packages/migration-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!17 fix CVE-2024-24892

Browse Source 
From: @f16lx 
Reviewed-by: @xingwei-liu 
Signed-off-by: @xingwei-liu
This commit is contained in:
openeuler-ci-bot 2024-03-12 05:35:16 +00:00 committed by Gitee
commit 85c0169494
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 98 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
0001-CVE-2024-24892.patch Normal file
View File

@ -0,0 +1,85 @@
From 27f65f5c5e38b6d0cee28db3591784266a47de9e Mon Sep 17 00:00:00 2001
From: lixin <lixinb@uniontech.com>
Date: Tue, 12 Mar 2024 10:42:07 +0800
Subject: [PATCH] CVE-2024-24892
---
index.py | 50 ++++++++++++++++++++++++++++++++------------------
1 file changed, 32 insertions(+), 18 deletions(-)
diff --git a/index.py b/index.py
index 239148e..f604fc2 100644
--- a/index.py
+++ b/index.py
@@ -4,6 +4,7 @@
# SPDX-License-Identifier: MulanPubL-2.0-or-later
import os
import json
+import paramiko
from func import share
from urls import server_mods
from flask import Flask, render_template, request, Response
@@ -202,29 +203,42 @@ def export_migration_reports():
:return:
"""
mod = check_methods()
- f = open("/usr/lib/migration-tools-server/.passwd.txt", "r")
- password = f.read()
- f.close()
if mod:
data = request.get_data()
json_data = json.loads(data)
- mkdir_log_pwd = "/var/uos-migration/"
- isExists=os.path.exists(mkdir_log_pwd)
- if not isExists:
- try:
- os.makedirs(mkdir_log_pwd)
- print(mkdir_log_pwd)
- except:
- print("export report mkdir error:%s" % mkdir_log_pwd)
-
+ user = json_data.get('info').split("|")[0]
info = mod.split(',')
- scp_log = "sshpass -p '%s'" % password + " scp -r %s" % json_data.get('info').split("|")[0] + "@%s" % info[1] \
- + ":/var/tmp/uos-migration/UOS*.tar.gz /var/uos-migration/"
+ ip = info[1].strip('"')
+ port = 22
+
+ with open("/usr/lib/migration-tools-server/.passwd.txt", "r") as f:
+ password = f.read()
+
+ remote_dir = local_dir = "/var/tmp/uos-migration"
+ if not os.path.exists(local_dir):
+ os.makedirs(local_dir)
+
+ client = paramiko.SSHClient()
+ client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
- os.system(scp_log)
- print(scp_log)
- except:
- print('export report scp error:%s' % scp_log)
+ client.connect(ip, port, user, password)
+ sftp = client.open_sftp()
+
+ remote_files = sftp.listdir(remote_dir)
+ # 遍历远程文件列表
+ for filename in remote_files:
+ if filename.endswith('.tar.gz'):
+ remote_file_path = os.path.join(remote_dir, filename)
+ local_file_path = os.path.join(local_dir, filename)
+ sftp.get(remote_file_path, local_file_path)
+
+ except Exception as e:
+ print(f"Error: {e}")
+
+ finally:
+ # 关闭连接
+ if client:
+ client.close()
return Response(mod, content_type='application/json')
--
2.41.0

15
migration-tools.spec
View File

@ -1,12 +1,16 @@
Name: migration-tools
Version: 1.0.1
Release: 1
Release: 2
License: MulanPSL-2.0
Summary: A tool to help users migrate the Centos system to the UOS system and openEuler system
Source0: migration-tools.tar.gz
Source1: requires.tar.gz
Source2: xlwt-1.3.0-py2.py3-none-any.whl
# CVE patches: >= 100
Patch100: 0001-CVE-2024-24892.patch
BuildArch: noarch
%description
UOS Migration Software
@ -36,7 +40,6 @@ Summary: migration-tools-server
License: MulanPSL-2.0
Requires: python3
Requires: python3-pip
Requires: sshpass
Requires: python3-paramiko
Requires: python3-flask
Requires: python3-requests
@ -48,6 +51,9 @@ Migration software server side
%prep
%setup -c
# cve patches
%patch 100 -p1
%if 0%{?openEuler}
cp -f %SOURCE1 agent-requires/
cp -f %SOURCE2 agent-requires/
@ -112,6 +118,11 @@ rm -rf /usr/bin/migration-tools
%endif
%changelog
* Mon Mar 11 2024 lixin <lixinb@uniontech.com> - 1.0.1-2
- fix : CVE-2024-24892
- use paramiko instead of sshpass to export migration log
- and data
* Tue Mar 05 2024 lixin <lixinb@uniontech.com> - 1.0.1-1
- Supports migrations to OpenEuler system using the web-based interface.