--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package ceph/0.80.7-2+deb8u2
- From: Gaudenz Steinlin <gaudenz@debian.org>
- Date: Wed, 28 Dec 2016 11:38:30 +0100
- Message-id: <148292151048.998.14276943016660551257.reportbug@moebius.durcheinandertal.private>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi

I would like to update ceph with the next stable point release to fix
the 4 security issues listed below. These are all minor issues which did
not warrant a DSA on their own, but are still worth fixing.

https://security-tracker.debian.org/tracker/CVE-2016-9579
https://security-tracker.debian.org/tracker/CVE-2016-5009
https://security-tracker.debian.org/tracker/CVE-2016-7031
https://security-tracker.debian.org/tracker/CVE-2016-8626

The complete debdiff is attached below. I have already built the
package, but not yet uploaded. As soon as I get your OK I'll upload the
package.

Gaudenz
-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ceph-0.80.7/debian/changelog ceph-0.80.7/debian/changelog
--- ceph-0.80.7/debian/changelog	2016-01-15 10:42:14.000000000 +0100
+++ ceph-0.80.7/debian/changelog	2016-12-28 10:47:36.000000000 +0100
@@ -1,3 +1,14 @@
+ceph (0.80.7-2+deb8u2) jessie; urgency=medium
+
+  * [78329e] Upstream fix for CVE-2016-9579 (short CORS request)
+    (Closes: #849048)
+  * [514d48] Upstream fix for CVE-2016-5009 (mon DoS) (Closes: #829661)
+  * [7ae81b] Upstream fix for CVE-2016-7031 (anonymous read on ACL)
+    (Closes: #838026)
+  * [86ac46] Upstream fix for CVE-2016-8626 (RGW DoS) (Closes: #844200)
+
+ -- Gaudenz Steinlin <gaudenz@debian.org>  Wed, 28 Dec 2016 10:47:36 +0100
+
 ceph (0.80.7-2+deb8u1) jessie; urgency=medium
 
   * [61b5e0] Patch to fix CVE-2015-5245 applied from upstream (Closes: #798567)
diff -Nru ceph-0.80.7/debian/gbp.conf ceph-0.80.7/debian/gbp.conf
--- ceph-0.80.7/debian/gbp.conf	2016-01-15 10:41:01.000000000 +0100
+++ ceph-0.80.7/debian/gbp.conf	2016-12-27 21:47:49.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = jessie-security
+debian-branch = jessie
 pristine-tar = True
 
 [import-orig]
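Review bot: the switch of `debian-branch` from `jessie-security` to `jessie` in debian/gbp.conf is not recorded in the new 0.80.7-2+deb8u2 changelog entry, which lists only the four CVE fixes. A one-line changelog item for the branch change would keep the entry complete for anyone reading the point-release upload later.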
diff -Nru ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch
--- ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch	1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch	2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,99 @@
+commit b78a1be835706e7dabc505be343945d0ac05697d
+Author: Kefu Chai <kchai@redhat.com>
+Date:   Thu Jun 30 13:24:22 2016 +0800
+
+    mon: Monitor: validate prefix on handle_command()
+    
+    Fixes: http://tracker.ceph.com/issues/16297
+    
+    Signed-off-by: You Ji <youji@ebay.com>
+    (cherry picked from commit 7cb3434fed03a5497abfd00bcec7276b70df0654)
+    
+    Conflicts:
+        src/mon/Monitor.cc (the signature of Monitor::reply_command()
+                            changed a little bit in master, so adapt the
+                            commit to work with the old method)
+
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -2214,7 +2214,19 @@
+     return;
+   }
+ 
+-  cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++  // check return value. If no prefix parameter provided,
++  // return value will be false, then return error info.
++  if(!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
++    reply_command(m, -EINVAL, "command prefix not found", 0);
++    return;
++  }
++
++  // check prefix is empty
++  if (prefix.empty()) {
++    reply_command(m, -EINVAL, "command prefix must not be empty", 0);
++    return;
++  }
++
+   if (prefix == "get_command_descriptions") {
+     bufferlist rdata;
+     Formatter *f = new_formatter("json");
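Review bot: the first added check is written `if(!cmd_getval(...))` with no space after `if`, while the check directly below it uses `if (prefix.empty())`; use the spaced form in both. A prefix made only of whitespace or separators passes `prefix.empty()`, so this hunk relies on the `fullcmd.empty()` check added further down in the same file to reject it; saying so in the `// check prefix is empty` comment would make clear that the two checks are meant to work together.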
+@@ -2235,6 +2247,15 @@
+   boost::scoped_ptr<Formatter> f(new_formatter(format));
+ 
+   get_str_vec(prefix, fullcmd);
++
++  // make sure fullcmd is not empty.
++  // invalid prefix will cause empty vector fullcmd.
++  // such as, prefix=";,,;"
++  if (fullcmd.empty()) {
++    reply_command(m, -EINVAL, "command requires a prefix to be valid", 0);
++    return;
++  }
++
+   module = fullcmd[0];
+ 
+   // validate command is in leader map
+--- a/src/test/librados/cmd.cc
++++ b/src/test/librados/cmd.cc
+@@ -49,6 +49,41 @@
+   rados_buffer_free(buf);
+   rados_buffer_free(st);
+ 
++  cmd[0] = (char *)"";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "{}", 2, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"abc\":\"something\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"    \"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\";;;,,,;;,,\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"extra command\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
+   cmd[0] = (char *)"{\"prefix\":\"mon_status\"}";
+   ASSERT_EQ(0, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
+   ASSERT_LT(0u, buflen);
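Review bot: the `"extra command"` case expects -EINVAL, but none of the checks added to Monitor.cc in this patch reject a non-empty, well-formed prefix, so a short comment naming the existing check that is expected to refuse it would help. The first case also differs from the rest (empty `cmd[0]`, with `"{}"` and length 2 passed as the input buffer) without explanation. The seven added cases otherwise repeat the same four lines with only `cmd[0]` changing; a loop over an array of inputs would be shorter and easier to extend.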
diff -Nru ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch
--- ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch	1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch	2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,44 @@
+commit 99ba6610a8f437604cadf68cbe9969def893e870
+Author: root <rahul.1aggarwal@gmail.com>
+Date:   Thu Sep 24 00:21:13 2015 +0530
+
+    13207: Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL
+    
+    Signed-off-by: root <rahul.1aggarwal@gmail.com>
+
+--- a/src/rgw/rgw_acl_s3.cc
++++ b/src/rgw/rgw_acl_s3.cc
+@@ -537,7 +537,7 @@
+ {
+   switch (group) {
+   case ACL_GROUP_ALL_USERS:
+-    return (id.compare(rgw_uri_all_users) == 0);
++    return (id.compare(RGW_USER_ANON_ID) == 0);
+   case ACL_GROUP_AUTHENTICATED_USERS:
+     return (id.compare(rgw_uri_auth_users) == 0);
+   default:
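Review bot: in the `ACL_GROUP_ALL_USERS` case the comparison now uses `RGW_USER_ANON_ID`, while the `ACL_GROUP_AUTHENTICATED_USERS` case just below still compares `id` against `rgw_uri_auth_users`, and neither the code nor the one-line commit message says why only one case changes. Since the commit title is about authenticated-read ACLs, a comment on this switch explaining what `id` is expected to hold in each case would make the fix reviewable on its own.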
+--- a/src/rgw/rgw_op.cc
++++ b/src/rgw/rgw_op.cc
+@@ -15,6 +15,7 @@
+ #include "rgw_rest.h"
+ #include "rgw_acl.h"
+ #include "rgw_acl_s3.h"
++#include "rgw_acl_swift.h"
+ #include "rgw_user.h"
+ #include "rgw_bucket.h"
+ #include "rgw_log.h"
+@@ -322,7 +323,13 @@
+ 
+   s->bucket_instance_id = s->info.args.get(RGW_SYS_PARAM_PREFIX "bucket-instance");
+ 
+-  s->bucket_acl = new RGWAccessControlPolicy(s->cct);
++  if(s->dialect.compare("s3") == 0) {
++    s->bucket_acl = new RGWAccessControlPolicy_S3(s->cct);
++  } else if(s->dialect.compare("swift")  == 0) {
++    s->bucket_acl = new RGWAccessControlPolicy_SWIFT(s->cct);
++  } else {
++    s->bucket_acl = new RGWAccessControlPolicy(s->cct);
++  }
+ 
+   if (s->copy_source) { /* check if copy source is within the current domain */
+     const char *src = s->copy_source;
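Review bot: the final `else` still constructs the base `RGWAccessControlPolicy` for any dialect other than "s3" or "swift", which is the pre-patch behaviour; a comment on which dialects are expected to reach it, and whether the base class is safe for them, is missing. Style: `if(` and `else if(` lack the space after the keyword, there is a double space before `==` in the swift branch, and `s->dialect == "s3"` reads more simply than `compare(...) == 0`.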
diff -Nru ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch
--- ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch	1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch	2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,30 @@
+commit 23cb642243e09ca4a8e104f62a3bb7b2cbb6ea12
+Author: Yehuda Sadeh <yehuda@redhat.com>
+Date:   Thu Oct 20 10:17:36 2016 -0700
+
+    rgw: handle empty POST condition
+    
+    Fixes: http://tracker.ceph.com/issues/17635
+    
+    Before accessing json entity, need to check that iterator is valid.
+    If there is no entry return appropriate error code.
+    
+    Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
+
+--- a/src/rgw/rgw_policy_s3.cc
++++ b/src/rgw/rgw_policy_s3.cc
+@@ -284,11 +284,13 @@
+       int r = add_condition(v[0], v[1], v[2], err_msg);
+       if (r < 0)
+         return r;
+-    } else {
++    } else if (!citer.end()) {
+       JSONObj *c = *citer;
+       dout(0) << "adding simple_check: " << c->get_name() << " : " << c->get_data() << dendl;
+ 
+       add_simple_check(c->get_name(), c->get_data());
++    } else {
++      return -EINVAL;
+     }
+   }
+   return 0;
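Review bot: the new `return -EINVAL` path sets no error text and logs nothing, whereas the branch above it passes `err_msg` to `add_condition()`. Filling `err_msg` (and emitting a `dout` line) before returning would tell the client and the operator that the POST policy contained an empty condition rather than leaving a bare error code.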
diff -Nru ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch
--- ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch	1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch	2016-12-27 21:50:34.000000000 +0100
@@ -0,0 +1,51 @@
+commit 67d4d9e64bc224e047cf333e673bb22cd6290789
+Author: LiuYang <yippeetry@gmail.com>
+Date:   Thu Dec 8 14:21:43 2016 +0800
+
+    rgw: do not abort when accept a CORS request with short origin
+    
+    Fixed: #18187
+    
+    when accept a CROS request, the request http origin shorter than the bucket's corsrule
+    (eg. origin: http://s.com corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).
+    the rgw_cors.cc::is_string_in_set() will have a wrong index, the radosrgw server will
+    abort.
+    
+    $ curl http://test.localhost:8000/app.data -H "Origin:http://s.com"
+    
+     0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 *** Caught signal (Aborted) **
+     in thread 7f6add05d700 thread_name:civetweb-worker
+    
+     ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
+     1: (()+0x50720a) [0x7f6b147c420a]
+     2: (()+0xf370) [0x7f6b09a33370]
+     3: (gsignal()+0x37) [0x7f6b081ca1d7]
+     4: (abort()+0x148) [0x7f6b081cb8c8]
+     5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
+     6: (()+0x5e946) [0x7f6b08acc946]
+     7: (()+0x5e973) [0x7f6b08acc973]
+     8: (()+0x5eb93) [0x7f6b08accb93]
+     9: (std::__throw_out_of_range(char const*)+0x77) 0x7f6b08b21a17]
+     10: (()+0xbd97a) [0x7f6b08b2b97a]
+     11: (()+0x449c1e) [0x7f6b14706c1e]
+     12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
+     13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
+     14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
+     15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]
+    
+    Signed-off-by: LiuYang <yippeetry@gmail.com>
+
+diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
+index 1ad5b43136..f2c7f3ac64 100644
+--- a/src/rgw/rgw_cors.cc
++++ b/src/rgw/rgw_cors.cc
+@@ -104,7 +104,8 @@ static bool is_string_in_set(set<string>& s, string h) {
+         string sl = ssplit.front();
+         dout(10) << "Finding " << sl << ", in " << h 
+           << ", at offset not less than " << flen << dendl;
+-        if (h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
++        if (h.size() < sl.size() ||
++	    h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
+           continue;
+         ssplit.pop_front();
+       }
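Review bot: the added continuation line `h.compare((h.size() - sl.size()), sl.size(), sl) != 0)` is indented with a tab while the surrounding lines use spaces; align it with spaces under `h.size()`. The `h.size() < sl.size()` guard is the right place to stop the unsigned subtraction from wrapping, but no test comes with it; a case using the commit message's own example (origin `http://s.com` against `*.verylongdomain.com`) would cover the regression.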
diff -Nru ceph-0.80.7/debian/patches/series ceph-0.80.7/debian/patches/series
--- ceph-0.80.7/debian/patches/series	2016-01-15 10:41:01.000000000 +0100
+++ ceph-0.80.7/debian/patches/series	2016-12-28 10:47:27.000000000 +0100
@@ -16,6 +16,12 @@
 rbdmap2-hooks.patch
 CVE-2015-5245.patch
 
+## Security
+cve-2016-5009_mon_dos.patch
+cve-2016-7031_rgw_anonymous_read.patch
+cve-2016-8626_rgw_dos.patch
+cve-2016-9579_short_cors_request.patch
+
 ## Debian
 rbdmap3-lazyumount.patch
 arch.patch
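Review bot: the new `## Security` heading is placed after `CVE-2015-5245.patch`, so that earlier security patch stays in the preceding section, and its upper-case name differs from the lower-case `cve-2016-*` names added here. Moving the heading above `CVE-2015-5245.patch` would group all CVE patches together; the naming difference can stay if renaming the old file is not worth the churn in a stable update.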
--- End Message ---