diff --git a/bz1428350-01-clufter.patch b/bz1428350-01-clufter.patch
new file mode 100644
index 0000000..ef87d0e
--- /dev/null
+++ b/bz1428350-01-clufter.patch
@@ -0,0 +1,138 @@
+From c5f8001c6f8aad82a6c54311d39111cfa64cd2b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Pokorn=C3=BD?=
+Date: Mon, 20 Mar 2017 17:11:32 +0100
+Subject: [PATCH 1/3] cli: skip superfluous text -> bytes conversion on
+ clufter's output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Respective outputs are already represented with bytes (as 'bytestring'
+protocol suggests), and moreover, such bytes cannot be "encoded" in
+Python 3 otherwise leading to AttributeError (bytes object has no
+attribute encode) exception.
+
+Note that this is only relevant in Python 3 context, which pcs uses
+by default in python3-charged distros (e.g. Fedora) and which is now
+supported in clufter (which enabled a discovery of this discrepancy):
+http://oss.clusterlabs.org/pipermail/users/2017-March/005323.html
+
+Signed-off-by: Jan Pokorný
+---
+ pcs/config.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/pcs/config.py b/pcs/config.py
+index d7c30a21..8b5bb166 100644
+--- a/pcs/config.py
++++ b/pcs/config.py
+@@ -698,14 +698,14 @@ def config_import_cman(argv):
+ config_backup_add_version_to_tarball(tarball)
+ utils.tar_add_file_data(
+ tarball,
+- clufter_args_obj.cib["passout"].encode("utf-8"),
++ clufter_args_obj.cib["passout"],
+ "cib.xml",
+ **file_list["cib.xml"]["attrs"]
+ )
+ if output_format == "cluster.conf":
+ utils.tar_add_file_data(
+ tarball,
+- clufter_args_obj.ccs_pcmk["passout"].encode("utf-8"),
++ clufter_args_obj.ccs_pcmk["passout"],
+ "cluster.conf",
+ **file_list["cluster.conf"]["attrs"]
+ )
+@@ -726,7 +726,7 @@ def config_import_cman(argv):
+ )("bytestring")
+ utils.tar_add_file_data(
+ tarball,
+- corosync_conf_data.encode("utf-8"),
++ corosync_conf_data,
+ "corosync.conf",
+ **file_list["corosync.conf"]["attrs"]
+ )
+@@ -744,7 +744,7 @@ def config_import_cman(argv):
+ )("bytestring")
+ utils.tar_add_file_data(
+ tarball,
+- uidgid_data.encode("utf-8"),
++ 
uidgid_data,
+ "uidgid.d/" + filename,
+ **file_list["uidgid.d"]["attrs"]
+ )
+-- 
+2.11.0
+
+
+From 647fc814f482f14c70fb569fd4fd3b494e57d7c9 Mon Sep 17 00:00:00 2001
+From: Tomas Jelinek
+Date: Wed, 22 Mar 2017 18:41:33 +0100
+Subject: [PATCH 2/3] fix writing clufter output to file with Python 3
+
+---
+ pcs/config.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pcs/config.py b/pcs/config.py
+index 8b5bb166..b42c5983 100644
+--- a/pcs/config.py
++++ b/pcs/config.py
+@@ -676,7 +676,7 @@ def config_import_cman(argv):
+ if output_format in ("pcs-commands", "pcs-commands-verbose"):
+ ok, message = utils.write_file(
+ dry_run_output,
+- clufter_args_obj.output["passout"]
++ clufter_args_obj.output["passout"].decode()
+ )
+ if not ok:
+ utils.err(message)
+@@ -845,7 +845,7 @@ def config_export_pcs_commands(argv, verbose=False):
+ if output_file:
+ ok, message = utils.write_file(
+ output_file,
+- clufter_args_obj.output["passout"]
++ clufter_args_obj.output["passout"].decode()
+ )
+ if not ok:
+ utils.err(message)
+-- 
+2.11.0
+
+
+From c5d73581c8bacfe992f863b49e5902fc33198503 Mon Sep 17 00:00:00 2001
+From: Tomas Jelinek
+Date: Wed, 22 Mar 2017 18:03:09 +0100
+Subject: [PATCH 3/3] do not colorize clufter output if saved to a file
+
+Clufter improved detecting if the color mode should be enabled so we can
+left the decision to clufter completely. 
+---
+ pcs/config.py | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/pcs/config.py b/pcs/config.py
+index b42c5983..04ef02f1 100644
+--- a/pcs/config.py
++++ b/pcs/config.py
+@@ -627,8 +627,6 @@ def config_import_cman(argv):
+ "batch": True,
+ "sys": "linux",
+ "dist": dist,
+- # Make it work on RHEL6 as well for sure
+- "color": "always" if sys.stdout.isatty() else "never"
+ }
+ if interactive:
+ if "EDITOR" not in os.environ:
+@@ -802,8 +800,6 @@ def config_export_pcs_commands(argv, verbose=False):
+ "batch": True,
+ "sys": "linux",
+ "dist": dist,
+- # Make it work on RHEL6 as well for sure
+- "color": "always" if sys.stdout.isatty() else "never",
+ "coro": settings.corosync_conf_file,
+ "ccs": settings.cluster_conf_file,
+ "start_wait": "60",
+-- 
+2.11.0
+
diff --git a/bz1434111-01-web-UI-fixed-XSS-vulnerability-CVE-2017-2661.patch b/bz1434111-01-web-UI-fixed-XSS-vulnerability-CVE-2017-2661.patch
new file mode 100644
index 0000000..34b95c2
--- /dev/null
+++ b/bz1434111-01-web-UI-fixed-XSS-vulnerability-CVE-2017-2661.patch
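Review bot: The two `.decode()` calls added in PATCH 2/3 (the `write_file` arguments in `config_import_cman` and `config_export_pcs_commands`) rely on the interpreter's default codec, which is UTF-8 on Python 3 but ASCII on Python 2, so non-ASCII clufter output would raise UnicodeDecodeError there if pcs still runs under Python 2, as the PATCH 1/3 message suggests it does on some distros. Spelling the codec out, `clufter_args_obj.output["passout"].decode("utf-8")`, also documents the encoding assumption that the `.encode("utf-8")` calls removed in PATCH 1/3 used to make explicit. Separately, PATCH 3/3 removes the only uses of `sys.stdout.isatty()` visible in these hunks; whether `import sys` in pcs/config.py is still needed cannot be judged from here. Both enclosing functions start and end outside the hunks.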
@@ -0,0 +1,48 @@
+From 3b23bdc378b6b5a7a5d254e3b4a35bcc10b7e81a Mon Sep 17 00:00:00 2001
+From: Ondrej Mular
+Date: Sat, 4 Mar 2017 14:01:43 +0100
+Subject: [PATCH] web UI: fixed XSS vulnerability CVE-2017-2661
+
+---
+ pcsd/public/js/nodes-ember.js | 4 ++--
+ pcsd/public/js/pcsd.js | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/pcsd/public/js/nodes-ember.js b/pcsd/public/js/nodes-ember.js
+index cb2f4d16..41fede89 100644
+--- a/pcsd/public/js/nodes-ember.js
++++ b/pcsd/public/js/nodes-ember.js
+@@ -75,7 +75,7 @@ Pcs = Ember.Application.createWithMixins({
+ var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
+ $.each(this.get("sbd_config"), function(opt, val) {
+ if (banned_options.indexOf(opt) == -1) {
+- out += '' + opt + '' + val + '\n';
++ out += '' + htmlEncode(opt) + '' + htmlEncode(val) + '\n';
+ }
+ });
+ return out + '';
+@@ -879,7 +879,7 @@ Pcs.ResourceObj = Ember.Object.extend({
+ }.property("status_val"),
+ show_status: function() {
+ return ''
+- + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
++ + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+ + '';
+ }.property("status_style", "disabled"),
+ status_class: function() {
+diff --git a/pcsd/public/js/pcsd.js b/pcsd/public/js/pcsd.js
+index c96f9baa..6f57de0f 100644
+--- a/pcsd/public/js/pcsd.js
++++ b/pcsd/public/js/pcsd.js
+@@ -821,7 +821,7 @@ function auth_nodes_dialog(unauth_nodes, callback_success, callback_success_one)
+
+ dialog_obj.find('#auth_nodes_list').empty();
+ unauth_nodes.forEach(function(node) {
+- dialog_obj.find('#auth_nodes_list').append("\t\t\t" + node + '\n');
++ dialog_obj.find('#auth_nodes_list').append("\t\t\t" + htmlEncode(node) + '\n');
+ });
+
+ }
+-- 
+2.11.0
+
diff --git a/pcs.spec b/pcs.spec
index 986ca77..a952d7a 100644
--- a/pcs.spec
+++ b/pcs.spec
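Review bot: The fix hinges on `htmlEncode`, which this patch neither adds nor shows; before relying on it at these four call sites, confirm it escapes `&`, `<`, `>`, `"` and `'`, since `opt`/`val`, `status` and `node` all come from cluster-supplied data and the `''` literals around them look like markup dropped during extraction, so whether any value ends up inside an attribute cannot be seen here. For the `auth_nodes_dialog` site, building the element with jQuery and setting `.text(node)` instead of appending a concatenated HTML string would remove the dependency on the encoder altogether. `auth_nodes_dialog` and the Ember object literals start and end outside the hunks.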
@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.9.156
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 URL: https://github.com/ClusterLabs/pcs
 Group: System Environment/Base
@@ -21,6 +21,8 @@ Patch0: fedfix.patch
 Patch1: fix-test.patch
 Patch2: fix-libcurl-issues-in-python3.patch
 Patch3: fix-linking-fonts-to-pcsd.patch
+Patch4: bz1434111-01-web-UI-fixed-XSS-vulnerability-CVE-2017-2661.patch
+Patch5: bz1428350-01-clufter.patch
 
 # git for patches
 BuildRequires: git
@@ -96,8 +98,7 @@ Requires: openssl
 Requires: corosync
 Requires: pacemaker
 Requires: pacemaker-cli
-# clufter currently doesn't have python3 package
-Requires: python-clufter => 0.59.0
+Requires: python3-clufter => 0.70.0
 # for post, preun and postun macros
 Requires(post): systemd
 Requires(preun): systemd
@@ -142,6 +143,10 @@ UpdateTimestamps -p1 %{PATCH1}
 UpdateTimestamps -p1 %{PATCH2}
 %patch3 -p1
 UpdateTimestamps -p1 %{PATCH3}
+%patch4 -p1
+UpdateTimestamps -p1 %{PATCH4}
+%patch5 -p1
+UpdateTimestamps -p1 %{PATCH5}
 
 mkdir -p pcsd/.bundle
 cp -f %SOURCE1 pcsd/.bundle/config
@@ -280,6 +285,10 @@ end
 %exclude %{python3_sitelib}/pcs/pcs
 
 %changelog
+* Thu Mar 23 2017 Tomas Jelinek - 0.9.156-2
+- Fixed Cross-site scripting (XSS) vulnerability in web UI CVE-2017-2661
+- Re-added support for clufter as it is now available for Python 3
+
 * Wed Feb 22 2017 Tomas Jelinek - 0.9.156-1
 - Rebased to latest upstream sources (see CHANGELOG.md)
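Review bot: The new `Requires: python3-clufter => 0.70.0` keeps the `=>` operator from the line it replaces; rpm accepts it as a synonym, but `>=` is the conventional spelling, so `Requires: python3-clufter >= 0.70.0` reads less like a typo to the next maintainer. The Patch4/Patch5 declarations and the matching `%patch4`/`%patch5` lines are consistent with each other.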