From 6565b905da6d1cc50ba0d0b7d8ee092f1f77a1d5 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Wed, 24 Apr 2024 10:17:07 +0800
Subject: [PATCH] fix CVE-2021-28235

---
 0008-fix-CVE-2023-32082.patch |   2 +-
 0009-fix-CVE-2021-28235.patch | 131 ++++++++++++++++++++++++++++++++++
 etcd.spec                     |  11 ++-
 3 files changed, 142 insertions(+), 2 deletions(-)
 create mode 100644 0009-fix-CVE-2021-28235.patch

diff --git a/0008-fix-CVE-2023-32082.patch b/0008-fix-CVE-2023-32082.patch
index 4bbca61..161bba7 100644
--- a/0008-fix-CVE-2023-32082.patch
+++ b/0008-fix-CVE-2023-32082.patch
@@ -46,7 +46,7 @@ index 1fa8e4e..dee5c20 100644
 +	return nil, rev
 +}
 +
-+func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
++func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
  	if s.Leader() == s.ID() {
  		// primary; timetolive directly from leader
  		le := s.lessor.Lookup(lease.LeaseID(r.ID))
diff --git a/0009-fix-CVE-2021-28235.patch b/0009-fix-CVE-2021-28235.patch
new file mode 100644
index 0000000..bd3c001
--- /dev/null
+++ b/0009-fix-CVE-2021-28235.patch
@@ -0,0 +1,131 @@
+From 3b6de877f048f3875b48f36a66d10a7156106236 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Wed, 24 Apr 2024 09:28:16 +0800
+Subject: [PATCH] fix CVE-2021-28235
+
+---
+ etcdserver/v3_server.go                |  7 ++++
+ tests/e2e/ctl_v3_auth_security_test.go | 57 ++++++++++++++++++++++++++
+ tests/e2e/ctl_v3_test.go               |  6 +++
+ tests/e2e/util.go                      |  9 ++++
+ 4 files changed, 79 insertions(+)
+ create mode 100644 tests/e2e/ctl_v3_auth_security_test.go
+
+diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
+index dee5c20..6ef9e61 100644
+--- a/etcdserver/v3_server.go
++++ b/etcdserver/v3_server.go
+@@ -431,6 +431,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
+ 
+ 	lg := s.getLogger()
+ 
++	// fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++	defer func() {
++		if r != nil {
++			r.Password = ""
++		}
++	}()
++
+ 	var resp proto.Message
+ 	for {
+ 		checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)
+diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go
+new file mode 100644
+index 0000000..754fa4b
+--- /dev/null
++++ b/tests/e2e/ctl_v3_auth_security_test.go
+@@ -0,0 +1,57 @@
++// Copyright 2023 The etcd Authors
++//
++// Licensed under the Apache License, Version 2.0 (the "License");
++// you may not use this file except in compliance with the License.
++// You may obtain a copy of the License at
++//
++//     http://www.apache.org/licenses/LICENSE-2.0
++//
++// Unless required by applicable law or agreed to in writing, software
++// distributed under the License is distributed on an "AS IS" BASIS,
++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++// See the License for the specific language governing permissions and
++// limitations under the License.
++
++//go:build !cluster_proxy
++
++package e2e
++
++import (
++	"strings"
++	"testing"
++
++	"github.com/stretchr/testify/require"
++
++	"go.etcd.io/etcd/tests/v3/framework/e2e"
++)
++
++// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++func TestAuth_CVE_2021_28235(t *testing.T) {
++	testCtl(t, authTest_CVE_2021_28235, withCfg(*e2e.NewConfigNoTLS()), withLogLevel("debug"))
++}
++
++func authTest_CVE_2021_28235(cx ctlCtx) {
++	// create root user with root role
++	rootPass := "changeme123"
++	err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass})
++	require.NoError(cx.t, err)
++	err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil)
++	require.NoError(cx.t, err)
++	err = ctlV3AuthEnable(cx)
++	require.NoError(cx.t, err)
++
++	// issue a put request
++	cx.user, cx.pass = "root", rootPass
++	err = ctlV3Put(cx, "foo", "bar", "")
++	require.NoError(cx.t, err)
++
++	// GET /debug/requests
++	httpEndpoint := cx.epc.Procs[0].EndpointsHTTP()[0]
++	req := e2e.CURLReq{Endpoint: "/debug/requests?fam=grpc.Recv.etcdserverpb.Auth&b=0&exp=1", Timeout: 5}
++	respData, err := curl(httpEndpoint, "GET", req, e2e.ClientNonTLS)
++	require.NoError(cx.t, err)
++
++	if strings.Contains(respData, rootPass) {
++		cx.t.Errorf("The root password is included in the request.\n %s", respData)
++	}
++}
+diff --git a/tests/e2e/ctl_v3_test.go b/tests/e2e/ctl_v3_test.go
+index 04f5a65..74b1838 100644
+--- a/tests/e2e/ctl_v3_test.go
++++ b/tests/e2e/ctl_v3_test.go
+@@ -130,6 +130,12 @@ func withFlagByEnv() ctlOption {
+ 	return func(cx *ctlCtx) { cx.envMap = make(map[string]struct{}) }
+ }
+ 
++func withLogLevel(logLevel string) ctlOption {
++	return func(cx *ctlCtx) {
++		cx.cfg.LogLevel = logLevel
++	}
++}
++
+ func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) {
+ 	defer testutil.AfterTest(t)
+ 
+diff --git a/tests/e2e/util.go b/tests/e2e/util.go
+index ce7289a..3b772c0 100644
+--- a/tests/e2e/util.go
++++ b/tests/e2e/util.go
+@@ -108,3 +108,12 @@ func closeWithTimeout(p *expect.ExpectProcess, d time.Duration) error {
+ func toTLS(s string) string {
+ 	return strings.Replace(s, "http://", "https://", 1)
+ }
++
++func curl(endpoint string, method string, curlReq e2e.CURLReq, connType e2e.ClientConnType) (string, error) {
++	args := e2e.CURLPrefixArgs(endpoint, e2e.ClientConfig{ConnectionType: connType}, false, method, curlReq)
++	lines, err := e2e.RunUtilCompletion(args, nil)
++	if err != nil {
++		return "", err
++	}
++	return strings.Join(lines, "\n"), nil
++}
+-- 
+2.20.1
+
diff --git a/etcd.spec b/etcd.spec
index b2e25ec..e2e87be 100644
--- a/etcd.spec
+++ b/etcd.spec
@@ -31,7 +31,7 @@ system.}
 %global gosupfiles      integration/fixtures/* etcdserver/api/v2http/testdata/*
 
 Name:           etcd
-Release:        11
+Release:        12
 Summary:        Distributed reliable key-value store for the most critical data of a distributed system
 
 # Upstream license specification: Apache-2.0
@@ -52,6 +52,7 @@ Patch5:         0005-fix-CVE-2022-41723.patch
 Patch6:         0006-fix-CVE-2023-39325.patch
 Patch7:         0007-fix-CVE-2022-34038.patch
 Patch8:         0008-fix-CVE-2023-32082.patch
+Patch9:         0009-fix-CVE-2021-28235.patch
 
 BuildRequires:  golang
 BuildRequires:  python3-devel
@@ -73,6 +74,8 @@ Requires(pre):  shadow-utils
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
 %ifarch sw_64
 %patch3 -p1
 %endif
@@ -161,6 +164,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif
 
 %changelog
+* Wed Apr 24 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2021-28235
+
 * Tue Apr 23 2024 laokz <zhangkai@iscas.ac.cn> - 3.4.14-11
 - Type:bugfix
 - CVE:NA
-- 
Gitee