From b1c9b5a909c2460848b57b4d61b17b352b6999a4 Mon Sep 17 00:00:00 2001
From: mgb01105731
Date: Mon, 3 Jun 2024 17:58:33 +0800
Subject: [PATCH] fix CVE-2023-43040
---
 0027-fix-CVE-2023-43040.patch | 49 +++++++++++++++++++++++++++++++++++
 ceph.spec | 9 ++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 0027-fix-CVE-2023-43040.patch
diff --git a/0027-fix-CVE-2023-43040.patch b/0027-fix-CVE-2023-43040.patch
new file mode 100644
index 0000000..d180b8a
--- /dev/null
+++ b/0027-fix-CVE-2023-43040.patch
@@ -0,0 +1,49 @@
+From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
+From: Joshua Baergen
+Date: Wed, 17 May 2023 12:17:09 -0600
+Subject: [PATCH] rgw: Fix bucket validation against POST policies
+
+It's possible that user could provide a form part as a part of a POST
+object upload that uses 'bucket' as a key; in this case, it was
+overriding what was being set in the validation env (which is the real
+bucket being modified). The result of this is that a user could actually
+upload to any bucket accessible by the specified access key by matching
+the bucket in the POST policy in said POST form part.
+
+Fix this simply by setting the bucket to the correct value after the
+POST form parts are processed, ignoring the form part above if
+specified.
+
+Fixes: https://tracker.ceph.com/issues/63004
+
+Signed-off-by: Joshua Baergen
+---
+ src/rgw/rgw_rest_s3.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+index 821f2b38b068f..23e3e608e3071 100644
+--- a/src/rgw/rgw_rest_s3.cc
++++ b/src/rgw/rgw_rest_s3.cc
+@@ -2870,10 +2870,6 @@ int RGWPostObj_ObjStore_S3::get_params(optional_yield y)
+
+ map_qs_metadata(s, false);
+
+- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
+- << dendl;
+- env.add_var("bucket", s->bucket->get_name());
+-
+ bool done;
+ do {
+ struct post_form_part part;
+@@ -2938,6 +2934,10 @@ int RGWPostObj_ObjStore_S3::get_params(optional_yield y)
+ return r;
+ }
+
++ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
++ << dendl;
++ env.add_var("bucket", s->bucket->get_name());
++
+ string object_str;
+ if (!part_str(parts, "key", &object_str)) {
+ err_msg = "Key not specified";
diff --git a/ceph.spec b/ceph.spec
index 5028b87..14f62d9 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 5
 %global _hardened_build 1
 %bcond_with make_check
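Review bot: The relocated `env.add_var("bucket", s->bucket->get_name());` in the second nested hunk carries no comment saying why it must run only after the form-part loop, so a later cleanup that hoists it back next to `map_qs_metadata` would silently reopen the bucket override described in the patch message. Add above the `ldpp_dout` line: `// Set after the form parts are consumed: a client-supplied "bucket" form field must not override the real target bucket (CVE-2023-43040).` The fix also relies on `add_var` replacing an already-present key — the original report implies that it does, but this is not visible in the hunk and is worth confirming against the env type when backporting. `RGWPostObj_ObjStore_S3::get_params` starts and ends outside both nested hunks, including the loop that presumably feeds the form parts into `env`.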
@@ -77,6 +77,9 @@ Summary: User space components of the Ceph file system
 License: (LGPLv2+ or LGPLv3) and CC-BY-SA-3.0 and GPLv2 and Boost and BSD and MIT
 URL: http://ceph.com/
 Source0: https://download.ceph.com/tarballs/ceph-%{version}.tar.gz
+
+ExcludeArch: loongarch64
+
 Patch0001: 0001-src-common-crc32c_intel_fast.patch
 Patch0003: 0003-src-common-bitstr.h.patch
 Patch0008: 0008-cmake-modules-Finduring.cmake.patch
@@ -97,6 +100,7 @@ Patch1001: ceph-17.2.0-pybind-boost-1.74.patch
 Patch1002: ceph-17.2.5-boost-1.81.patch
 Patch1003: ceph-17.2.0-deprecated-boost.patch
 %endif
+Patch0027: 0027-fix-CVE-2023-43040.patch
 #################################################################################
 # dependencies that apply across all distro families
 #################################################################################
@@ -1944,6 +1948,9 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 %changelog
+* Mon Jun 03 2024 mgb01105731 - 17.2.5-5
+- fix CVE-2023-43040
+
 * Mon Mar 11 2024 Bo Ren - 17.2.5-4
 - Rebuild with python3.11
 - Fix Python 3.11 (PEP-620) incompatibility
-- Gitee
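Review bot: `ExcludeArch: loongarch64` is unrelated to the CVE-2023-43040 fix that the subject and the new changelog entry describe, and it drops an architecture from the build with no stated reason. Either split it into its own commit or at least record it in the changelog entry, e.g. `- exclude loongarch64 build`, and put a `#` comment above the tag naming the blocking issue (the reason is not on the page, so it needs to come from the author). As written, a reader of the package changelog would never learn that the build matrix changed in this release.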
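Review bot: `Patch0027:` is declared, but whether the CVE patch is actually applied depends on `%prep`, which is outside this hunk: if the spec applies patches with explicit `%patchNNNN` lines rather than `%autosetup`/`%autopatch`, a matching `%patch0027 -p1` is required or the fix is silently never built in (the embedded diff uses `a/src/rgw/...` paths, so `-p1`). The new line also sits after the `%endif` of the boost block and out of order with the other `00NN` patches; placing it with them keeps the list sorted and makes the next backport easier to audit. Confirming the build log shows the patch being applied would close the question.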