Bug 1165078 (CVE-2014-8990)

Summary: CVE-2014-8990 lsyncd: command injection through backticks in a filename
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: anemec, filip, jtfas90, lkundrak, martin, pwouters, scenek, troxor0
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: lsyncd 2.1.6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2017-04-12 13:51:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1165079, 1165080, 1383855, 1383857

Description Vasyl Kaigorodov 2014-11-18 09:51:06 UTC
It was reported [1] that lsyncd is vulnerable to command injection.
If a filename contains "`" (backticks), whatever is between the backticks will be executed with the privileges of the lsyncd process.
Upstream patch is at [2].

[1]: https://github.com/axkibe/lsyncd/issues/220
[2]: https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52

Comment 1 Vasyl Kaigorodov 2014-11-18 09:51:34 UTC
Created lsyncd tracking bugs for this issue:

Affects: epel-all [bug 1165079]
Affects: fedora-all [bug 1165080]

Comment 2 Murray McAllister 2014-11-19 00:14:35 UTC
CVE request: http://www.openwall.com/lists/oss-security/2014/11/19/1

Comment 3 Martin Prpič 2014-11-20 08:52:49 UTC
MITRE assigned CVE-2014-8990 to this issue:

http://seclists.org/oss-sec/2014/q4/699

Note that there is a concern from MITRE that the fix is incomplete:

The MITRE CVE team does not have a Lua expert. The code change adds:

  local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
  local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')

This does not seem to be the typical fix approach for unsafe input to
a shell. Has anyone concluded that this is an incomplete fix that ought
to be modified before the 2.1.6 release?
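
The question raised here is whether backslash-escaping a short list of characters and dropping the result into a double-quoted shell command is a sound fix. The example below is added to this report and is not lsyncd code or part of either patch: it ports the quoted gsub chain to Python, sets it beside single-quoting (shlex.quote) and checks, with a small POSIX word splitter instead of a live shell, whether a constructed `mv` command parses back to the original filenames. That the escaped paths end up inside "..." in an `mv` command is an assumption.

```python
import re
import shlex

# The patch quoted in comment 3 (Lua gsub chain, ported) backslash-escapes ", ` and $.
# Assumption: lsyncd then interpolates the result inside "..." in the remote command.
def quote_patch_style(path):
    return '"' + path.replace('"', r'\"').replace('`', r'\`').replace('$', r'\$') + '"'

# Inside "...": \ escapes only " \ $ `; an unescaped $ or ` means the shell would expand.
DQ = re.compile(r'"((?:\\["\\$`]|\\(?!["\\$`])|[^"$`\\])*)"')

def posix_split(cmd):
    """Minimal POSIX sh word splitter ('...', "...", backslash). Returns None if a
    quote is unterminated or an unescaped $ or backtick would reach the shell."""
    words, cur, in_word, i = [], [], False, 0
    while i < len(cmd):
        c = cmd[i]
        if c in " \t":                      # word boundary
            words += ["".join(cur)] if in_word else []
            cur, in_word = [], False
        elif c == "'":                      # single quotes: everything literal
            j = cmd.find("'", i + 1)
            if j < 0:
                return None
            cur.append(cmd[i + 1:j])
            in_word, i = True, j
        elif c == '"':                      # double quotes: see DQ above
            m = DQ.match(cmd, i)
            if not m:
                return None
            cur.append(re.sub(r'\\(["\\$`])', r'\1', m.group(1)))
            in_word, i = True, m.end() - 1
        elif c in "$`":                     # unquoted: would be expanded or substituted
            return None
        else:                               # plain char, or \ escaping the next one
            i += c == "\\"
            cur.append(cmd[i:i + 1])
            in_word = True
        i += 1
    return words + ["".join(cur)] if in_word else words

def round_trips(quote, path):
    return posix_split("mv %s %s" % (quote(path), quote(path))) == ["mv", path, path]

# Constructed filenames: backticks (this bug), $ expansion, ' inside, trailing \, " inside.
SAMPLES = ["report-`date`.txt", "$HOME.log", "it's", "trail\\", 'say "hi"']

def audit():
    strategies = {"raw": lambda p: p, "patch": quote_patch_style, "single": shlex.quote}
    return {k: [p for p in SAMPLES if not round_trips(q, p)] for k, q in strategies.items()}
```

`audit()` lists, per strategy, the sample names that do not survive as single literal arguments: the escaping approach handles the backtick and `$` cases but not a trailing backslash, because `\` itself is not on its escape list, while single-quoting passes every sample.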

Comment 4 Martin Prpič 2014-11-26 09:30:04 UTC
(In reply to Martin Prpic from comment #3)
> MITRE assigned CVE-2014-8990 to this issue:
> 
> http://seclists.org/oss-sec/2014/q4/699
> 
> Note that there is a concern from MITRE that the fix is incomplete:
> 

An alternate patch was proposed on oss-sec:

http://seclists.org/oss-sec/2014/q4/796

Comment 5 Fedora Update System 2014-12-03 01:01:07 UTC
lsyncd-2.1.4-4.fc20.1 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-12-03 01:04:44 UTC
lsyncd-2.1.4-4.fc19.1 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-12-06 10:10:08 UTC
lsyncd-2.1.5-6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-12-06 17:09:49 UTC
lsyncd-2.1.5-6.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-12-06 17:10:27 UTC
lsyncd-2.1.4-4.el5.1.1 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-12-06 17:11:33 UTC
lsyncd-2.1.4-4.el6.1.1 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-06-29 18:38:46 UTC
lsyncd-2.1.5-0.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Jason Taylor 2017-01-14 15:15:42 UTC
This should be resolved now in all versions available in fedora/epel.