Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
Chris Lamb
lamby at debian.org
Fri May 24 09:19:00 BST 2019
tags 929283 + patch
thanks
Hi Moritz,
> > > zookeeper: CVE-2019-0201: information disclosure vulnerability
> >
> > Happy to prepare an update for stretch; I plan to do one for jessie
> > LTS (which, helpfully, has the same version...)
>
> Sounds good, we should fix that in Stretch. I've just added the reference
> to the upstream commit in the 3.4 branch to the Security Tracker.
Thanks. Here is my diff:
diff --git a/debian/changelog b/debian/changelog
index ea8c13e..6e92313 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high
+
+ * CVE-2019-0201: Prevent an information disclosure vulnerability where users
+ who were not authorised to read data were able to view the access control
+ list. (Closes: #929283)
+
+ -- Chris Lamb <lamby at debian.org> Fri, 24 May 2019 08:57:53 +0100
+
zookeeper (3.4.9-3+deb9u1) stretch-security; urgency=high
* Team upload.
diff --git a/debian/patches/CVE-2019-11579.patch b/debian/patches/CVE-2019-11579.patch
new file mode 100644
index 0000000..e4c314c
--- /dev/null
+++ b/debian/patches/CVE-2019-11579.patch
@@ -0,0 +1,57 @@
+--- zookeeper-3.4.9.orig/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
++++ zookeeper-3.4.9/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
+@@ -20,6 +20,7 @@ package org.apache.zookeeper.server;
+
+ import java.io.IOException;
+ import java.nio.ByteBuffer;
++import java.util.ArrayList;
+ import java.util.List;
+
+ import org.apache.jute.Record;
+@@ -32,6 +33,7 @@ import org.apache.zookeeper.KeeperExcept
+ import org.apache.zookeeper.KeeperException.SessionMovedException;
+ import org.apache.zookeeper.ZooDefs.OpCode;
+ import org.apache.zookeeper.data.ACL;
++import org.apache.zookeeper.data.Id;
+ import org.apache.zookeeper.data.Stat;
+ import org.apache.zookeeper.proto.CreateResponse;
+ import org.apache.zookeeper.proto.ExistsRequest;
+@@ -308,10 +310,35 @@ public class FinalRequestProcessor imple
+ GetACLRequest getACLRequest = new GetACLRequest();
+ ByteBufferInputStream.byteBuffer2Record(request.request,
+ getACLRequest);
++ DataNode n = zks.getZKDatabase().getNode(getACLRequest.getPath());
++ if (n == null) {
++ throw new KeeperException.NoNodeException();
++ }
++ PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++ ZooDefs.Perms.READ | ZooDefs.Perms.ADMIN,
++ request.authInfo);
++
+ Stat stat = new Stat();
+- List<ACL> acl =
+- zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
+- rsp = new GetACLResponse(acl, stat);
++ List<ACL> acl =
++ zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
++ try {
++ PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++ ZooDefs.Perms.ADMIN,
++ request.authInfo);
++ rsp = new GetACLResponse(acl, stat);
++ } catch (KeeperException.NoAuthException e) {
++ List<ACL> acl1 = new ArrayList<ACL>(acl.size());
++ for (ACL a : acl) {
++ if ("digest".equals(a.getId().getScheme())) {
++ Id id = a.getId();
++ Id id1 = new Id(id.getScheme(), id.getId().replaceAll(":.*", ":x"));
++ acl1.add(new ACL(a.getPerms(), id1));
++ } else {
++ acl1.add(a);
++ }
++ }
++ rsp = new GetACLResponse(acl1, stat);
++ }
+ break;
+ }
+ case OpCode.getChildren: {
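Review bot: The new quilt patch is named CVE-2019-11579.patch (its `+++` header here and the series entry in the following hunk) while the change it carries is the CVE-2019-0201 fix named in the changelog entry and the bug title, so the file name points at an unrelated CVE identifier; renaming it to `CVE-2019-0201.patch` in both places keeps the package history consistent for anyone auditing it later. The patch also carries no DEP-3 header — the file begins directly at the `---` line — so a `Description:` line restating the changelog text, an `Origin:` line naming the upstream 3.4-branch commit referenced in the reply above, and `Bug-Debian: https://bugs.debian.org/929283` would record where this code came from and make it easy to compare against upstream. On the code itself, the first `PrepRequestProcessor.checkACL` call passes `ZooDefs.Perms.READ | ZooDefs.Perms.ADMIN` as one mask; if checkACL treats the mask as any-of (as I believe the 3.4 implementation does) this gives the intended "readers or admins may fetch the ACL" gate, but that is worth confirming against the upstream commit rather than reading it as requiring both bits. The enclosing switch case and method start outside the hunk.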
diff --git a/debian/patches/series b/debian/patches/series
index 9dd03d0..c0b9747 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
09-spell-check.patch
10-CVE-2017-5637.patch
CVE-2018-8012.patch
+CVE-2019-11579.patch
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby at debian.org 🍥 chris-lamb.co.uk
`-