Bug 1269782
| Summary: | lsyncd: Direct mode allwos injecting unauthorized filesystem operations [epel-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Adam Mariš <amaris> |
| Component: | lsyncd | Assignee: | Jason Taylor <jtfas90> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | el6 | CC: | filip, jtfas90, lkundrak, martin, pwouters, scenek, troxor0 |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Release Note | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-05 00:29:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1269780 | ||
|
Description
Adam Mariš
2015-10-08 08:11:02 UTC
Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1269780,1269782 # Description of your update notes=Security fix for # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi update submission link instead: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1269780,1269782 We should be able to close this ticket since default-direct.lua doesn't get installed in epel versions of lsyncd: [jason@cent7 ~]$ rpm -qi lsyncd Name : lsyncd Version : 2.1.5 Release : 6.el7 Architecture: x86_64 Install Date: Sat 14 Jan 2017 01:23:48 PM EST Group : Applications/Internet Size : 210392 License : GPLv2+ Signature : RSA/SHA256, Wed 19 Nov 2014 12:02:22 AM EST, Key ID 6a2faea2352c64e5 Source RPM : lsyncd-2.1.5-6.el7.src.rpm Build Date : Tue 18 Nov 2014 10:44:51 AM EST Build Host : buildhw-08.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://code.google.com/p/lsyncd/ Summary : File change monitoring and synchronization daemon Description : Lsyncd watches a local directory trees event monitor interface (inotify). It aggregates and combines events for a few seconds and then spawns one (or more) process(es) to synchronize the changes. By default this is rsync. Lsyncd is thus a light-weight live mirror solution that is comparatively easy to install not requiring new file systems or block devices and does not hamper local file system performance. [jason@cent7 ~]$ rpm -ql lsyncd /etc/logrotate.d/lsyncd /etc/lsyncd.conf /etc/sysconfig/lsyncd /usr/bin/lsyncd /usr/lib/systemd/system/lsyncd.service /usr/share/doc/lsyncd-2.1.5 /usr/share/doc/lsyncd-2.1.5/COPYING /usr/share/doc/lsyncd-2.1.5/ChangeLog /usr/share/doc/lsyncd-2.1.5/examples /usr/share/doc/lsyncd-2.1.5/examples/lbash.lua /usr/share/doc/lsyncd-2.1.5/examples/lecho.lua /usr/share/doc/lsyncd-2.1.5/examples/lgforce.lua /usr/share/doc/lsyncd-2.1.5/examples/limagemagic.lua /usr/share/doc/lsyncd-2.1.5/examples/lpostcmd.lua /usr/share/doc/lsyncd-2.1.5/examples/lrsync.lua /usr/share/doc/lsyncd-2.1.5/examples/lrsyncssh.lua /usr/share/man/man1/lsyncd.1.gz [jason@localhost ~]$ rpm -qi lsyncd Name : lsyncd Relocations: (not relocatable) Version : 2.1.5 Vendor: Fedora Project Release : 0.el6 Build Date: Fri 12 Jun 2015 01:15:21 PM EDT Install Date: Sat 14 Jan 2017 12:33:19 PM EST Build Host: buildvm-21.phx2.fedoraproject.org Group : Applications/Internet Source RPM: lsyncd-2.1.5-0.el6.src.rpm Size : 209441 License: GPLv2+ Signature : RSA/8, Sat 13 Jun 2015 01:03:44 PM EDT, Key ID 3b49df2a0608b895 Packager : Fedora Project URL : http://code.google.com/p/lsyncd/ Summary : File change monitoring and synchronization daemon Description : Lsyncd watches a local directory trees event monitor interface (inotify). It aggregates and combines events for a few seconds and then spawns one (or more) process(es) to synchronize the changes. By default this is rsync. Lsyncd is thus a light-weight live mirror solution that is comparatively easy to install not requiring new file systems or block devices and does not hamper local file system performance. [jason@localhost ~]$ rpm -ql lsyncd /etc/logrotate.d/lsyncd /etc/lsyncd.conf /etc/rc.d/init.d/lsyncd /etc/sysconfig/lsyncd /usr/bin/lsyncd /usr/share/doc/lsyncd-2.1.5 /usr/share/doc/lsyncd-2.1.5/COPYING /usr/share/doc/lsyncd-2.1.5/ChangeLog /usr/share/doc/lsyncd-2.1.5/examples /usr/share/doc/lsyncd-2.1.5/examples/lbash.lua /usr/share/doc/lsyncd-2.1.5/examples/lecho.lua /usr/share/doc/lsyncd-2.1.5/examples/lgforce.lua /usr/share/doc/lsyncd-2.1.5/examples/limagemagic.lua /usr/share/doc/lsyncd-2.1.5/examples/lpostcmd.lua /usr/share/doc/lsyncd-2.1.5/examples/lrsync.lua /usr/share/doc/lsyncd-2.1.5/examples/lrsyncssh.lua /usr/share/man/man1/lsyncd.1.gz /var/log/lsyncd /var/run/lsyncd [jason@localhost ~]$ [jason@localhost ~]$ rpm -qi lsyncd Name : lsyncd Relocations: (not relocatable) Version : 2.1.4 Vendor: Fedora Project Release : 4.el5.1.1 Build Date: Tue 18 Nov 2014 11:11:43 AM EST Install Date: Sat 14 Jan 2017 01:20:59 PM EST Build Host: buildhw-11.phx2.fedoraproject.org Group : Applications/Internet Source RPM: lsyncd-2.1.4-4.el5.1.1.src.rpm Size : 208694 License: GPLv2+ Signature : DSA/SHA1, Wed 19 Nov 2014 12:05:33 AM EST, Key ID 119cc036217521f6 Packager : Fedora Project URL : http://code.google.com/p/lsyncd/ Summary : File change monitoring and synchronization daemon Description : Lsyncd watches a local directory trees event monitor interface (inotify). It aggregates and combines events for a few seconds and then spawns one (or more) process(es) to synchronize the changes. By default this is rsync. Lsyncd is thus a light-weight live mirror solution that is comparatively easy to install not requiring new file systems or block devices and does not hamper local file system performance. [jason@localhost ~]$ rpm -ql lsyncd /etc/logrotate.d/lsyncd /etc/lsyncd.conf /etc/rc.d/init.d/lsyncd /etc/sysconfig/lsyncd /usr/bin/lsyncd /usr/share/doc/lsyncd-2.1.4 /usr/share/doc/lsyncd-2.1.4/COPYING /usr/share/doc/lsyncd-2.1.4/ChangeLog /usr/share/doc/lsyncd-2.1.4/examples /usr/share/doc/lsyncd-2.1.4/examples/lbash.lua /usr/share/doc/lsyncd-2.1.4/examples/lecho.lua /usr/share/doc/lsyncd-2.1.4/examples/lgforce.lua /usr/share/doc/lsyncd-2.1.4/examples/limagemagic.lua /usr/share/doc/lsyncd-2.1.4/examples/lpostcmd.lua /usr/share/doc/lsyncd-2.1.4/examples/lrsync.lua /usr/share/doc/lsyncd-2.1.4/examples/lrsyncssh.lua /usr/share/man/man1/lsyncd.1.gz /var/log/lsyncd /var/run/lsyncd |