lsyncd: CVE-2014-8990: Crash and/or code execution on `, $, " in file names

Related Vulnerabilities: CVE-2014-8990  

Debian Bug report logs - #767227


Package: lsyncd; Maintainer for lsyncd is Jan Dittberner <jandd@debian.org>; Source for lsyncd is src:lsyncd (PTS, buildd, popcon).

Reported by: "creshal" <creshal@sayaka.ad.tao.at>

Date: Wed, 29 Oct 2014 13:15:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version lsyncd/2.0.7-3

Fixed in versions lsyncd/2.1.5-2, lsyncd/2.0.7-3+deb7u1

Done: Jan Dittberner <jandd@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jan Dittberner <jandd@debian.org>:
Bug#767227; Package lsyncd. (Wed, 29 Oct 2014 13:15:06 GMT) (full text, mbox, link).


Acknowledgement sent to "creshal" <creshal@sayaka.ad.tao.at>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jan Dittberner <jandd@debian.org>. (Wed, 29 Oct 2014 13:15:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "creshal" <creshal@sayaka.ad.tao.at>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lsyncd: Crash and/or code execution on `, $, " in file names
Date: Wed, 29 Oct 2014 14:06:30 +0100
[Message part 1 (text/plain, inline)]
Package: lsyncd
Version: 2.0.7-3
Severity: important
Tags: security patch

cf. upstream bug report and fix at
 https://github.com/axkibe/lsyncd/issues/220

This is the same patch backported to the lsyncd version in stable.

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lsyncd depends on:
ii  libc6        2.13-38+deb7u4
ii  liblua5.1-0  5.1.5-4+deb7u1
ii  lua5.1       5.1.5-4+deb7u1
ii  rsync        3.0.9-4

lsyncd recommends no packages.

lsyncd suggests no packages.

-- no debconf information
[fix-shell-escapes.patch (text/x-diff, attachment)]

Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 29 Oct 2014 15:48:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jan Dittberner <jandd@debian.org>:
Bug#767227; Package lsyncd. (Wed, 19 Nov 2014 00:15:09 GMT) (full text, mbox, link).


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Jan Dittberner <jandd@debian.org>. (Wed, 19 Nov 2014 00:15:09 GMT) (full text, mbox, link).


Message #12 received at 767227@bugs.debian.org (full text, mbox, reply):

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 767227@bugs.debian.org
Subject: CVE request: lsyncd command injection
Date: Wed, 19 Nov 2014 11:13:52 +1100
Good morning,

There is a command injection flaw in lsyncd, a file change monitoring 
and synchronization daemon:

https://github.com/axkibe/lsyncd/issues/220

https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227

Could a CVE please be assigned?

Thanks,

--
Murray McAllister / Red Hat Product Security



Information forwarded to debian-bugs-dist@lists.debian.org, Jan Dittberner <jandd@debian.org>:
Bug#767227; Package lsyncd. (Thu, 20 Nov 2014 07:06:08 GMT) (full text, mbox, link).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Jan Dittberner <jandd@debian.org>. (Thu, 20 Nov 2014 07:06:08 GMT) (full text, mbox, link).


Message #17 received at 767227@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org
To: mmcallis@redhat.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 767227@bugs.debian.org
Subject: Re: CVE request: lsyncd command injection
Date: Thu, 20 Nov 2014 01:55:09 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> There is a command injection flaw in lsyncd, a file change monitoring
> and synchronization daemon:
> 
> https://github.com/axkibe/lsyncd/issues/220
> 
> https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227

Use CVE-2014-8990. The scope of this CVE ID includes both:

  1. code execution with ` characters or other characters that are
     special to a shell
  2. denial of service scenarios in which a user with write access
     to a local directory uses special characters to make
     synchronization fail (might have security relevance in some
     scenarios)

The MITRE CVE team does not have a Lua expert. The code change adds:

  local path4 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
  local path4 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')

This does not seem to be the typical fix approach for unsafe input to
a shell. Has anyone concluded that this is an incomplete fix that ought
to be modified before the 2.1.6 release?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUbY53AAoJEKllVAevmvmsovEH/RdJAnkv4IR3AiSZ9RUVjmn7
5U52az+5OPJLx3P3Z7MrEytMirvjrr3/tWYu06FDfOFRgwSc0lbt5DHjr2+dBemw
kSsuw7BUc7NBAploOFyX/HEqafSYNs4ykRCKxtYhrnqq9R/pa+E86Ol74lxqqXX+
0gwKt3j49qrs+t7Ll7QWn3BdnGgtLNjMn0Zh4kgczUnevZ4wY4ssohM5JQXC9ImS
IlbXuy0INovx9j1DBplNrGQ07p3ETjH0gcYcucb/MvS6r1RaJXXrrg3bd5CUVEpj
kwyDtPrs/LuSj+Gi+wq4xRBpzmXxLoJ2yc4Czg+ch5qFToXx0cu9Zo/LOJB9m9g=
=q6u/
-----END PGP SIGNATURE-----



Changed Bug title to 'lsyncd: CVE-2014-8990: Crash and/or code execution on `, $, " in file names' from 'lsyncd: Crash and/or code execution on `, $, " in file names' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Nov 2014 07:12:15 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jan Dittberner <jandd@debian.org>:
Bug#767227; Package lsyncd. (Fri, 21 Nov 2014 11:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Samuel <mik@miknet.net>:
Extra info received and forwarded to list. Copy sent to Jan Dittberner <jandd@debian.org>. (Fri, 21 Nov 2014 11:27:07 GMT) (full text, mbox, link).


Message #24 received at 767227@bugs.debian.org (full text, mbox, reply):

From: Michael Samuel <mik@miknet.net>
To: oss-security@lists.openwall.com
Cc: cve-assign@mitre.org, 767227@bugs.debian.org
Subject: Re: [oss-security] Re: CVE request: lsyncd command injection
Date: Fri, 21 Nov 2014 22:24:21 +1100
On 20 November 2014 17:55,  <cve-assign@mitre.org> wrote:
> Use CVE-2014-8990. The scope of this CVE ID includes both:
>   2. denial of service scenarios in which a user with write access
>      to a local directory uses special characters to make
>      synchronization fail (might have security relevance in some
>      scenarios)

Note that you can still make synchronization fail, because it calls
rsync to perform the synchronization.

See https://github.com/therealmik/rsync-collision for some precomputed blocks

Regards,
  Michael



Information forwarded to debian-bugs-dist@lists.debian.org, Jan Dittberner <jandd@debian.org>:
Bug#767227; Package lsyncd. (Wed, 26 Nov 2014 00:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Ángel González <angel@16bits.net>:
Extra info received and forwarded to list. Copy sent to Jan Dittberner <jandd@debian.org>. (Wed, 26 Nov 2014 00:21:04 GMT) (full text, mbox, link).


Message #29 received at 767227@bugs.debian.org (full text, mbox, reply):

From: Ángel González <angel@16bits.net>
To: oss-security@lists.openwall.com
Cc: mmcallis@redhat.com, cve-assign@mitre.org, 767227@bugs.debian.org, sven.schwedas@tao.at, axkibe@gmail.com
Subject: Re: [oss-security] Re: CVE request: lsyncd command injection
Date: Wed, 26 Nov 2014 00:18:13 +0100
[Message part 1 (text/plain, inline)]
On 20-11-2014 Mitre wrote:
> > There is a command injection flaw in lsyncd, a file change monitoring
> > and synchronization daemon:
> > 
> > https://github.com/axkibe/lsyncd/issues/220
> > 
> > https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
> 
> Use CVE-2014-8990. The scope of this CVE ID includes both:
> 
>   1. code execution with ` characters or other characters that are
>      special to a shell
>   2. denial of service scenarios in which a user with write access
>      to a local directory uses special characters to make
>      synchronization fail (might have security relevance in some
>      scenarios)
> 
> The MITRE CVE team does not have a Lua expert. The code change adds:
> 
>   local path4 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
>   local path4 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
> 
> This does not seem to be the typical fix approach for unsafe input to
> a shell. Has anyone concluded that this is an incomplete fix that ought
> to be modified before the 2.1.6 release?


It is indeed an incomplete fix:

* The gsub ('%$','\\%$') works in lua5.1, but under lua5.2 the second %
character makes lsyncd fail with the error "stdin:1: invalid use of '%'
in replacement string". Thus allowing a complete denial of service.


* Not all metacharacters are filtered, so command execution is still
present. In particular, the escaped characters can be prefixed with a
backslash to bypass the filter.


The attached patch should hopefully solve these issues.

[0001-Properly-sanitize-mv-parameters-CVE-2014-8990.patch (text/x-patch, attachment)]
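The two points raised in the thread above (MITRE's question about whether gsub-style backslash escaping is an adequate fix for shell arguments, and Ángel González's finding that a backslash in front of an escaped character defeats it) can be checked mechanically. The following is an added example, not code from lsyncd or from any patch attached to this bug: it reproduces the original escaping rule in Python, walks the result the way a POSIX shell reads a double-quoted word to see whether any `$`, `` ` `` or `"` is still live, and contrasts it with single-quote wrapping via `shlex.quote`, which is the conventional fix for passing untrusted file names to a shell. The `mv` command strings and file names are constructed for illustration; the Lua 5.2 "invalid use of '%'" failure is not modelled here since it is a Lua pattern-syntax issue rather than a quoting one.

```python
import shlex

# Characters the original (incomplete) fix backslash-escaped inside a
# double-quoted shell argument; backslash itself was left untouched.
NAIVE_ESCAPES = {'"': '\\"', '`': '\\`', '$': '\\$'}


def naive_escape(path: str) -> str:
    """Reproduce the gsub-style rule quoted in the bug log: prefix ", ` and $
    with a backslash and leave every other character (backslash included) alone."""
    return ''.join(NAIVE_ESCAPES.get(ch, ch) for ch in path)


def active_metachars_in_double_quotes(escaped: str) -> list:
    """Scan a string as the shell reads it inside "...", honouring backslash
    escapes, and return the $ ` " characters that would still be interpreted.
    An empty list means the word is inert (no expansion, no early quote end)."""
    active = []
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == '\\' and i + 1 < len(escaped):
            # Inside double quotes a backslash only quotes the next character
            # when that character is one of $ ` " \ or newline.
            if escaped[i + 1] in '$`"\\\n':
                i += 2
                continue
            i += 1          # otherwise the backslash is literal
            continue
        if ch in '$`"':
            active.append(ch)
        i += 1
    return active


def naive_escape_is_inert(path: str) -> bool:
    """True when the naive escaper neutralises every metacharacter in path."""
    return active_metachars_in_double_quotes(naive_escape(path)) == []


def naive_mv_command(src: str, dst: str) -> str:
    """The kind of command the original fix produced (constructed shape)."""
    return 'mv "%s" "%s"' % (naive_escape(src), naive_escape(dst))


def safe_mv_command(src: str, dst: str) -> str:
    """Single-quote each argument; shlex.quote turns an embedded ' into '"'"'
    so no character in the file name retains shell meaning."""
    return 'mv %s %s' % (shlex.quote(src), shlex.quote(dst))


if __name__ == '__main__':
    # Constructed sample file names: the first two are handled by the naive
    # rule, the third is the backslash case Ángel González describes.
    for name in ['price$total', 'a`b"c', 'foo\\$bar']:
        print('%-12r naive inert: %-5s  active: %s' % (
            name, naive_escape_is_inert(name),
            active_metachars_in_double_quotes(naive_escape(name))))
        print('   naive:', naive_mv_command(name, 'dst dir/x'))
        print('   safe: ', safe_mv_command(name, 'dst dir/x'))
```

Running it shows `price$total` and ``a`b"c`` coming out inert under the naive rule, while `foo\$bar` is escaped to `foo\\$bar`, in which the shell pairs the two backslashes and leaves `$bar` as a live expansion. The single-quoted form is inert for all three, which is why wrapping the whole argument (or, better, avoiding the shell entirely and passing an argument vector) is the standard remedy rather than a character blacklist.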

Information forwarded to debian-bugs-dist@lists.debian.org, Jan Dittberner <jandd@debian.org>:
Bug#767227; Package lsyncd. (Wed, 26 Nov 2014 12:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sven Schwedas <sven.schwedas@tao.at>:
Extra info received and forwarded to list. Copy sent to Jan Dittberner <jandd@debian.org>. (Wed, 26 Nov 2014 12:30:04 GMT) (full text, mbox, link).


Message #34 received at 767227@bugs.debian.org (full text, mbox, reply):

From: Sven Schwedas <sven.schwedas@tao.at>
To: 767227@bugs.debian.org
Cc: Ángel González <angel@16bits.net>, oss-security@lists.openwall.com, mmcallis@redhat.com, cve-assign@mitre.org, axkibe@gmail.com
Subject: Re: [oss-security] Re: CVE request: lsyncd command injection
Date: Wed, 26 Nov 2014 13:22:43 +0100
[Message part 1 (text/plain, inline)]
On 2014-11-26 00:18, Ángel González wrote:
> On 20-11-2014 Mitre wrote:
>>> There is a command injection flaw in lsyncd, a file change monitoring
>>> and synchronization daemon:
>>>
>>> https://github.com/axkibe/lsyncd/issues/220
>>>
>>> https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
>>>
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
>>
>> Use CVE-2014-8990. The scope of this CVE ID includes both:
>>
>>   1. code execution with ` characters or other characters that are
>>      special to a shell
>>   2. denial of service scenarios in which a user with write access
>>      to a local directory uses special characters to make
>>      synchronization fail (might have security relevance in some
>>      scenarios)
>>
>> The MITRE CVE team does not have a Lua expert. The code change adds:
>>
>>   local path4 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
>>   local path4 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
>>
>> This does not seem to be the typical fix approach for unsafe input to
>> a shell. Has anyone concluded that this is an incomplete fix that ought
>> to be modified before the 2.1.6 release?
> 
> 
> It is indeed an incomplete fix:
> 
> * The gsub ('%$','\\%$') works in lua5.1, but under lua5.2 the second %
> character makes lsyncd fail with the error "stdin:1: invalid use of '%'
> in replacement string". Thus allowing a complete denial of service
> 
> 
> * Not all metacharacters are filtered, so command execution is still
> present. In particular, the escaped characters can be prefixed with a
> backslash to bypass the filter.
> 
> 
> The attached patch should hopefully solve these issues.

Thank you. I've tested the patch locally and it appears to be working
correctly (mine was more a quick hack to get our own lsyncd instances
running again).
It has also been merged upstream:

> https://github.com/axkibe/lsyncd/commit/e9ffda07f0145f50f2756f8ee3fb0775b455122b

Attached is the patch adapted for Wheezy's lsyncd 2.0.7-3.

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@tao.at | +43 (0)680 301 7167
http://software.tao.at
[0001-Properly-sanitize-mv-parameters-CVE-2014-8990.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jan Dittberner <jandd@debian.org>:
Bug#767227; Package lsyncd. (Mon, 29 Dec 2014 01:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jan Dittberner <jandd@debian.org>. (Mon, 29 Dec 2014 01:39:05 GMT) (full text, mbox, link).


Message #39 received at 767227@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 767227@bugs.debian.org
Subject: Re: [oss-security] Re: CVE request: lsyncd command injection
Date: Mon, 29 Dec 2014 02:34:40 +0100
On Wed, Nov 26, 2014 at 12:18:13AM +0100, Ángel González wrote:
> On 20-11-2014 Mitre wrote:
> > > There is a command injection flaw in lsyncd, a file change monitoring
> > > and synchronization daemon:
> > > 
> > > https://github.com/axkibe/lsyncd/issues/220
> > > 
> > > https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
> > > 
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
> > 
> > Use CVE-2014-8990. The scope of this CVE ID includes both:

What's the status for jessie?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#767227; Package lsyncd. (Mon, 29 Dec 2014 11:15:07 GMT) (full text, mbox, link).


Acknowledgement sent to Jan Dittberner <jandd@debian.org>:
Extra info received and forwarded to list. (Mon, 29 Dec 2014 11:15:07 GMT) (full text, mbox, link).


Message #44 received at 767227@bugs.debian.org (full text, mbox, reply):

From: Jan Dittberner <jandd@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 767227@bugs.debian.org
Subject: Re: Bug#767227: [oss-security] Re: CVE request: lsyncd command injection
Date: Mon, 29 Dec 2014 11:55:35 +0100
[Message part 1 (text/plain, inline)]
On Mon, Dec 29, 2014 at 02:34:40AM +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 26, 2014 at 12:18:13AM +0100, Ángel González wrote:
> > On 20-11-2014 Mitre wrote:
> > > > There is a command injection flaw in lsyncd, a file change monitoring
> > > > and synchronization daemon:
> > > > 
> > > > https://github.com/axkibe/lsyncd/issues/220
> > > > 
> > > > https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
> > > > 
> > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
> > > 
> > > Use CVE-2014-8990. The scope of this CVE ID includes both:
> 
> What's the status for jessie?

Hello,

I just finished packages for Wheezy and Jessie but did not upload them yet.

Attached are the .dsc's, the debian.tar.{gz,xz} and debdiffs for
convenience.

I'll ask the release team for a pre-approval for a Jessie unblock before
uploading to unstable.


Best regards
Jan

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
https://portfolio.debian.net/ - https://people.debian.org/~jandd/
[lsyncd_2.1.5-2.dsc (text/plain, attachment)]
[lsyncd_2.1.5-2.debian.tar.xz (application/x-xz, attachment)]
[lsyncd_2.1.5-1_to_2.1.5-2.debdiff (text/plain, attachment)]
[lsyncd_2.0.7-3+deb7u1.dsc (text/plain, attachment)]
[lsyncd_2.0.7-3+deb7u1.debian.tar.gz (application/gzip, attachment)]
[lsyncd_2.0.7-3_to_2.0.7-3+deb7u1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Jan Dittberner <jandd@debian.org>:
You have taken responsibility. (Mon, 29 Dec 2014 11:36:14 GMT) (full text, mbox, link).


Notification sent to "creshal" <creshal@sayaka.ad.tao.at>:
Bug acknowledged by developer. (Mon, 29 Dec 2014 11:36:14 GMT) (full text, mbox, link).


Message #49 received at 767227-close@bugs.debian.org (full text, mbox, reply):

From: Jan Dittberner <jandd@debian.org>
To: 767227-close@bugs.debian.org
Subject: Bug#767227: fixed in lsyncd 2.1.5-2
Date: Mon, 29 Dec 2014 11:33:54 +0000
Source: lsyncd
Source-Version: 2.1.5-2

We believe that the bug you reported is fixed in the latest version of
lsyncd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 767227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Dittberner <jandd@debian.org> (supplier of updated lsyncd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Dec 2014 11:36:43 +0100
Source: lsyncd
Binary: lsyncd
Architecture: source amd64
Version: 2.1.5-2
Distribution: unstable
Urgency: high
Maintainer: Jan Dittberner <jandd@debian.org>
Changed-By: Jan Dittberner <jandd@debian.org>
Description:
 lsyncd     - daemon to synchronize local directories using rsync
Closes: 767227
Changes:
 lsyncd (2.1.5-2) unstable; urgency=high
 .
   * fix security issue CVE-2014-8990 that allows code execution via shell
     characters in file names and denial of service scenarios by applying
     debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227)
Checksums-Sha1:
 dae3ac0e5f0015a061111766603fddc44d53a330 1608 lsyncd_2.1.5-2.dsc
 a5e2176e3f1c40849933c92a637d8aed5553a372 5492 lsyncd_2.1.5-2.debian.tar.xz
 8487b5289e02c95772c1c4df8abfa16e38ad6769 61858 lsyncd_2.1.5-2_amd64.deb
Checksums-Sha256:
 345755eaf9f94015371d2eac75a587e85c9d5b813362c2bc5bbf25f4e99a2bce 1608 lsyncd_2.1.5-2.dsc
 33de0865276248db19734029a33ebf4e8085ace860c7324e5f76347b5d5ae64a 5492 lsyncd_2.1.5-2.debian.tar.xz
 907a2aeb3e8fefc020cdac095b353e415f42126dcc59a3a14c116c19b4bd95a9 61858 lsyncd_2.1.5-2_amd64.deb
Files:
 787c7abea6eaf7f6142634c75b6eeea1 1608 admin optional lsyncd_2.1.5-2.dsc
 9805dd5c92ba7a19584cb6ce4cc721ef 5492 admin optional lsyncd_2.1.5-2.debian.tar.xz
 cac114703e3a0bcee4d6a349b383e797 61858 admin optional lsyncd_2.1.5-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUoTGYAAoJEA15HcjXN8HZwpAIALAxJXXT5PmExHvWEDC3FRku
+gU1w1pl32h4WZweQHqIrGAthcIrHXafgcVpAclJE4bzkCZlwSMZt/rpmxICLqFG
dHkjlabxYXvz5m/QHqomfufF5Aonw2PPlsbsChe+UnJfK2wo8al4BgDHqfalk1sO
6of12WFgjh69zbTItMOmnLZbR0tUX57oGT3WKKlJgSR8Zn++PwHlMzFRF8qDchIp
TOKp3BcI073HFNhzBhvEJeGOsT1+oWAj4ufrH2F0lRXwRj6N59t3tsELZyhUBXGo
cpxOxfTw5DOSnA1Yna8/BO83wUhLP8QFj8TYQdtIAljVV3vL3YKc2v+z8d07GC4=
=RG8N
-----END PGP SIGNATURE-----




Reply sent to Jan Dittberner <jandd@debian.org>:
You have taken responsibility. (Sat, 17 Jan 2015 11:48:25 GMT) (full text, mbox, link).


Notification sent to "creshal" <creshal@sayaka.ad.tao.at>:
Bug acknowledged by developer. (Sat, 17 Jan 2015 11:48:25 GMT) (full text, mbox, link).


Message #54 received at 767227-close@bugs.debian.org (full text, mbox, reply):

From: Jan Dittberner <jandd@debian.org>
To: 767227-close@bugs.debian.org
Subject: Bug#767227: fixed in lsyncd 2.0.7-3+deb7u1
Date: Sat, 17 Jan 2015 11:47:05 +0000
Source: lsyncd
Source-Version: 2.0.7-3+deb7u1

We believe that the bug you reported is fixed in the latest version of
lsyncd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 767227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Dittberner <jandd@debian.org> (supplier of updated lsyncd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Dec 2014 11:29:15 +0100
Source: lsyncd
Binary: lsyncd
Architecture: source amd64
Version: 2.0.7-3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Jan Dittberner <jandd@debian.org>
Changed-By: Jan Dittberner <jandd@debian.org>
Description: 
 lsyncd     - daemon to synchronize local directories using rsync
Closes: 767227
Changes: 
 lsyncd (2.0.7-3+deb7u1) wheezy-security; urgency=high
 .
   * fix security issue CVE-2014-8990 that allows code execution via shell
     characters in file names and denial of service scenarios by applying
     debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227)
Checksums-Sha1: 
 de9aad1b0735b7299e7742727509b6548ad594a4 1616 lsyncd_2.0.7-3+deb7u1.dsc
 b8e64ea9c83da5546109b8ea47d7fb1ac35ed90c 141498 lsyncd_2.0.7.orig.tar.gz
 bad47ab7f3d96f6e3c6a4ac04f1bfb0c921ddddb 5704 lsyncd_2.0.7-3+deb7u1.debian.tar.gz
 779f22baa1ee40f6d33bc87596707fa1d71e226f 68702 lsyncd_2.0.7-3+deb7u1_amd64.deb
Checksums-Sha256: 
 15cfb8ad316f6854a483136369ca374025628ca69630ca67ad7428ffe50da722 1616 lsyncd_2.0.7-3+deb7u1.dsc
 3c76a6e8acfceea742154afd21f74b220277e54b1ffdb71ee1dc2eb104b0bbde 141498 lsyncd_2.0.7.orig.tar.gz
 59fab8573ba35fb6fd74e020b06e76e632590e6b1372a86399e7132d990fb940 5704 lsyncd_2.0.7-3+deb7u1.debian.tar.gz
 608b1e881981a8a4e516b36e2916fe2577d12954498efdeda48d0da4638c0fb6 68702 lsyncd_2.0.7-3+deb7u1_amd64.deb
Files: 
 46c5dd89069117dd0149705d4f16df32 1616 admin optional lsyncd_2.0.7-3+deb7u1.dsc
 4ef8787f6e3a402a9a2bcb84c123fb17 141498 admin optional lsyncd_2.0.7.orig.tar.gz
 37c43bf253f704a4d9f789a76d45718a 5704 admin optional lsyncd_2.0.7-3+deb7u1.debian.tar.gz
 32a154600e5a347addddd1126d1fea00 68702 admin optional lsyncd_2.0.7-3+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUoyN9AAoJEA15HcjXN8HZk5kIAMo/9eZQDwUsTciXYfuqsJVN
t5sGbgQdmqzFebnhNAvZTsfscXGQPLPOH4nSUi7RCm5rcxo5/XfeZUwzHBKAEtt2
dWtcIXGw/ukrleleqqUhXstDpll+BGFm2QKgAQc08GuZglyDwX5Dnkdh9GMCGhTj
js9FTygWkJmaDMWNyr0C+ksIq8/Wd442ErQJ5kParb4oZFgLIH9tVxT0f8MZG/qX
vkELCFqRM71xk4JG1wUfPDEcFMXwBIAc5jnpQ1h+jKcOMtb9pmZsdTILTvYBf2td
/ZISUJGhnpSfUg+2VMlVWJ407jRk25oiOYHc2nAAJmb7pfvvego61DUQiW/rTJw=
=eYo+
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Feb 2015 07:26:33 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:15:24 2019; Machine Name: beach
