Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I have prepared an update for Ceph in Bullseye to address
CVE-2022-3650 (i.e. ceph to root privilege escalation).
The security team already told me that there will be no DSA.
[ Reason ]
(Explain what the reason for the (old-)stable update is. I.e.
what is the bug, when was it introduced, is this a regression
with respect to the previous (old-)stable.)
[ Impact ]
Anyone logged in as Ceph can become root whenever there's a disk
event without the attached patch.
[ Tests ]
Upstream runs functional test suite, and I trust it.
[ Risks ]
The code is quite trivial and easy to backport (python code).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The Python code checks input better and avoids privilege escalation.
See attached debdiff, it's quite readable.
Cheers,
Thomas Goirand (zigo)
diff -Nru ceph-14.2.21/debian/changelog ceph-14.2.21/debian/changelog
--- ceph-14.2.21/debian/changelog 2021-05-27 12:04:21.000000000 +0200
+++ ceph-14.2.21/debian/changelog 2022-11-30 14:20:19.000000000 +0100
@@ -1,3 +1,10 @@
+ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium
+
+ * CVE-2022-3650: privilege escalation from the ceph user to root. Applied
+ upstream patches (Closes: #1024932).
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 30 Nov 2022 14:20:19 +0100
+
ceph (14.2.21-1) unstable; urgency=high
* New upstream release, resolving these:
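Review bot: the distribution on the new changelog line is `bullseye-security`, but this is a bullseye-pu request and the cover mail says the security team will issue no DSA; a proposed-updates upload uses plain `bullseye` as the distribution. Suggest changing the line to `ceph (14.2.21-1+deb11u1) bullseye; urgency=medium`; the `+deb11u1` version suffix itself is correct for a stable update.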
diff -Nru ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
--- ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch 2022-11-30 14:20:19.000000000 +0100
@@ -0,0 +1,61 @@
+Description: CVE-2022-3650: ceph-crash: drop privleges to run as "ceph" user, rather than root
+ If privileges cannot be dropped, log an error and exit. This commit
+ also catches and logs exceptions when scraping the crash path, without
+ which ceph-crash would just exit if it encountered an error.
+Author: Tim Serong <tserong@suse.com>
+Date: Wed, 2 Nov 2022 14:27:47 +1100
+Bug: https://tracker.ceph.com/issues/57967
+Signed-off-by: Tim Serong <tserong@suse.com>
+Origin: upstream, https://github.com/ceph/ceph/commit/130c9626598bc3a75942161e6cce7c664c447382
+Bug-Debian: https://bugs.debian.org/1024932
+Last-Update: 2022-11-28
+
+--- ceph-14.2.21.orig/src/ceph-crash.in
++++ ceph-14.2.21/src/ceph-crash.in
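Review bot: "privleges" in the Description line and in the patch file name is a typo carried over from the upstream commit subject; it is harmless, but if it is ever corrected the matching entry in debian/patches/series has to be renamed in step or quilt will fail to find the patch. The rest of the DEP-3 header (Origin, Bug, Bug-Debian, Last-Update) is complete.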
+@@ -3,8 +3,10 @@
+ # vim: ts=4 sw=4 smarttab expandtab
+
+ import argparse
++import grp
+ import logging
+ import os
++import pwd
+ import socket
+ import subprocess
+ import sys
+@@ -76,7 +78,23 @@ def scrape_path(path):
+ )
+
+
++def drop_privs():
++ if os.getuid() == 0:
++ try:
++ ceph_uid = pwd.getpwnam("ceph").pw_uid
++ ceph_gid = grp.getgrnam("ceph").gr_gid
++ os.setgroups([])
++ os.setgid(ceph_gid)
++ os.setuid(ceph_uid)
++ except Exception as e:
++ log.error(f"Unable to drop privileges: {e}")
++ sys.exit(1)
++
++
+ def main():
++ # run as unprivileged ceph user
++ drop_privs()
++
+ args = parse_args()
+ postdir = os.path.join(args.path, 'posted')
+ if args.name:
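Review bot: drop_privs() logs nothing on success, so an operator cannot confirm from the journal that ceph-crash is really running as the ceph user after this change; suggest a `log.info` after `os.setuid(ceph_uid)` recording `os.getuid()` and `os.getgid()`. The order setgroups -> setgid -> setuid is the correct one (the reverse would either keep root's supplementary groups or fail to change the gid once root is gone), and catching `Exception` around the block is safe because `sys.exit()` raises SystemExit, which is not an Exception subclass. When the daemon is started as a non-root user other than ceph the function silently does nothing, which matches the Description but is worth spelling out there.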
+@@ -88,7 +106,10 @@ def main():
+
+ log.info("monitoring path %s, delay %ds" % (args.path, args.delay * 60.0))
+ while True:
+- scrape_path(args.path)
++ try:
++ scrape_path(args.path)
++ except Exception as e:
++ log.error(f"Error scraping {args.path}: {e}")
+ if args.delay == 0:
+ sys.exit(0)
+ time.sleep(args.delay * 60)
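Review bot: the new try/except changes the exit status in one-shot mode: when `args.delay == 0` and scrape_path() raises, the exception is now logged and the code falls through to `sys.exit(0)`, reporting success to whatever invoked the scan, where previously the uncaught exception produced a non-zero exit. Suggest recording the failure in the except branch (a boolean is enough) and passing a non-zero code to `sys.exit()` when it is set, so cron jobs and monitoring still see the error. Catching bare `Exception` is acceptable for the long-running loop, but `log.error(..., exc_info=True)` would keep the traceback, which is what you want when diagnosing a malformed crash directory.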
diff -Nru ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
--- ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch 2022-11-30 14:20:19.000000000 +0100
@@ -0,0 +1,24 @@
+Description: CVE-2022-3650: ceph-crash: fix stderr handling
+ Popen.communicate() returns a tuple (stdout, stderr), and stderr
+ will be of type bytes, hence the need to decode it before checking
+ if it's an empty string or not.
+Author: Tim Serong <tserong@suse.com>
+Date: Wed, 2 Nov 2022 14:23:20 +1100
+Bug: a77b47eeeb5770eeefcf4619ab2105ee7a6a003e
+Signed-off-by: Tim Serong <tserong@suse.com>
+Bug-Debian: https://bugs.debian.org/1024932
+Origin: upstream, https://github.com/ceph/ceph/commit/45915540559126a652f8d9d105723584cfc63439
+Last-Update: 2022-11-28
+
+--- ceph-14.2.21.orig/src/ceph-crash.in
++++ ceph-14.2.21/src/ceph-crash.in
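Review bot: the `Bug:` field holds a bare commit hash (a77b47ee...) rather than a URL, which is what DEP-3 expects for that field; the first patch references https://tracker.ceph.com/issues/57967, so this one should point at the corresponding tracker issue (or a URL for that commit) and the hash can move into the Description if it is still wanted.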
+@@ -46,7 +46,8 @@ def post_crash(path):
+ stderr=subprocess.PIPE,
+ )
+ f = open(os.path.join(path, 'meta'), 'rb')
+- stdout, stderr = pr.communicate(input=f.read())
++ (_, stderr) = pr.communicate(input=f.read())
++ stderr = stderr.decode()
+ rc = pr.wait()
+ f.close()
+ if rc != 0:
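Review bot: `stderr.decode()` raises UnicodeDecodeError if the ceph CLI writes non-UTF-8 bytes to stderr, turning a failed crash post into an exception out of post_crash(); suggest `stderr.decode(errors='replace')`, which still yields an empty string for the `if rc != 0` check below when nothing was written. Discarding stdout as `_` is fine since the original code never used it.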
diff -Nru ceph-14.2.21/debian/patches/series ceph-14.2.21/debian/patches/series
--- ceph-14.2.21/debian/patches/series 2021-05-27 12:04:21.000000000 +0200
+++ ceph-14.2.21/debian/patches/series 2022-11-30 14:20:19.000000000 +0100
@@ -20,3 +20,5 @@
another-cmakelists-fix.patch
fix-ceph-osd-systemd-target.patch
allow-bgp-to-host.patch
+CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
+CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch