--- /dev/null
+--- a/cobbler/action_reposync.py 2018-02-06 16:33:36.000000000 +0100
++++ b/cobbler/action_reposync.py 2018-02-06 17:03:52.000000000 +0100
+@@ -234,7 +234,7 @@
+ dest_path = os.path.join(self.settings.webdir + "/repo_mirror", repo.name)
+
+ # FIXME: wrapper for subprocess that logs to logger
+- cmd = "wget -N -np -r -l inf -nd -P %s %s" % (dest_path, repo_mirror)
++ cmd = "wget -N -np -r -l inf -nd -P '%s' '%s'" % (dest_path, repo_mirror)
+ rc = utils.subprocess_call(self.logger, cmd)
+
+ if rc != 0:
+@@ -268,7 +268,7 @@
+ repo.mirror = "%s/" % repo.mirror
+
+ # FIXME: wrapper for subprocess that logs to logger
+- cmd = "rsync -rltDv --copy-unsafe-links --delete-after %s --delete --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, repo.mirror, dest_path)
++ cmd = "rsync -rltDv --copy-unsafe-links --delete-after %s --delete --exclude-from=/etc/cobbler/rsync.exclude '%s' '%s'" % (spacer, repo.mirror, dest_path)
+ rc = utils.subprocess_call(self.logger, cmd)
+
+ if rc !=0:
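Review bot: Wrapping the `%s` values in literal single quotes on the wget and rsync `cmd` lines does not neutralise a value that itself contains a `'`, so `repo_mirror`, `repo.mirror` or `repo.name` (via `dest_path`) can still close the quote. This matters if `utils.subprocess_call` runs the string through a shell, which passing a single string suggests. Escape each value with the standard library instead, e.g. `cmd = "wget -N -np -r -l inf -nd -P %s %s" % (pipes.quote(dest_path), pipes.quote(repo_mirror))`, do the same for the rsync line, and add `import pipes` at the top of the module. A mirror value beginning with `-` would also still be parsed as an option, so put `--` before the positional arguments or validate the mirror when the repo is saved. Both enclosing methods start and end outside these hunks, so any earlier validation of these fields is not visible here.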
License: GPLv2+
AutoReq: no
Version: 2.6.9
-Release: 1%{?dist}~mos12
+Release: 1%{?dist}~mos13
Source0: https://github.com/cobbler/cobbler/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: cobblerd.logrotate
# Support newer virt-install - https://bugzilla.redhat.com/show_bug.cgi?id=1188424
Patch3: Mirantis-Add-ALLOWED_HOSTS-for-settings.patch
# Bugfix for mangling kernel options with the key --in-place
Patch4: Mirantis-mangling-kopts-bugfix.patch
+# Bugfix for cve-2017-1000469
+Patch5: Mirantis-cve-2017-1000469.patch
Group: Applications/System
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
%patch2 -p1 -b .django17
%patch3 -p1
%patch4 -p1
+%patch5 -p1
%endif
%build
%changelog
+* Tue Feb 6 2018 Denis Meltsaykin <dmeltsaykin@mirantis.com> - 2.6.9-1~mos13
+- Fix for CVE-2017-1000469
+
* Wed Jul 27 2016 Albert Syriy <mos-linux-team@mirantis.com> - 2.6.9-1~mos11
- Bug fix for mangling kernel options with the key --in-place LP#1603615