
Bug#849538: marked as done (jessie-pu: package ceph/0.80.7-2+deb8u2)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #849538,
regarding jessie-pu: package ceph/0.80.7-2+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
849538: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849538
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

I would like to update ceph with the next stable point release to fix
the 4 security issues listed below. These are all minor issues which did
not warrant a DSA on their own, but are still worth fixing.

https://security-tracker.debian.org/tracker/CVE-2016-9579
https://security-tracker.debian.org/tracker/CVE-2016-5009
https://security-tracker.debian.org/tracker/CVE-2016-7031
https://security-tracker.debian.org/tracker/CVE-2016-8626

The complete debdiff is attached below. I have already built the
package, but not yet uploaded. As soon as I get your OK I'll upload the
package.

Gaudenz

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ceph-0.80.7/debian/changelog ceph-0.80.7/debian/changelog
--- ceph-0.80.7/debian/changelog	2016-01-15 10:42:14.000000000 +0100
+++ ceph-0.80.7/debian/changelog	2016-12-28 10:47:36.000000000 +0100
@@ -1,3 +1,14 @@
+ceph (0.80.7-2+deb8u2) jessie; urgency=medium
+
+  * [78329e] Upstream fix for CVE-2016-9579 (short CORS request)
+    (Closes: #849048)
+  * [514d48] Upstream fix for CVE-2016-5009 (mon DoS) (Closes: #829661)
+  * [7ae81b] Upstream fix for CVE-2016-7031 (anonymous read on ACL)
+    (Closes: #838026)
+  * [86ac46] Upstream fix for CVE-2016-8626 (RGW DoS) (Closes: #844200)
+
+ -- Gaudenz Steinlin <gaudenz@debian.org>  Wed, 28 Dec 2016 10:47:36 +0100
+
 ceph (0.80.7-2+deb8u1) jessie; urgency=medium
 
   * [61b5e0] Patch to fix CVE-2015-5245 applied from upstream (Closes: #798567)
diff -Nru ceph-0.80.7/debian/gbp.conf ceph-0.80.7/debian/gbp.conf
--- ceph-0.80.7/debian/gbp.conf	2016-01-15 10:41:01.000000000 +0100
+++ ceph-0.80.7/debian/gbp.conf	2016-12-27 21:47:49.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = jessie-security
+debian-branch = jessie
 pristine-tar = True
 
 [import-orig]
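Review bot: the debian-branch change from jessie-security to jessie is not mentioned in the 0.80.7-2+deb8u2 changelog entry, which lists only the four CVE fixes; add a line for it so the packaging change is documented with the upload.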
diff -Nru ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch
--- ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch	1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch	2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,99 @@
+commit b78a1be835706e7dabc505be343945d0ac05697d
+Author: Kefu Chai <kchai@redhat.com>
+Date:   Thu Jun 30 13:24:22 2016 +0800
+
+    mon: Monitor: validate prefix on handle_command()
+    
+    Fixes: http://tracker.ceph.com/issues/16297
+    
+    Signed-off-by: You Ji <youji@ebay.com>
+    (cherry picked from commit 7cb3434fed03a5497abfd00bcec7276b70df0654)
+    
+    Conflicts:
+        src/mon/Monitor.cc (the signature of Monitor::reply_command()
+                            changed a little bit in master, so adapt the
+                            commit to work with the old method)
+
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -2214,7 +2214,19 @@
+     return;
+   }
+ 
+-  cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++  // check return value. If no prefix parameter provided,
++  // return value will be false, then return error info.
++  if(!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
++    reply_command(m, -EINVAL, "command prefix not found", 0);
++    return;
++  }
++
++  // check prefix is empty
++  if (prefix.empty()) {
++    reply_command(m, -EINVAL, "command prefix must not be empty", 0);
++    return;
++  }
++
+   if (prefix == "get_command_descriptions") {
+     bufferlist rdata;
+     Formatter *f = new_formatter("json");
+@@ -2235,6 +2247,15 @@
+   boost::scoped_ptr<Formatter> f(new_formatter(format));
+ 
+   get_str_vec(prefix, fullcmd);
++
++  // make sure fullcmd is not empty.
++  // invalid prefix will cause empty vector fullcmd.
++  // such as, prefix=";,,;"
++  if (fullcmd.empty()) {
++    reply_command(m, -EINVAL, "command requires a prefix to be valid", 0);
++    return;
++  }
++
+   module = fullcmd[0];
+ 
+   // validate command is in leader map
+--- a/src/test/librados/cmd.cc
++++ b/src/test/librados/cmd.cc
+@@ -49,6 +49,41 @@
+   rados_buffer_free(buf);
+   rados_buffer_free(st);
+ 
++  cmd[0] = (char *)"";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "{}", 2, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"abc\":\"something\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"    \"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\";;;,,,;;,,\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"extra command\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
+   cmd[0] = (char *)"{\"prefix\":\"mon_status\"}";
+   ASSERT_EQ(0, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
+   ASSERT_LT(0u, buflen);
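Review bot: in the cmd.cc hunk, the `{"prefix":"extra command"}` case expects -EINVAL, but none of the three checks added to Monitor.cc rejects a non-empty, well-formed prefix, so that assertion depends on the existing "validate command is in leader map" code further down; please confirm that path returns -EINVAL in 0.80.7 and not a different error code. The whitespace-only prefix case is likewise caught only by the new fullcmd.empty() check, so the comment there should name whitespace alongside the `;,,;` example. Style: `if(!cmd_getval(` lacks the space used by `if (prefix.empty())` a few lines below.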
diff -Nru ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch
--- ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch	1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch	2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,44 @@
+commit 99ba6610a8f437604cadf68cbe9969def893e870
+Author: root <rahul.1aggarwal@gmail.com>
+Date:   Thu Sep 24 00:21:13 2015 +0530
+
+    13207: Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL
+    
+    Signed-off-by: root <rahul.1aggarwal@gmail.com>
+
+--- a/src/rgw/rgw_acl_s3.cc
++++ b/src/rgw/rgw_acl_s3.cc
+@@ -537,7 +537,7 @@
+ {
+   switch (group) {
+   case ACL_GROUP_ALL_USERS:
+-    return (id.compare(rgw_uri_all_users) == 0);
++    return (id.compare(RGW_USER_ANON_ID) == 0);
+   case ACL_GROUP_AUTHENTICATED_USERS:
+     return (id.compare(rgw_uri_auth_users) == 0);
+   default:
+--- a/src/rgw/rgw_op.cc
++++ b/src/rgw/rgw_op.cc
+@@ -15,6 +15,7 @@
+ #include "rgw_rest.h"
+ #include "rgw_acl.h"
+ #include "rgw_acl_s3.h"
++#include "rgw_acl_swift.h"
+ #include "rgw_user.h"
+ #include "rgw_bucket.h"
+ #include "rgw_log.h"
+@@ -322,7 +323,13 @@
+ 
+   s->bucket_instance_id = s->info.args.get(RGW_SYS_PARAM_PREFIX "bucket-instance");
+ 
+-  s->bucket_acl = new RGWAccessControlPolicy(s->cct);
++  if(s->dialect.compare("s3") == 0) {
++    s->bucket_acl = new RGWAccessControlPolicy_S3(s->cct);
++  } else if(s->dialect.compare("swift")  == 0) {
++    s->bucket_acl = new RGWAccessControlPolicy_SWIFT(s->cct);
++  } else {
++    s->bucket_acl = new RGWAccessControlPolicy(s->cct);
++  }
+ 
+   if (s->copy_source) { /* check if copy source is within the current domain */
+     const char *src = s->copy_source;
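Review bot: in the rgw_op.cc hunk the final `else` still allocates the plain RGWAccessControlPolicy, so any dialect other than "s3" or "swift" keeps the previous object type; a comment stating which dialects can reach that branch, and why the S3 and Swift subclasses are needed for this fix, would make the intent reviewable. Separately, in rgw_acl_s3.cc the ACL_GROUP_ALL_USERS case now compares id against RGW_USER_ANON_ID while the ACL_GROUP_AUTHENTICATED_USERS case still compares the same id against rgw_uri_auth_users; please confirm that asymmetry is intended. Style: `if(s->dialect.compare(` lacks a space after `if`, and `"swift")  == 0` has a doubled space.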
diff -Nru ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch
--- ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch	1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch	2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,30 @@
+commit 23cb642243e09ca4a8e104f62a3bb7b2cbb6ea12
+Author: Yehuda Sadeh <yehuda@redhat.com>
+Date:   Thu Oct 20 10:17:36 2016 -0700
+
+    rgw: handle empty POST condition
+    
+    Fixes: http://tracker.ceph.com/issues/17635
+    
+    Before accessing json entity, need to check that iterator is valid.
+    If there is no entry return appropriate error code.
+    
+    Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
+
+--- a/src/rgw/rgw_policy_s3.cc
++++ b/src/rgw/rgw_policy_s3.cc
+@@ -284,11 +284,13 @@
+       int r = add_condition(v[0], v[1], v[2], err_msg);
+       if (r < 0)
+         return r;
+-    } else {
++    } else if (!citer.end()) {
+       JSONObj *c = *citer;
+       dout(0) << "adding simple_check: " << c->get_name() << " : " << c->get_data() << dendl;
+ 
+       add_simple_check(c->get_name(), c->get_data());
++    } else {
++      return -EINVAL;
+     }
+   }
+   return 0;
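Review bot: the new final `else` in rgw_policy_s3.cc returns -EINVAL without filling err_msg, while the add_condition() branch above passes err_msg so the caller can report why the policy was rejected; set err_msg (and log at a debug level) before `return -EINVAL;` so an empty POST condition is distinguishable from other failures.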
diff -Nru ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch
--- ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch	1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch	2016-12-27 21:50:34.000000000 +0100
@@ -0,0 +1,51 @@
+commit 67d4d9e64bc224e047cf333e673bb22cd6290789
+Author: LiuYang <yippeetry@gmail.com>
+Date:   Thu Dec 8 14:21:43 2016 +0800
+
+    rgw: do not abort when accept a CORS request with short origin
+    
+    Fixed: #18187
+    
+    when accept a CROS request, the request http origin shorter than the bucket's corsrule
+    (eg. origin: http://s.com corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).
+    the rgw_cors.cc::is_string_in_set() will have a wrong index, the radosrgw server will
+    abort.
+    
+    $ curl http://test.localhost:8000/app.data -H "Origin:http://s.com";
+    
+     0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 *** Caught signal (Aborted) **
+     in thread 7f6add05d700 thread_name:civetweb-worker
+    
+     ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
+     1: (()+0x50720a) [0x7f6b147c420a]
+     2: (()+0xf370) [0x7f6b09a33370]
+     3: (gsignal()+0x37) [0x7f6b081ca1d7]
+     4: (abort()+0x148) [0x7f6b081cb8c8]
+     5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
+     6: (()+0x5e946) [0x7f6b08acc946]
+     7: (()+0x5e973) [0x7f6b08acc973]
+     8: (()+0x5eb93) [0x7f6b08accb93]
+     9: (std::__throw_out_of_range(char const*)+0x77) 0x7f6b08b21a17]
+     10: (()+0xbd97a) [0x7f6b08b2b97a]
+     11: (()+0x449c1e) [0x7f6b14706c1e]
+     12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
+     13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
+     14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
+     15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]
+    
+    Signed-off-by: LiuYang <yippeetry@gmail.com>
+
+diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
+index 1ad5b43136..f2c7f3ac64 100644
+--- a/src/rgw/rgw_cors.cc
++++ b/src/rgw/rgw_cors.cc
+@@ -104,7 +104,8 @@ static bool is_string_in_set(set<string>& s, string h) {
+         string sl = ssplit.front();
+         dout(10) << "Finding " << sl << ", in " << h 
+           << ", at offset not less than " << flen << dendl;
+-        if (h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
++        if (h.size() < sl.size() ||
++	    h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
+           continue;
+         ssplit.pop_front();
+       }
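Review bot: the added `h.size() < sl.size()` guard in is_string_in_set() comes with no test for an Origin shorter than the rule's suffix, unlike the mon patch in this upload, which adds cases to cmd.cc; a unit test using the commit message's own example (origin http://s.com against *.verylongdomain.com) would keep the abort from regressing. The continuation line is also indented with a tab where the surrounding lines use spaces.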
diff -Nru ceph-0.80.7/debian/patches/series ceph-0.80.7/debian/patches/series
--- ceph-0.80.7/debian/patches/series	2016-01-15 10:41:01.000000000 +0100
+++ ceph-0.80.7/debian/patches/series	2016-12-28 10:47:27.000000000 +0100
@@ -16,6 +16,12 @@
 rbdmap2-hooks.patch
 CVE-2015-5245.patch
 
+## Security
+cve-2016-5009_mon_dos.patch
+cve-2016-7031_rgw_anonymous_read.patch
+cve-2016-8626_rgw_dos.patch
+cve-2016-9579_short_cors_request.patch
+
 ## Debian
 rbdmap3-lazyumount.patch
 arch.patch
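Review bot: the new "## Security" section leaves the existing CVE-2015-5245.patch just above it, outside the section, and the four new files use a lowercase cve- prefix where that one is upper case; moving CVE-2015-5245.patch under the header, if patch order allows, or adding a comment would make the grouping consistent.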

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
