Bug 1269780

Summary: lsyncd: Direct mode allwos injecting unauthorized filesystem operations
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: filip, jtfas90, lkundrak, martin, pwouters, scenek, troxor0
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-26 01:09:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1269781, 1269782    
Bug Blocks:    

Description Adam Mariš 2015-10-08 08:10:25 UTC 
In the default-direct.lua file in the "event.etype == 'Move'" branch, instead of using a direct fork/exec, a shell is spawned. Its arguments aren't quoted so one can inject additional parameters using whitespace characters.

Original bug report containing reproducer and proposed patch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801263
Comment 1 Adam Mariš 2015-10-08 08:11:10 UTC 
Created lsyncd tracking bugs for this issue:

Affects: fedora-all [bug 1269781]
Affects: epel-all [bug 1269782]
Comment 2 Jason Taylor 2017-04-12 13:53:50 UTC 
I believe this issue can be closed as the versions in fedora/epel have all been patched/updated.

JT