diff --git a/SOURCES/openwsman-2.6.5-CVE-2019-3816.patch b/SOURCES/openwsman-2.6.5-CVE-2019-3816.patch new file mode 100644 index 0000000..ba91ba7 --- /dev/null +++ b/SOURCES/openwsman-2.6.5-CVE-2019-3816.patch @@ -0,0 +1,79 @@ +diff -up openwsman-2.6.5/src/server/shttpd/shttpd.c.orig openwsman-2.6.5/src/server/shttpd/shttpd.c +--- openwsman-2.6.5/src/server/shttpd/shttpd.c.orig 2019-03-13 10:20:07.376527798 +0100 ++++ openwsman-2.6.5/src/server/shttpd/shttpd.c 2019-03-13 10:20:07.380527801 +0100 +@@ -336,10 +336,12 @@ date_to_epoch(const char *s) + } + + static void +-remove_double_dots(char *s) ++remove_all_leading_dots(char *s) + { + char *p = s; + ++ while (*s != '\0' && *s == '.') s++; ++ + while (*s != '\0') { + *p++ = *s++; + if (s[-1] == '/' || s[-1] == '\\') +@@ -546,7 +548,7 @@ decide_what_to_do(struct conn *c) + *c->query++ = '\0'; + + _shttpd_url_decode(c->uri, strlen(c->uri), c->uri, strlen(c->uri) + 1); +- remove_double_dots(c->uri); ++ remove_all_leading_dots(c->uri); + + root = c->ctx->options[OPT_ROOT]; + if (strlen(c->uri) + strlen(root) >= sizeof(path)) { +@@ -556,6 +558,7 @@ decide_what_to_do(struct conn *c) + + (void) _shttpd_snprintf(path, sizeof(path), "%s%s", root, c->uri); + ++ DBG(("decide_what_to_do -> processed path: [%s]", path)); + /* User may use the aliases - check URI for mount point */ + if (is_alias(c->ctx, c->uri, &alias_uri, &alias_path) != NULL) { + (void) _shttpd_snprintf(path, sizeof(path), "%.*s%s", +@@ -572,7 +575,10 @@ decide_what_to_do(struct conn *c) + if ((ruri = _shttpd_is_registered_uri(c->ctx, c->uri)) != NULL) { + _shttpd_setup_embedded_stream(c, + ruri->callback, ruri->callback_data); +- } else ++ } else { ++ _shttpd_send_server_error(c, 403, "Forbidden"); ++ } ++#if 0 + if (strstr(path, HTPASSWD)) { + /* Do not allow to view passwords files */ + _shttpd_send_server_error(c, 403, "Forbidden"); +@@ -656,6 +662,7 @@ decide_what_to_do(struct conn *c) + } else { + _shttpd_send_server_error(c, 500, "Internal Error"); + } ++#endif + } + + static int +diff -up openwsman-2.6.5/src/server/wsmand.c.orig openwsman-2.6.5/src/server/wsmand.c +--- openwsman-2.6.5/src/server/wsmand.c.orig 2017-11-28 09:32:15.000000000 +0100 ++++ openwsman-2.6.5/src/server/wsmand.c 2019-03-13 10:20:07.380527801 +0100 +@@ -198,6 +198,10 @@ static void daemonize(void) + int fd; + char *pid; + ++ /* Change our CWD to / */ ++ i = chdir("/"); ++ assert(i == 0); ++ + if (wsmand_options_get_foreground_debug() > 0) { + return; + } +@@ -214,10 +218,6 @@ static void daemonize(void) + log_pid = 0; + setsid(); + +- /* Change our CWD to / */ +- i=chdir("/"); +- assert(i == 0); +- + /* Close all file descriptors. */ + for (i = getdtablesize(); i >= 0; --i) + close(i); diff --git a/SPECS/openwsman.spec b/SPECS/openwsman.spec index 7709a72..55b1b0b 100644 --- a/SPECS/openwsman.spec +++ b/SPECS/openwsman.spec @@ -3,7 +3,7 @@ Name: openwsman Version: 2.6.5 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Open source Implementation of WS-Management License: BSD @@ -20,6 +20,7 @@ Patch2: openwsman-2.4.12-ruby-binding-build.patch Patch3: openwsman-2.6.2-openssl-1.1-fix.patch Patch4: openwsman-2.6.5-http-status-line.patch Patch5: openwsman-2.6.5-fix-set-cipher-list-retval-check.patch +Patch6: openwsman-2.6.5-CVE-2019-3816.patch BuildRequires: swig BuildRequires: libcurl-devel libxml2-devel pam-devel sblim-sfcc-devel BuildRequires: python3 python3-devel ruby ruby-devel rubygems-devel perl-interpreter @@ -126,6 +127,7 @@ You can use it to send shell commands to a remote Windows hosts. %patch3 -p1 -b .openssl-1.1-fix %patch4 -p1 -b .http-status-line %patch5 -p1 -b .fix-set-cipher-list-retval-check +%patch6 -p1 -b .CVE-2019-3816 %build # Removing executable permissions on .c and .h files to fix rpmlint warnings. @@ -282,6 +284,11 @@ rm -f /var/log/wsmand.log %{_bindir}/winrs %changelog +* Mon Apr 01 2019 Vitezslav Crhonek - 2.6.5-5 +- Fix CVE-2019-3816 + Resolves: #1693972 +- Remove Dist Tag from the oldest changelog entry + * Thu Sep 20 2018 Tomas Orsava - 2.6.5-4 - Require the Python interpreter directly instead of using the package name - Related: rhbz#1619153 @@ -581,5 +588,5 @@ rm -f /var/log/wsmand.log * Mon Sep 22 2008 Matt Domsch - 2.1.0-1 - update to 2.1.0, resolves security issues -* Tue Aug 19 2008 - 2.0.0-1%{?dist} +* Tue Aug 19 2008 - 2.0.0-1 - Modified the spec file to adhere to fedora packaging guidelines.