Fixed CVE-2017-2661, support python3-clufter

This commit is contained in:
Tomas Jelinek 2017-03-21 12:10:42 +01:00
parent 195f96ae8d
commit d9cf0440bb
3 changed files with 198 additions and 3 deletions

138
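--- a/bz1428350-01-clufter.patch
+++ b/bz1428350-01-clufter.patch
@@ -0,0 +1,138 @@
+From c5f8001c6f8aad82a6c54311d39111cfa64cd2b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
+Date: Mon, 20 Mar 2017 17:11:32 +0100
+Subject: [PATCH 1/3] cli: skip superfluous text -> bytes conversion on
+clufter's output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Respective outputs are already represented with bytes (as 'bytestring'
+protocol suggests), and moreover, such bytes cannot be "encoded" in
+Python 3 otherwise leading to AttributeError (bytes object has no
+attribute encode) exception.
+Note that this is only relevant in Python 3 context, which pcs uses
+by default in python3-charged distros (e.g. Fedora) and which is now
+supported in clufter (which enabled a discovery of this discrepancy):
+http://oss.clusterlabs.org/pipermail/users/2017-March/005323.html
+Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
+---
+pcs/config.py | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/pcs/config.py b/pcs/config.py
+index d7c30a21..8b5bb166 100644
+--- a/pcs/config.py
++++ b/pcs/config.py
+@@ -698,14 +698,14 @@ def config_import_cman(argv):
+config_backup_add_version_to_tarball(tarball)
+utils.tar_add_file_data(
+tarball,
+- clufter_args_obj.cib["passout"].encode("utf-8"),
++ clufter_args_obj.cib["passout"],
+"cib.xml",
+**file_list["cib.xml"]["attrs"]
+)
+if output_format == "cluster.conf":
+utils.tar_add_file_data(
+tarball,
+- clufter_args_obj.ccs_pcmk["passout"].encode("utf-8"),
++ clufter_args_obj.ccs_pcmk["passout"],
+"cluster.conf",
+**file_list["cluster.conf"]["attrs"]
+)
+@@ -726,7 +726,7 @@ def config_import_cman(argv):
+)("bytestring")
+utils.tar_add_file_data(
+tarball,
+- corosync_conf_data.encode("utf-8"),
++ corosync_conf_data,
+"corosync.conf",
+**file_list["corosync.conf"]["attrs"]
+)
+@@ -744,7 +744,7 @@ def config_import_cman(argv):
+)("bytestring")
+utils.tar_add_file_data(
+tarball,
+- uidgid_data.encode("utf-8"),
++ uidgid_data,
+"uidgid.d/" + filename,
+**file_list["uidgid.d"]["attrs"]
+)
+--
+2.11.0
+From 647fc814f482f14c70fb569fd4fd3b494e57d7c9 Mon Sep 17 00:00:00 2001
+From: Tomas Jelinek <tojeline@redhat.com>
+Date: Wed, 22 Mar 2017 18:41:33 +0100
+Subject: [PATCH 2/3] fix writing clufter output to file with Python 3
+---
+pcs/config.py | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/pcs/config.py b/pcs/config.py
+index 8b5bb166..b42c5983 100644
+--- a/pcs/config.py
++++ b/pcs/config.py
+@@ -676,7 +676,7 @@ def config_import_cman(argv):
+if output_format in ("pcs-commands", "pcs-commands-verbose"):
+ok, message = utils.write_file(
+dry_run_output,
+- clufter_args_obj.output["passout"]
++ clufter_args_obj.output["passout"].decode()
+)
+if not ok:
+utils.err(message)
+@@ -845,7 +845,7 @@ def config_export_pcs_commands(argv, verbose=False):
+if output_file:
+ok, message = utils.write_file(
+output_file,
+- clufter_args_obj.output["passout"]
++ clufter_args_obj.output["passout"].decode()
+)
+if not ok:
+utils.err(message)
+--
+2.11.0
+From c5d73581c8bacfe992f863b49e5902fc33198503 Mon Sep 17 00:00:00 2001
+From: Tomas Jelinek <tojeline@redhat.com>
+Date: Wed, 22 Mar 2017 18:03:09 +0100
+Subject: [PATCH 3/3] do not colorize clufter output if saved to a file
+Clufter improved detecting if the color mode should be enabled so we can
+left the decision to clufter completely.
+---
+pcs/config.py | 4 ----
+1 file changed, 4 deletions(-)
+diff --git a/pcs/config.py b/pcs/config.py
+index b42c5983..04ef02f1 100644
+--- a/pcs/config.py
++++ b/pcs/config.py
+@@ -627,8 +627,6 @@ def config_import_cman(argv):
+"batch": True,
+"sys": "linux",
+"dist": dist,
+- # Make it work on RHEL6 as well for sure
+- "color": "always" if sys.stdout.isatty() else "never"
+}
+if interactive:
+if "EDITOR" not in os.environ:
+@@ -802,8 +800,6 @@ def config_export_pcs_commands(argv, verbose=False):
+"batch": True,
+"sys": "linux",
+"dist": dist,
+- # Make it work on RHEL6 as well for sure
+- "color": "always" if sys.stdout.isatty() else "never",
+"coro": settings.corosync_conf_file,
+"ccs": settings.cluster_conf_file,
+"start_wait": "60",
+--
+2.11.0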
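Review bot: In PATCH 2/3 the two new `.decode()` calls at the `utils.write_file` sites in `config_import_cman` and `config_export_pcs_commands` rely on the codec default; under Python 3 that is UTF-8, but if this code path is still exercised under Python 2, `str.decode()` defaults to ASCII and any non-ASCII clufter output would raise UnicodeDecodeError before the file is written. Writing `clufter_args_obj.output["passout"].decode("utf-8")` at both sites makes the intended encoding explicit and matches the `"utf-8"` that PATCH 1/3 removes on the tar path. Whether a Python 2 path remains is not visible here (this package requires python3-clufter), so for the Fedora build this may be moot. After PATCH 3/3 drops the two `sys.stdout.isatty()` uses, `sys` may be left unused in config.py if those were its only references; that cannot be confirmed from the hunks. Both enclosing functions start and end outside the hunks.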


@ -0,0 +1,48 @@
From 3b23bdc378b6b5a7a5d254e3b4a35bcc10b7e81a Mon Sep 17 00:00:00 2001
From: Ondrej Mular <omular@redhat.com>
Date: Sat, 4 Mar 2017 14:01:43 +0100
Subject: [PATCH] web UI: fixed XSS vulnerability CVE-2017-2661
---
pcsd/public/js/nodes-ember.js | 4 ++--
pcsd/public/js/pcsd.js | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/pcsd/public/js/nodes-ember.js b/pcsd/public/js/nodes-ember.js
index cb2f4d16..41fede89 100644
--- a/pcsd/public/js/nodes-ember.js
+++ b/pcsd/public/js/nodes-ember.js
@@ -75,7 +75,7 @@ Pcs = Ember.Application.createWithMixins({
var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
$.each(this.get("sbd_config"), function(opt, val) {
if (banned_options.indexOf(opt) == -1) {
- out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
+ out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) + '</td></tr>\n';
}
});
return out + '</table>';
@@ -879,7 +879,7 @@ Pcs.ResourceObj = Ember.Object.extend({
}.property("status_val"),
show_status: function() {
return '<span style="' + this.get('status_style') + '">'
- + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+ + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+ '</span>';
}.property("status_style", "disabled"),
status_class: function() {
diff --git a/pcsd/public/js/pcsd.js b/pcsd/public/js/pcsd.js
index c96f9baa..6f57de0f 100644
--- a/pcsd/public/js/pcsd.js
+++ b/pcsd/public/js/pcsd.js
@@ -821,7 +821,7 @@ function auth_nodes_dialog(unauth_nodes, callback_success, callback_success_one)
dialog_obj.find('#auth_nodes_list').empty();
unauth_nodes.forEach(function(node) {
- dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node + '</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
+ dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node) + '-pass"></td></tr>\n');
});
}
--
2.11.0
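Review bot: The `name="' + htmlEncode(node) + '-pass"` site in `auth_nodes_dialog` (pcsd.js hunk) places the encoded value inside a double-quoted attribute, so the fix is only complete if `htmlEncode` escapes `"` in addition to `<`, `>` and `&`; its definition is not part of this patch, so confirm it covers quotes (ideally `'` as well) and not just the text-node characters. In the nodes-ember.js `show_status` hunk, `this.get('status_style')` is still concatenated unescaped into a `style` attribute; if it is derived only from fixed strings keyed on `status_val` that is harmless, but it deserves the same check. A comment at the `htmlEncode` definition along the lines of `// must escape &, <, >, " and ' — callers use it in attribute context too` would record the contract these three call sites now depend on. All three enclosing functions/properties start and end outside the hunks.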


@ -1,6 +1,6 @@
Name: pcs
Version: 0.9.156
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2
URL: https://github.com/ClusterLabs/pcs
Group: System Environment/Base
@ -21,6 +21,8 @@ Patch0: fedfix.patch
Patch1: fix-test.patch
Patch2: fix-libcurl-issues-in-python3.patch
Patch3: fix-linking-fonts-to-pcsd.patch
Patch4: bz1434111-01-web-UI-fixed-XSS-vulnerability-CVE-2017-2661.patch
Patch5: bz1428350-01-clufter.patch
# git for patches
BuildRequires: git
@ -96,8 +98,7 @@ Requires: openssl
Requires: corosync
Requires: pacemaker
Requires: pacemaker-cli
# clufter currently doesn't have python3 package
Requires: python-clufter => 0.59.0
Requires: python3-clufter => 0.70.0
# for post, preun and postun macros
Requires(post): systemd
Requires(preun): systemd
@ -142,6 +143,10 @@ UpdateTimestamps -p1 %{PATCH1}
UpdateTimestamps -p1 %{PATCH2}
%patch3 -p1
UpdateTimestamps -p1 %{PATCH3}
%patch4 -p1
UpdateTimestamps -p1 %{PATCH4}
%patch5 -p1
UpdateTimestamps -p1 %{PATCH5}
mkdir -p pcsd/.bundle
cp -f %SOURCE1 pcsd/.bundle/config
@ -280,6 +285,10 @@ end
%exclude %{python3_sitelib}/pcs/pcs
%changelog
* Thu Mar 23 2017 Tomas Jelinek <tojeline@redhat.com> - 0.9.156-2
- Fixed Cross-site scripting (XSS) vulnerability in web UI CVE-2017-2661
- Re-added support for clufter as it is now available for Python 3
* Wed Feb 22 2017 Tomas Jelinek <tojeline@redhat.com> - 0.9.156-1
- Rebased to latest upstream sources (see CHANGELOG.md)
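Review bot: The new `Requires: python3-clufter => 0.70.0` line carries over the reversed operator from the line it replaces; rpm parses `=>` as greater-or-equal, but the conventional spelling in spec files is `Requires: python3-clufter >= 0.70.0`, which is what readers and lint tooling expect. The rest of this section is patch wiring, a Release bump and the changelog, which need no change.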