Bug#788471: elasticsearch: CVE-2015-4165: unspecified arbitrary files modification vulnerability

[Hilko Bengen]

* Salvatore Bonaccorso:

> Did you had a chance to get more details on it?

,----[ http://seclists.org/bugtraq/2015/Jun/53 ]
| Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered
| attack on other applications on the system. The snapshot API may be used
| indirectly to place snapshot metadata files into locations that are
| writeable by the user running the Elasticsearch process. It is possible
| to create a file that another application could read and take action on,
| such as code execution.
`----

Looking at upstream's commits leading to 1.6.0, this seems like a
candidate:

,----
| commit dedbe528d5da95fdb6cccd1d0483aa0ca2c07563
| Author: jaymode <jay.modi at elasticsearch.com>
| Date:   Fri May 29 11:14:46 2015 -0400
| 
|     Snapshot/Restore: fix check for locations in a repository path
|     
|     Currently, when trying to determine if a location is within one of the configured repository
|     paths, we compare a canonical path against an absolute path. These are not always
|     equivalent and this check will fail even when the same directory is used. This changes
|     the logic to to follow that of master, where we use normalized absolute path comparisons. A
|     test has been added that failed with the old code and now passes with the updated method.
`----

Cheers,
-Hilko