diff --git a/0001-CVE-2024-24892.patch b/0001-CVE-2024-24892.patch
new file mode 100644
index 0000000..25ac45a
--- /dev/null
+++ b/0001-CVE-2024-24892.patch
@@ -0,0 +1,85 @@
+From 27f65f5c5e38b6d0cee28db3591784266a47de9e Mon Sep 17 00:00:00 2001
+From: lixin
+Date: Tue, 12 Mar 2024 10:42:07 +0800
+Subject: [PATCH] CVE-2024-24892
+
+---
+ index.py | 50 ++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 32 insertions(+), 18 deletions(-)
+
+diff --git a/index.py b/index.py
+index 239148e..f604fc2 100644
+--- a/index.py
++++ b/index.py
+@@ -4,6 +4,7 @@
+ # SPDX-License-Identifier: MulanPubL-2.0-or-later
+ import os
+ import json
++import paramiko
+ from func import share
+ from urls import server_mods
+ from flask import Flask, render_template, request, Response
+@@ -202,29 +203,42 @@ def export_migration_reports():
+ :return:
+ """
+ mod = check_methods()
+- f = open("/usr/lib/migration-tools-server/.passwd.txt", "r")
+- password = f.read()
+- f.close()
+ if mod:
+ data = request.get_data()
+ json_data = json.loads(data)
+- mkdir_log_pwd = "/var/uos-migration/"
+- isExists=os.path.exists(mkdir_log_pwd)
+- if not isExists:
+- try:
+- os.makedirs(mkdir_log_pwd)
+- print(mkdir_log_pwd)
+- except:
+- print("export report mkdir error:%s" % mkdir_log_pwd)
+-
++ user = json_data.get('info').split("|")[0]
+ info = mod.split(',')
+- scp_log = "sshpass -p '%s'" % password + " scp -r %s" % json_data.get('info').split("|")[0] + "@%s" % info[1] \
+- + ":/var/tmp/uos-migration/UOS*.tar.gz /var/uos-migration/"
++ ip = info[1].strip('"')
++ port = 22
++
++ with open("/usr/lib/migration-tools-server/.passwd.txt", "r") as f:
++ password = f.read()
++
++ remote_dir = local_dir = "/var/tmp/uos-migration"
++ if not os.path.exists(local_dir):
++ os.makedirs(local_dir)
++
++ client = paramiko.SSHClient()
++ client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+ try:
+- os.system(scp_log)
+- print(scp_log)
+- except:
+- print('export report scp error:%s' % scp_log)
++ client.connect(ip, port, user, password)
++ sftp = client.open_sftp()
++
++ remote_files = sftp.listdir(remote_dir)
++ # 遍历远程文件列表
++ for filename in 
remote_files: ++ if filename.endswith('.tar.gz'): ++ remote_file_path = os.path.join(remote_dir, filename) ++ local_file_path = os.path.join(local_dir, filename) ++ sftp.get(remote_file_path, local_file_path) ++ ++ except Exception as e: ++ print(f"Error: {e}") ++ ++ finally: ++ # 关闭连接 ++ if client: ++ client.close() + return Response(mod, content_type='application/json') + + +-- +2.41.0 + diff --git a/migration-tools.spec b/migration-tools.spec index 35d01ae..9d9dfa4 100644 --- a/migration-tools.spec +++ b/migration-tools.spec @@ -1,12 +1,16 @@ Name: migration-tools Version: 1.0.1 -Release: 1 +Release: 2 License: MulanPSL-2.0 Summary: A tool to help users migrate the Centos system to the UOS system and openEuler system Source0: migration-tools.tar.gz Source1: requires.tar.gz Source2: xlwt-1.3.0-py2.py3-none-any.whl + +# CVE patches: >= 100 +Patch100: 0001-CVE-2024-24892.patch + BuildArch: noarch %description UOS Migration Software @@ -36,7 +40,6 @@ Summary: migration-tools-server License: MulanPSL-2.0 Requires: python3 Requires: python3-pip -Requires: sshpass Requires: python3-paramiko Requires: python3-flask Requires: python3-requests @@ -48,6 +51,9 @@ Migration software server side %prep %setup -c +# cve patches +%patch 100 -p1 + %if 0%{?openEuler} cp -f %SOURCE1 agent-requires/ cp -f %SOURCE2 agent-requires/ @@ -112,6 +118,11 @@ rm -rf /usr/bin/migration-tools %endif %changelog +* Mon Mar 11 2024 lixin - 1.0.1-2 +- fix : CVE-2024-24892 +- use paramiko instead of sshpass to export migration log +- and data + * Tue Mar 05 2024 lixin - 1.0.1-1 - Supports migrations to OpenEuler system using the web-based interface.
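Review bot: The new code disables host-key verification with `client.set_missing_host_key_policy(paramiko.AutoAddPolicy())` immediately before `client.connect(ip, port, user, password)`, so the credential read from `.passwd.txt` is sent to whichever host answers at `ip` (taken from `check_methods()`, with `user` taken from the request body); the shell injection is closed, but an interposed host can now collect the password unchallenged. Prefer `client.load_system_host_keys()` followed by `client.set_missing_host_key_policy(paramiko.RejectPolicy())`, or a known_hosts file dedicated to the migration agents. Separately, `filename` comes from the remote `sftp.listdir(remote_dir)` and is joined into `local_file_path` unchecked, so a misbehaving agent could return a name containing path separators and cause a write outside `local_dir`; guard with `if filename != os.path.basename(filename): continue` before the join. The `except Exception as e: print(f"Error: {e}")` branch still falls through to `return Response(mod, content_type='application/json')`, so a failed transfer is reported to the caller exactly like a successful one, and `json_data.get('info')` returning None raises AttributeError outside the try. The enclosing function `export_migration_reports` begins before the hunk (its `def` line appears only as the inner hunk's header context).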