Version in base suite: 0.27.1-1.1+deb11u1 Base version: btrbk_0.27.1-1.1+deb11u1 Target version: btrbk_0.27.1-1.1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/btrbk/btrbk_0.27.1-1.1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/btrbk/btrbk_0.27.1-1.1+deb11u2.dsc changelog | 8 +++++ patches/CVE-2021-38173-regression.patch | 51 ++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 60 insertions(+)
diff -Nru btrbk-0.27.1/debian/changelog btrbk-0.27.1/debian/changelog
--- btrbk-0.27.1/debian/changelog 2021-08-29 17:03:02.000000000 +0000
+++ btrbk-0.27.1/debian/changelog 2021-11-23 19:03:02.000000000 +0000
@@ -1,3 +1,11 @@
+btrbk (0.27.1-1.1+deb11u2) bullseye; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * regression fix for CVE-2021-38173
+ (Closes: #996260, #996266)
+
+ -- Thorsten Alteholz Tue, 23 Nov 2021 20:03:02 +0100
+
 btrbk (0.27.1-1.1+deb11u1) bullseye; urgency=high
 
 * Non-maintainer upload by the LTS Team.
diff -Nru btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch
--- btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch 1970-01-01 00:00:00.000000000 +0000
+++ btrbk-0.27.1/debian/patches/CVE-2021-38173-regression.patch 2021-11-23 19:03:02.000000000 +0000
@@ -0,0 +1,51 @@
+commit c03e960d9044961fcfbeaa5d5aeb5bcc1bc0cc7a
+Author: Axel Burri
+Date: Tue Nov 19 22:07:37 2019 +0100
+
+ ssh_filter_btrbk.sh: exclude "btrfs subvolume show|list" from restrict-path
+
+ btrbk requires "btrfs subvolume list|show" queries from the mount
+ point in order to build btrfs trees. This conflicts with tightly set
+ --restrict-path.
+
+Index: btrbk-0.27.1/doc/ssh_filter_btrbk.1.asciidoc
+===================================================================
+--- btrbk-0.27.1.orig/doc/ssh_filter_btrbk.1.asciidoc 2021-11-23 23:50:53.129796659 +0100
++++ btrbk-0.27.1/doc/ssh_filter_btrbk.1.asciidoc 2021-11-23 23:50:53.125796659 +0100
+@@ -34,8 +34,8 @@
+
+ The following commands are always allowed:
+
+- - "btrfs subvolume show"
+- - "btrfs subvolume list"
++ - "btrfs subvolume show" (not affected by "--restrict-path")
++ - "btrfs subvolume list" (not affected by "--restrict-path")
+ - "readlink"
+ - "cat /proc/self/mountinfo"
+ - pipes through "gzip", "pigz", "bzip2", "pbzip2", "xz", "lzop",
+@@ -79,7 +79,8 @@
+ Allow btrfs receive command: "btrfs receive".
+
+ -p, --restrict-path ::
+- Restrict btrfs commands to .
++ Restrict commands to . Note that "btrfs subvolume show",
++ "btrfs subvolume list" are NOT affected by this option.
+
+ -l, --log::
+ Log ACCEPT and REJECT messages to the system log.
+Index: btrbk-0.27.1/ssh_filter_btrbk.sh
+===================================================================
+--- btrbk-0.27.1.orig/ssh_filter_btrbk.sh 2021-11-23 23:50:53.129796659 +0100
++++ btrbk-0.27.1/ssh_filter_btrbk.sh 2021-12-11 01:15:51.396526184 +0100
+@@ -161,8 +161,9 @@
+ shift
+ done
+
+-allow_cmd "${sudo_prefix}btrfs subvolume show"; # subvolume queries are always allowed
+-allow_exact_cmd "${sudo_prefix}btrfs subvolume list ${file_match}"; # subvolume queries are always allowed
++# NOTE: subvolume queries are NOT affected by "--restrict-path":
++# btrbk also calls show/list on the mount point of the subvolume
++allow_exact_cmd "${sudo_prefix}btrfs subvolume (show|list)( ${option_match})* ${file_match}";
+ allow_cmd "${sudo_prefix}readlink" # used to resolve mountpoints
+ allow_exact_cmd "cat /proc/self/mountinfo" # used to resolve mountpoints
+ allow_exact_cmd "cat /proc/self/mounts" # legacy, for btrbk < 0.27.0
diff -Nru btrbk-0.27.1/debian/patches/series btrbk-0.27.1/debian/patches/series
--- btrbk-0.27.1/debian/patches/series 2021-08-29 17:03:02.000000000 +0000
+++ btrbk-0.27.1/debian/patches/series 2021-11-23 19:03:02.000000000 +0000
@@ -1 +1,2 @@
 CVE-2021-38173.patch
+CVE-2021-38173-regression.patch
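Review bot: The new `allow_exact_cmd "${sudo_prefix}btrfs subvolume (show|list)( ${option_match})* ${file_match}";` line in the ssh_filter_btrbk.sh part of the embedded patch deliberately exempts subvolume show/list from `--restrict-path`, and the accompanying NOTE states the reason but not the consequence that a reviewer of the filter needs: a peer bound by `--restrict-path` can still query subvolume metadata for paths outside the restriction. I would extend the comment to `# A --restrict-path client may still run "btrfs subvolume show|list" on any path; these are read-only metadata queries, keep them that way.` Whether the pattern stays a read-only query also depends on `${option_match}` and `${file_match}`, which are defined outside this hunk, so they presumably must remain anchored and free of shell metacharacters, and a cross-reference to their definitions in the comment would help. Replacing the former `allow_cmd` for `show` with an anchored `allow_exact_cmd` is a tightening, assuming `allow_cmd` is a prefix match as its name suggests. The loop that the hunk's leading `shift`/`done` lines close begins outside the hunk.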