CVE-2020-14019

NameCVE-2020-14019
DescriptionOpen-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs972227

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-rtslib-fb (PTS)buster2.1.66-2fixed
bullseye2.1.71-3fixed
bookworm2.1.75-2.1fixed
trixie, sid2.1.76-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-rtslib-fbsourcejessie(not affected)
python-rtslib-fbsourcestretch(not affected)
python-rtslib-fbsourcebuster(not affected)
python-rtslib-fbsource(unstable)2.1.71-3972227

Notes

[buster] - python-rtslib-fb <not-affected> (Introduced in 2.1.70)
[stretch] - python-rtslib-fb <not-affected> (vulnerable code introduced later, shutil.copyfile is not used)
[jessie] - python-rtslib-fb <not-affected> (vulnerable code introduced later, shutil.copyfile is not used)
https://github.com/open-iscsi/rtslib-fb/pull/162
https://github.com/open-iscsi/rtslib-fb/commit/75e73778dce1cb7a2816a936240ef75adfbd6ed9
Search for package or bug name: Reporting problems