From: Denis V. Meltsaykin
Date: Tue, 6 Feb 2018 16:11:45 +0000 (+0100)
Subject: Fix for cve-2017-1000469
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=refs%2Fheads%2F9.0;p=packages%2Fcentos7%2Fcobbler.git
Fix for cve-2017-1000469
Since cobbler uses shell when calling external commands it's needed to wrap arguments so shell doesn't treat them as separate commands.
Change-Id: I04f7438abcab12d77f04e697e20c49cb2d7d38b7
Closes-Bug: #1742098
---
diff --git a/Mirantis-cve-2017-1000469.patch b/Mirantis-cve-2017-1000469.patch
new file mode 100644
index 0000000..f9bcc2c
--- /dev/null
+++ b/Mirantis-cve-2017-1000469.patch
@@ -0,0 +1,20 @@
+--- a/cobbler/action_reposync.py 2018-02-06 16:33:36.000000000 +0100
++++ b/cobbler/action_reposync.py 2018-02-06 17:03:52.000000000 +0100
+@@ -234,7 +234,7 @@
+ dest_path = os.path.join(self.settings.webdir + "/repo_mirror", repo.name)
+
+ # FIXME: wrapper for subprocess that logs to logger
+- cmd = "wget -N -np -r -l inf -nd -P %s %s" % (dest_path, repo_mirror)
++ cmd = "wget -N -np -r -l inf -nd -P '%s' '%s'" % (dest_path, repo_mirror)
+ rc = utils.subprocess_call(self.logger, cmd)
+
+ if rc != 0:
+@@ -268,7 +268,7 @@
+ repo.mirror = "%s/" % repo.mirror
+
+ # FIXME: wrapper for subprocess that logs to logger
+- cmd = "rsync -rltDv --copy-unsafe-links --delete-after %s --delete --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, repo.mirror, dest_path)
++ cmd = "rsync -rltDv --copy-unsafe-links --delete-after %s --delete --exclude-from=/etc/cobbler/rsync.exclude '%s' '%s'" % (spacer, repo.mirror, dest_path)
+ rc = utils.subprocess_call(self.logger, cmd)
+
+ if rc !=0:
diff --git a/cobbler.spec b/cobbler.spec
index 5f07c56..09c113a 100644
--- a/cobbler.spec
+++ b/cobbler.spec
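Review bot: Wrapping the interpolated values in `'%s'` in the wget command (inner hunk at +234) and the rsync command (+268) is defeated by a single quote inside the value itself, so a repo mirror URL or name containing `'` still reaches the shell as unquoted syntax; quote each argument with the standard library instead, e.g. `cmd = "wget -N -np -r -l inf -nd -P %s %s" % (pipes.quote(dest_path), pipes.quote(repo_mirror))` (with `import pipes`; `shlex.quote` on Python 3), and likewise for `repo.mirror` and `dest_path` in the rsync line. `spacer` is still interpolated unquoted into the rsync command; its origin is outside the hunk, and if it is derived from configurable values it needs the same treatment. Stronger still would be passing an argument list to subprocess with the shell disabled, if `utils.subprocess_call` supports that, which this hunk does not show. Both inner hunks are excerpts; the enclosing methods start and end outside them.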
@@ -16,7 +16,7 @@ Name: cobbler
 License: GPLv2+
 AutoReq: no
 Version: 2.6.9
-Release: 1%{?dist}~mos12
+Release: 1%{?dist}~mos13
 Source0: https://github.com/cobbler/cobbler/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: cobblerd.logrotate
 # Support newer virt-install - https://bugzilla.redhat.com/show_bug.cgi?id=1188424
@@ -31,6 +31,8 @@ Patch2: cobbler-django17.patch
 Patch3: Mirantis-Add-ALLOWED_HOSTS-for-settings.patch
 # Bugfix for mangling kernel options with the key --in-place
 Patch4: Mirantis-mangling-kopts-bugfix.patch
+# Bugfix for cve-2017-1000469
+Patch5: Mirantis-cve-2017-1000469.patch
 Group: Applications/System
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
@@ -97,6 +99,7 @@ other applications.
 %patch2 -p1 -b .django17
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 %endif
 %build
@@ -296,6 +299,9 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" /usr/share/cobbler/
 %changelog
+* Tue Feb 6 2018 Denis Meltsaykin - 2.6.9-1~mos13
+- Fix for CVE-2017-1000469
+
 * Wed Jul 27 2016 Albert Syriy - 2.6.9-1~mos11
 - Bug fix for mangling kernel options with the key --in-place LP#1603615