Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I have prepared an update for Ceph in Bullseye to address CVE-2022-3650 (i.e. ceph-to-root privilege escalation). The security team already told me that there will be no DSA.

[ Reason ]
(Explain what the reason for the (old-)stable update is. I.e. what is the bug, when was it introduced, is this a regression with respect to the previous (old-)stable.)

[ Impact ]
Anyone logged in as Ceph can become root whenever there's a disk event without the attached patch.

[ Tests ]
Upstream runs a functional test suite, and I trust it.

[ Risks ]
The code is quite trivial and easy to backport (Python code).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The Python code checks input better and avoids privilege escalation. See the attached debdiff; it's quite readable.

Cheers,

Thomas Goirand (zigo)
diff -Nru ceph-14.2.21/debian/changelog ceph-14.2.21/debian/changelog --- ceph-14.2.21/debian/changelog 2021-05-27 12:04:21.000000000 +0200 +++ ceph-14.2.21/debian/changelog 2022-11-30 14:20:19.000000000 +0100 @@ -1,3 +1,10 @@ +ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium + + * CVE-2022-3650: privilege escalation from the ceph user to root. Applied + upstream patches (Closes: #1024932). + + -- Thomas Goirand <z...@debian.org> Wed, 30 Nov 2022 14:20:19 +0100 + ceph (14.2.21-1) unstable; urgency=high * New upstream release, resolving these: diff -Nru ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch --- ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch 1970-01-01 01:00:00.000000000 +0100 +++ ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch 2022-11-30 14:20:19.000000000 +0100 
@@ -0,0 +1,61 @@ +Description: CVE-2022-3650: ceph-crash: drop privleges to run as "ceph" user, rather than root + If privileges cannot be dropped, log an error and exit. This commit + also catches and logs exceptions when scraping the crash path, without + which ceph-crash would just exit if it encountered an error. +Author: Tim Serong <tser...@suse.com> +Date: Wed, 2 Nov 2022 14:27:47 +1100 +Bug: https://tracker.ceph.com/issues/57967 +Signed-off-by: Tim Serong <tser...@suse.com> +Origin: upstream, https://github.com/ceph/ceph/commit/130c9626598bc3a75942161e6cce7c664c447382 +Bug-Debian: https://bugs.debian.org/1024932 +Last-Update: 2022-11-28 + +--- ceph-14.2.21.orig/src/ceph-crash.in ++++ ceph-14.2.21/src/ceph-crash.in +@@ -3,8 +3,10 @@ + # vim: ts=4 sw=4 smarttab expandtab + + import argparse ++import grp + import logging + import os ++import pwd + import socket + import subprocess + import sys +@@ -76,7 +78,23 @@ def scrape_path(path): + ) + + ++def drop_privs(): ++ if os.getuid() == 0: ++ try: ++ ceph_uid = pwd.getpwnam("ceph").pw_uid ++ ceph_gid = grp.getgrnam("ceph").gr_gid ++ os.setgroups([]) ++ os.setgid(ceph_gid) ++ os.setuid(ceph_uid) ++ except Exception as e: ++ log.error(f"Unable to drop privileges: {e}") ++ sys.exit(1) ++ ++ + def main(): ++ # run as unprivileged ceph user ++ drop_privs() ++ + args = parse_args() + postdir = os.path.join(args.path, 'posted') + if args.name: +@@ -88,7 +106,10 @@ def main(): + + log.info("monitoring path %s, delay %ds" % (args.path, args.delay * 60.0)) + while True: +- scrape_path(args.path) ++ try: ++ scrape_path(args.path) ++ except Exception as e: ++ log.error(f"Error scraping {args.path}: {e}") + if args.delay == 0: + sys.exit(0) + time.sleep(args.delay * 60) diff -Nru ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch --- ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch 
1970-01-01 01:00:00.000000000 +0100 +++ ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch 2022-11-30 14:20:19.000000000 +0100 @@ -0,0 +1,24 @@ +Description: CVE-2022-3650: ceph-crash: fix stderr handling + Popen.communicate() returns a tuple (stdout, stderr), and stderr + will be of type bytes, hence the need to decode it before checking + if it's an empty string or not. +Author: Tim Serong <tser...@suse.com> +Date: Wed, 2 Nov 2022 14:23:20 +1100 +Bug: a77b47eeeb5770eeefcf4619ab2105ee7a6a003e +Signed-off-by: Tim Serong <tser...@suse.com> +Bug-Debian: https://bugs.debian.org/1024932 +Origin: upstream, https://github.com/ceph/ceph/commit/45915540559126a652f8d9d105723584cfc63439 +Last-Update: 2022-11-28 + +--- ceph-14.2.21.orig/src/ceph-crash.in ++++ ceph-14.2.21/src/ceph-crash.in +@@ -46,7 +46,8 @@ def post_crash(path): + stderr=subprocess.PIPE, + ) + f = open(os.path.join(path, 'meta'), 'rb') +- stdout, stderr = pr.communicate(input=f.read()) ++ (_, stderr) = pr.communicate(input=f.read()) ++ stderr = stderr.decode() + rc = pr.wait() + f.close() + if rc != 0: diff -Nru ceph-14.2.21/debian/patches/series ceph-14.2.21/debian/patches/series --- ceph-14.2.21/debian/patches/series 2021-05-27 12:04:21.000000000 +0200 +++ ceph-14.2.21/debian/patches/series 2022-11-30 14:20:19.000000000 +0100 @@ -20,3 +20,5 @@ another-cmakelists-fix.patch fix-ceph-osd-systemd-target.patch allow-bgp-to-host.patch +CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch +CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
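Review bot: the debian/changelog hunk targets `bullseye-security`, but the cover mail says the security team will issue no DSA and the report is usertagged `pu`, so this upload goes through proposed-updates and the distribution field should be `bullseye`. Suggest changing `+ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium` to `+ceph (14.2.21-1+deb11u1) bullseye; urgency=medium` before uploading; the `+deb11u1` version suffix is right for a stable update.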
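Review bot: in the `drop_privs()` hunk of the first patch, the guard `if os.getuid() == 0:` tests the real uid, while the privilege being dropped is the effective one; `os.geteuid() == 0` is the conventional check, and with the real-uid test a process whose effective uid is 0 but whose real uid is not would keep root. The drop order itself (`os.setgroups([])`, then `os.setgid(ceph_gid)`, then `os.setuid(ceph_uid)`) is correct, since the uid must change last. Worth a sentence in the patch description: `drop_privs()` is called before `parse_args()`, so whatever `--path` is given, and the `posted` directory joined onto it, must already be accessible to the `ceph` user; a root-only path will now fail inside the scrape loop instead of being processed as root.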
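Review bot: in the `while True:` hunk of the first patch, `log.error(f"Error scraping {args.path}: {e}")` discards the traceback, which makes a recurring failure (a permissions problem after the privilege drop, for instance) hard to diagnose from the log alone; `log.exception(f"Error scraping {args.path}")` inside the `except` block records the same message together with the stack. Catching `Exception` here is otherwise the right choice, since the description says the goal is to keep ceph-crash running rather than exit on the first bad crash directory.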
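Review bot: in the `post_crash()` hunk of the second patch, `stderr = stderr.decode()` uses the default strict UTF-8 decoding, so a non-UTF-8 byte in the child process's stderr raises `UnicodeDecodeError` and the `rc != 0` handling that follows is never reached for that crash; `stderr = stderr.decode(errors="replace")` keeps it reachable whatever the child printed. With the first patch applied the exception would at least be caught and logged by the scrape loop, but the crash would still not be posted. The change itself is correct: `communicate()` returns `(stdout, stderr)` as bytes, so the empty-string check the description mentions could not have matched before.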