+deb9u1_all.deb
 ebb0edfcb90e660d5c55ce31af39d3f3 15730 net extra mistral_3.0.0-4+deb9u1_amd64.buildinfo
 0a0fcc854df44313e811d5706f5ca6b5 217596 python extra python-mistral_3.0.0-4+deb9u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtKCq/KhshgVdBnYUq1PlA1hod6YFAlwE428ACgkQq1PlA1ho
d6a1QhAAjOjcYEUr4xzpK0+lPKx6WvQ1MnXJ3Lt9LZvXdu/O2WlgAp6b+RYUe4H8
mpzTrOSPSdpBw6yWM3tsWa55m6H21Kp1lP59m14CuxOLD9vJ2mux1zqqqVUrTjIG
F+2JuM5tqTitaSBGmGt0CfQcXdJ9FuR4Svyh4CZ2B4pT/NnH/U2gQPr0FJ7Eaox4
YKjD5LoQ7VV0pgewlAgKEaB0J06MYOzt5Dy4GuKnXSIE5cLZm0hFjLfHoGnKoinh
dDb2NtOxP7voe4qtrggbzjxuOjtjn9pshCMRasyWVkac1zDN1SEwsq6sSXRyjsrP
S7pzvnohVYYih4fO2GGlzhgcgRci/Z0U6CHWcGrJd2j/0cMUZVB1Cxx3MqT7G0D7
/KyMgY0TYn2BGjlFHCrpxPa2ntLEwjvRzToVgAPsp/HZFK5Mg9ygUQjwzHRfwfzN
Dr98U1ykazwD6/8ZF6KoF912b0SwzzHEGOWw5JcJPX/1tlrwfeIqJUqgrOqaP4+u
0H6QKUBa9D1qXMMmx+ivt24GawrJfUdrbRwY9j2f8KpJe637vvzD2GjTM50Knu4X
0pupNuLr4iT+8zd7bWQFcFRJlaP1bG9+gUCsmjn306oSpDYOh0xnyhUIBQjcwQVK
u1RY7WglHUhrZPQ1bEkUGy7mVIBGlZE9Uy+kTo+rlea4FWmz+JQ=
=qCHL
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.