Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi,

I would like to update ceph with the next stable point release to fix the 4 security issues listed below. These are all minor issues which did not warrant a DSA on their own, but are still worth fixing.

https://security-tracker.debian.org/tracker/CVE-2016-9579
https://security-tracker.debian.org/tracker/CVE-2016-5009
https://security-tracker.debian.org/tracker/CVE-2016-7031
https://security-tracker.debian.org/tracker/CVE-2016-8626

The complete debdiff is attached below. I have already built the package, but not yet uploaded it. As soon as I get your OK I'll upload the package.

Gaudenz

-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ceph-0.80.7/debian/changelog ceph-0.80.7/debian/changelog
--- ceph-0.80.7/debian/changelog 2016-01-15 10:42:14.000000000 +0100
+++ ceph-0.80.7/debian/changelog 2016-12-28 10:47:36.000000000 +0100
@@ -1,3 +1,14 @@
+ceph (0.80.7-2+deb8u2) jessie; urgency=medium
+
+ * [78329e] Upstream fix for CVE-2016-9579 (short CORS request)
+ (Closes: #849048)
+ * [514d48] Upstream fix for CVE-2016-5009 (mon DoS) (Closes: #829661)
+ * [7ae81b] Upstream fix for CVE-2016-7031 (anonymous read on ACL)
+ (Closes: #838026)
+ * [86ac46] Upstream fix for CVE-2016-8626 (RGW DoS) (Closes: #844200)
+
+ -- Gaudenz Steinlin <[email protected]> Wed, 28 Dec 2016 10:47:36 +0100
+
 ceph (0.80.7-2+deb8u1) jessie; urgency=medium
 
 * [61b5e0] Patch to fix CVE-2015-5245 applied from upstream (Closes: #798567)
diff -Nru ceph-0.80.7/debian/gbp.conf ceph-0.80.7/debian/gbp.conf
--- ceph-0.80.7/debian/gbp.conf 2016-01-15 10:41:01.000000000 +0100
+++ ceph-0.80.7/debian/gbp.conf 2016-12-27 21:47:49.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = jessie-security
+debian-branch = jessie
 pristine-tar = True
 
 [import-orig]
diff -Nru ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch
--- ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch 2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,99 @@
+commit b78a1be835706e7dabc505be343945d0ac05697d
+Author: Kefu Chai <[email protected]>
+Date: Thu Jun 30 13:24:22 2016 +0800
+
+ mon: Monitor: validate prefix on handle_command()
+
+ Fixes: http://tracker.ceph.com/issues/16297
+
+ Signed-off-by: You Ji <[email protected]>
+ (cherry picked from commit 7cb3434fed03a5497abfd00bcec7276b70df0654)
+
+ Conflicts:
+ src/mon/Monitor.cc (the signature of Monitor::reply_command()
+ changed a little bit in master, so adapt the
+ commit to work with the old method)
+
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -2214,7 +2214,19 @@
+ return;
+ }
+
+- cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++ // check return value. If no prefix parameter provided,
++ // return value will be false, then return error info.
++ if(!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
++ reply_command(m, -EINVAL, "command prefix not found", 0);
++ return;
++ }
++
++ // check prefix is empty
++ if (prefix.empty()) {
++ reply_command(m, -EINVAL, "command prefix must not be empty", 0);
++ return;
++ }
++
+ if (prefix == "get_command_descriptions") {
+ bufferlist rdata;
+ Formatter *f = new_formatter("json");
+@@ -2235,6 +2247,15 @@
+ boost::scoped_ptr<Formatter> f(new_formatter(format));
+
+ get_str_vec(prefix, fullcmd);
++
++ // make sure fullcmd is not empty.
++ // invalid prefix will cause empty vector fullcmd.
++ // such as, prefix=";,,;"
++ if (fullcmd.empty()) {
++ reply_command(m, -EINVAL, "command requires a prefix to be valid", 0);
++ return;
++ }
++
+ module = fullcmd[0];
+
+ // validate command is in leader map
+--- a/src/test/librados/cmd.cc
++++ b/src/test/librados/cmd.cc
+@@ -49,6 +49,41 @@
+ rados_buffer_free(buf);
+ rados_buffer_free(st);
+
++ cmd[0] = (char *)"";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "{}", 2, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"abc\":\"something\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\"\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\" \"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\";;;,,,;;,,\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\"extra command\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
+ cmd[0] = (char *)"{\"prefix\":\"mon_status\"}";
+ ASSERT_EQ(0, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
+ ASSERT_LT(0u, buflen);
diff -Nru
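Review bot: The `prefix.empty()` guard added at the top of the first Monitor.cc hunk rejects only the literal empty string; a separator-only prefix such as the `" "` case the new cmd.cc test expects to fail is presumably only turned away by the `fullcmd.empty()` check in the second hunk, which runs after the Formatter has already been created (`boost::scoped_ptr<Formatter> f(new_formatter(format))` sits just above `get_str_vec`). That is still correct, but the division of labour between the two checks deserves a comment on the second one, e.g. `// prefixes made only of separators (" ", ";,,;") pass prefix.empty() and are rejected here`. Style: the new code mixes `if(!cmd_getval(` and `if (prefix.empty())`; the surrounding context uses `if (`. Monitor::handle_command starts and ends outside the hunk, so any earlier validation of `cmdmap` is not visible here.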
ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch
--- ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch 2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,44 @@
+commit 99ba6610a8f437604cadf68cbe9969def893e870
+Author: root <[email protected]>
+Date: Thu Sep 24 00:21:13 2015 +0530
+
+ 13207: Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL
+
+ Signed-off-by: root <[email protected]>
+
+--- a/src/rgw/rgw_acl_s3.cc
++++ b/src/rgw/rgw_acl_s3.cc
+@@ -537,7 +537,7 @@
+ {
+ switch (group) {
+ case ACL_GROUP_ALL_USERS:
+- return (id.compare(rgw_uri_all_users) == 0);
++ return (id.compare(RGW_USER_ANON_ID) == 0);
+ case ACL_GROUP_AUTHENTICATED_USERS:
+ return (id.compare(rgw_uri_auth_users) == 0);
+ default:
+--- a/src/rgw/rgw_op.cc
++++ b/src/rgw/rgw_op.cc
+@@ -15,6 +15,7 @@
+ #include "rgw_rest.h"
+ #include "rgw_acl.h"
+ #include "rgw_acl_s3.h"
++#include "rgw_acl_swift.h"
+ #include "rgw_user.h"
+ #include "rgw_bucket.h"
+ #include "rgw_log.h"
+@@ -322,7 +323,13 @@
+
+ s->bucket_instance_id = s->info.args.get(RGW_SYS_PARAM_PREFIX "bucket-instance");
+
+- s->bucket_acl = new RGWAccessControlPolicy(s->cct);
++ if(s->dialect.compare("s3") == 0) {
++ s->bucket_acl = new RGWAccessControlPolicy_S3(s->cct);
++ } else if(s->dialect.compare("swift") == 0) {
++ s->bucket_acl = new RGWAccessControlPolicy_SWIFT(s->cct);
++ } else {
++ s->bucket_acl = new RGWAccessControlPolicy(s->cct);
++ }
+
+ if (s->copy_source) { /* check if copy source is within the current domain */
+ const char *src = s->copy_source;
diff -Nru ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch
--- ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch 2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,30 @@
+commit 23cb642243e09ca4a8e104f62a3bb7b2cbb6ea12
+Author: Yehuda Sadeh <[email protected]>
+Date: Thu Oct 20 10:17:36 2016 -0700
+
+ rgw: handle empty POST condition
+
+ Fixes: http://tracker.ceph.com/issues/17635
+
+ Before accessing json entity, need to check that iterator is valid.
+ If there is no entry return appropriate error code.
+
+
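Review bot: The dialect dispatch added in the rgw_op.cc hunk falls through to the plain `RGWAccessControlPolicy` for any `s->dialect` other than `"s3"` or `"swift"` without logging it, so a request reaching this code with an unexpected dialect silently gets a policy whose group-ACL handling presumably lacks the S3 check corrected in rgw_acl_s3.cc. A comment on the `else` branch naming the expected dialects, e.g. `// TODO(review): confirm only s3/swift reach here; any other dialect gets the base policy`, would make the fallback a visible decision rather than an accident. Style only: `s->dialect.compare("s3") == 0` could be written `s->dialect == "s3"` in both branches. The enclosing functions in both files start and end outside the hunks.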
Signed-off-by: Yehuda Sadeh <[email protected]>
+
+--- a/src/rgw/rgw_policy_s3.cc
++++ b/src/rgw/rgw_policy_s3.cc
+@@ -284,11 +284,13 @@
+ int r = add_condition(v[0], v[1], v[2], err_msg);
+ if (r < 0)
+ return r;
+- } else {
++ } else if (!citer.end()) {
+ JSONObj *c = *citer;
+ dout(0) << "adding simple_check: " << c->get_name() << " : " << c->get_data() << dendl;
+
+ add_simple_check(c->get_name(), c->get_data());
++ } else {
++ return -EINVAL;
+ }
+ }
+ return 0;
diff -Nru ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch
--- ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch 2016-12-27 21:50:34.000000000 +0100
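Review bot: The new `return -EINVAL;` branch in the rgw_policy_s3.cc hunk leaves `err_msg` untouched, while the sibling `add_condition(v[0], v[1], v[2], err_msg)` path gives the caller a reason for the failure; if `err_msg` is a string reference as that call suggests, setting it first, e.g. `err_msg = "policy condition is empty"; return -EINVAL;`, keeps the two error paths consistent for whoever reports the rejection. The enclosing function and the loop over `citer` both start before the hunk, so whether the first branch's `v[0]`..`v[2]` indexing is guarded the same way is not visible here.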
@@ -0,0 +1,51 @@
+commit 67d4d9e64bc224e047cf333e673bb22cd6290789
+Author: LiuYang <[email protected]>
+Date: Thu Dec 8 14:21:43 2016 +0800
+
+ rgw: do not abort when accept a CORS request with short origin
+
+ Fixed: #18187
+
+ when accept a CROS request, the request http origin shorter than the bucket's corsrule
+ (eg. origin: http://s.com corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).
+ the rgw_cors.cc::is_string_in_set() will have a wrong index, the radosrgw server will
+ abort.
+
+ $ curl http://test.localhost:8000/app.data -H "Origin:http://s.com"
+
+ 0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 *** Caught signal (Aborted) **
+ in thread 7f6add05d700 thread_name:civetweb-worker
+
+ ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
+ 1: (()+0x50720a) [0x7f6b147c420a]
+ 2: (()+0xf370) [0x7f6b09a33370]
+ 3: (gsignal()+0x37) [0x7f6b081ca1d7]
+ 4: (abort()+0x148) [0x7f6b081cb8c8]
+ 5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
+ 6: (()+0x5e946) [0x7f6b08acc946]
+ 7: (()+0x5e973) [0x7f6b08acc973]
+ 8: (()+0x5eb93) [0x7f6b08accb93]
+ 9: (std::__throw_out_of_range(char const*)+0x77) 0x7f6b08b21a17]
+ 10: (()+0xbd97a) [0x7f6b08b2b97a]
+ 11: (()+0x449c1e) [0x7f6b14706c1e]
+ 12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
+ 13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
+ 14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
+ 15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]
+
+ Signed-off-by: LiuYang <[email protected]>
+
+diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
+index 1ad5b43136..f2c7f3ac64 100644
+--- a/src/rgw/rgw_cors.cc
++++ b/src/rgw/rgw_cors.cc
+@@ -104,7 +104,8 @@ static bool is_string_in_set(set<string>& s, string h) {
+ string sl = ssplit.front();
+ dout(10) << "Finding " << sl << ", in " << h
+ << ", at offset not less than " << flen << dendl;
+- if (h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
++ if (h.size() < sl.size() ||
++ h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
+ continue;
+ ssplit.pop_front();
+ }
diff -Nru ceph-0.80.7/debian/patches/series ceph-0.80.7/debian/patches/series
--- ceph-0.80.7/debian/patches/series 2016-01-15 10:41:01.000000000 +0100
+++ ceph-0.80.7/debian/patches/series 2016-12-28 10:47:27.000000000 +0100
@@ -16,6 +16,12 @@
 rbdmap2-hooks.patch
 CVE-2015-5245.patch
+## Security
+cve-2016-5009_mon_dos.patch
+cve-2016-7031_rgw_anonymous_read.patch
+cve-2016-8626_rgw_dos.patch
+cve-2016-9579_short_cors_request.patch
+
 ## Debian
 rbdmap3-lazyumount.patch
 arch.patch
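Review bot: The `h.size() < sl.size()` guard added in the rgw_cors.cc hunk is correct but unexplained; without a comment a later cleanup can fold it back into the `compare()` call and reintroduce the abort shown in the commit message. A one-line comment tying the check to its reason, e.g. `// a host shorter than the suffix can never match, and h.size() - sl.size() would wrap and make compare() throw out_of_range`, would keep the intent with the code. The `while`/`for` loop and is_string_in_set's body continue outside the hunk, so whether the remaining `ssplit` handling has a similar length assumption is not visible here.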

