diff --git a/43-bugfix-for-CVE-2025-52555.patch b/43-bugfix-for-CVE-2025-52555.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6d55bbaf5fd56079b631b9cdc5ba8586265c494c
--- /dev/null
+++ b/43-bugfix-for-CVE-2025-52555.patch
@@ -0,0 +1,82 @@
+From d19668a519cd98d429d2ef547de7acd48f75f99a Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Wed, 3 Apr 2024 19:02:08 +0800
+Subject: [PATCH] client: disallow unprivileged users to escalate root
+privileges
+
+An unprivileged user can `chmod 777` a directory owned by root
+and gain access. Fix this bug and also add a test case for the
+same.
+
+Signed-off-by: Xiubo Li
+Signed-off-by: Venky Shankar
+---
+ src/client/Client.cc | 24 ++++++++++++++----------
+ src/test/libcephfs/suidsgid.cc | 10 ++++++++++
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/src/client/Client.cc b/src/client/Client.cc
+index 2f3e170fe20f5..f9c6a927f425f 100644
+--- a/src/client/Client.cc
++++ b/src/client/Client.cc
+@@ -6026,18 +6026,22 @@ int Client::may_setattr(Inode *in, struct ceph_statx *stx, int mask,
+ }
+
+ if (mask & CEPH_SETATTR_MODE) {
++ bool allowed = false;
++ /*
++ * Currently the kernel fuse and libfuse code is buggy and
++ * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
++ * But will just set the ATTR_MODE and at the same time by
++ * clearing the suid/sgid bits.
++ *
++ * Only allow unprivileged users to clear S_ISUID and S_ISUID.
++ */
++ if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) &&
++ (in->mode & ~(S_ISUID | S_ISGID)) == (stx->stx_mode & ~(S_ISUID | S_ISGID))) {
++ allowed = true;
++ }
+ uint32_t m = ~stx->stx_mode & in->mode; // mode bits removed
+ ldout(cct, 20) << __func__ << " " << *in << " = " << hex << m << dec << dendl;
+- if (perms.uid() != 0 && perms.uid() != in->uid &&
+- /*
+- * Currently the kernel fuse and libfuse code is buggy and
+- * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
+- * But will just set the ATTR_MODE and at the same time by
+- * clearing the suid/sgid bits.
+- *
+- * Only allow unprivileged users to clear S_ISUID and S_ISUID.
+- */
+- (m & ~(S_ISUID | S_ISGID)))
++ if (perms.uid() != 0 && perms.uid() != in->uid && !allowed)
+ goto out;
+
+ gid_t i_gid = (mask & CEPH_SETATTR_GID) ? stx->stx_gid : in->gid;
+diff --git a/src/test/libcephfs/suidsgid.cc b/src/test/libcephfs/suidsgid.cc
+index d750613ebd814..474795cc455d4 100644
+--- a/src/test/libcephfs/suidsgid.cc
++++ b/src/test/libcephfs/suidsgid.cc
+@@ -134,6 +134,14 @@ void run_truncate_test_case(int mode, int result, size_t size, bool with_admin=f
+ ceph_close(_cmount, fd);
+ }
+
++void run_change_mode_test_case()
++{
++ char c_dir[1024];
++ sprintf(c_dir, "/mode_test_%d", getpid());
++ ASSERT_EQ(0, ceph_mkdirs(admin, c_dir, 0700));
++ ASSERT_EQ(ceph_chmod(cmount, c_dir, 0777), -CEPHFS_EPERM);
++}
++
+ TEST(SuidsgidTest, WriteClearSetuid) {
+ ASSERT_EQ(0, ceph_create(&admin, NULL));
+ ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
+@@ -206,6 +214,8 @@ TEST(SuidsgidTest, WriteClearSetuid) {
+ // 14, Truncate by unprivileged user clears the suid and sgid
+ run_truncate_test_case(06766, 0, 100);
+
++ run_change_mode_test_case();
++
+ // clean up
+ ceph_shutdown(cmount);
+ ceph_shutdown(admin);
diff --git a/ceph.spec b/ceph.spec
index 7b8fcc83611047799088f796fd61987c1dba30ea..ffb96dfb2394fb1544988a0ea7efaaef06734cb5 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 #
 # spec file for package ceph
 #
@@ -127,6 +127,7 @@ Patch0039: 0039-src-common-dout.h.patch
 Patch0040: 0040-add-loongarch64-support-for-ceph-18.2.1.patch
 Patch0041: 0041-fix-close-can-not-be-find-in-TUDPTransport.cc.patch
 Patch0042: 0042-add-riscv64-support-for-ceph-18.2.1.patch
+Patch43: 43-bugfix-for-CVE-2025-52555.patch
 #################################################################################
 # dependencies that apply across all distro families
 #################################################################################
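Review bot: The new `allowed` condition in may_setattr accepts any difference in the S_ISUID/S_ISGID bits, so a caller who is neither root nor the owner can still set setuid/setgid on a root-owned inode as long as every other mode bit is unchanged (0755 → 04755 passes both comparisons), which contradicts the comment directly above it ("Only allow unprivileged users to clear"). Restrict it to clearing by adding a third conjunct to the `if`: `(stx->stx_mode & (S_ISUID | S_ISGID) & ~in->mode) == 0 &&`, so a bit may be dropped but never introduced. Whether the MDS independently enforces ownership on a mode change cannot be seen from this patch, so this client-side check should be reviewed as if it were the only gate. The comment also says `S_ISUID and S_ISUID`; it should read `S_ISUID and S_ISGID`. may_setattr's body begins and continues outside the hunk.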
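Review bot: run_change_mode_test_case exercises only the 0700 → 0777 escalation and does not pin the other boundary the new may_setattr logic depends on, so the non-owner setting a suid/sgid bit is left untested. Add `ASSERT_EQ(ceph_chmod(cmount, c_dir, 04700), -CEPHFS_EPERM);` after the existing assertion; against the Client.cc hunk as written this assertion fails, because the suid bits differ while the other bits are equal, which is exactly the gap worth catching. A positive case that the unprivileged mount can clear an admin-set suid/sgid bit would also document the FUSE kill-suid behaviour the comment in Client.cc exists to preserve. Minor: `snprintf(c_dir, sizeof(c_dir), ...)` instead of `sprintf`, and the created directory is never removed, so an `ASSERT_EQ(0, ceph_rmdir(admin, c_dir));` at the end would avoid leaving state in the test filesystem.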
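Review bot: `Patch43:` is only declared in this hunk; whether it is applied depends on %prep, which is outside the diff. If the spec applies patches with explicit `%patchNNNN` lines rather than `%autosetup`/`%autopatch`, the build will succeed without the CVE fix while the changelog claims it is fixed, so confirm %prep picks it up or add `%patch43 -p1` next to the existing ones. The tag and file name also break the zero-padded convention used by the neighbouring entries (`Patch0042: 0042-...`); `Patch0043: 0043-bugfix-for-CVE-2025-52555.patch` keeps the sequence consistent and sortable.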
@@ -2026,6 +2027,9 @@ exit 0
 %{_datadir}/snmp/mibs
 %changelog
+* Wed Jul 16 2025 tomcruiseqi - 18.2.1-4
+- Fix CVE-2025-52555
+
 * Fri May 30 2025 Yihao Yan - 2:18.2.1-3
 - add support for riscv build