Bug#1053832: bookworm-pu: package ceph/16.2.11+ds-2 (CVE-2023-43040)
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ceph@packages.debian.org
Control: affects -1 + src:ceph
Hi,
[ Reason ]
CVE-2023-43040
[ Impact ]
security issue with RGW with improperly verified POST keys.
[ Tests ]
Upstream runs an extensive unit and functional test suite.
[ Risks ]
There's no modification of the code, just a move of a small
block of code to the appropriate location. So I believe the
risk is minimal.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Just the upstream patch as per the debdiff.
[ Other info ]
Note that the debdiff shows changes in the src/test/debian-jessie
and src/test/ubuntu-16.04 folders. These are generated by the
upstream code, and fixing these would be IMO unecessary effort to
change something that has no consequence on the generated binaries.
So please ignore these.
diff -Nru ceph-16.2.11+ds/debian/changelog ceph-16.2.11+ds/debian/changelog
--- ceph-16.2.11+ds/debian/changelog 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/debian/changelog 2023-10-09 10:43:41.000000000 +0200
@@ -1,3 +1,11 @@
+ceph (16.2.11+ds-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2023-43040: security issue with RGW with improperly verified POST keys.
+ Applied upstream fix: rgw: Fix bucket validation against POST policies
+ (Closes: #1053690).
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 09 Oct 2023 10:43:41 +0200
+
ceph (16.2.11+ds-2) unstable; urgency=medium
* Add missing python3-distutils runtime depends in ceph-common.
diff -Nru ceph-16.2.11+ds/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch ceph-16.2.11+ds/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
--- ceph-16.2.11+ds/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-16.2.11+ds/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 2023-10-09 10:43:41.000000000 +0200
@@ -0,0 +1,44 @@
+Author: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Wed, 17 May 2023 12:17:09 -0600
+Description: CVE-2023-43040 rgw: Fix bucket validation against POST policies
+ It's possible that user could provide a form part as a part of a POST
+ object upload that uses 'bucket' as a key; in this case, it was
+ overriding what was being set in the validation env (which is the real
+ bucket being modified). The result of this is that a user could actually
+ upload to any bucket accessible by the specified access key by matching
+ the bucket in the POST policy in said POST form part.
+ .
+ Fix this simply by setting the bucket to the correct value after the
+ POST form parts are processed, ignoring the form part above if
+ specified.
+Bug: https://tracker.ceph.com/issues/63004
+Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
+Origin: https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8.patch
+Last-Date: 2024-10-09
+
+Index: ceph/src/rgw/rgw_rest_s3.cc
+===================================================================
+--- ceph.orig/src/rgw/rgw_rest_s3.cc
++++ ceph/src/rgw/rgw_rest_s3.cc
+@@ -2661,10 +2661,6 @@ int RGWPostObj_ObjStore_S3::get_params(o
+
+ map_qs_metadata(s);
+
+- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
+- << dendl;
+- env.add_var("bucket", s->bucket->get_name());
+-
+ bool done;
+ do {
+ struct post_form_part part;
+@@ -2715,6 +2711,10 @@ int RGWPostObj_ObjStore_S3::get_params(o
+ env.add_var(part.name, part_str);
+ } while (!done);
+
++ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
++ << dendl;
++ env.add_var("bucket", s->bucket->get_name());
++
+ string object_str;
+ if (!part_str(parts, "key", &object_str)) {
+ err_msg = "Key not specified";
diff -Nru ceph-16.2.11+ds/debian/patches/series ceph-16.2.11+ds/debian/patches/series
--- ceph-16.2.11+ds/debian/patches/series 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/debian/patches/series 2023-10-09 10:43:41.000000000 +0200
@@ -23,3 +23,4 @@
CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch
+CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
diff -Nru ceph-16.2.11+ds/src/test/debian-jessie/debian/changelog ceph-16.2.11+ds/src/test/debian-jessie/debian/changelog
--- ceph-16.2.11+ds/src/test/debian-jessie/debian/changelog 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/src/test/debian-jessie/debian/changelog 2023-10-09 10:43:41.000000000 +0200
@@ -1,3 +1,11 @@
+ceph (16.2.11+ds-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2023-43040: security issue with RGW with improperly verified POST keys.
+ Applied upstream fix: rgw: Fix bucket validation against POST policies
+ (Closes: #1053690).
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 09 Oct 2023 10:43:41 +0200
+
ceph (16.2.11+ds-2) unstable; urgency=medium
* Add missing python3-distutils runtime depends in ceph-common.
diff -Nru ceph-16.2.11+ds/src/test/debian-jessie/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch ceph-16.2.11+ds/src/test/debian-jessie/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
--- ceph-16.2.11+ds/src/test/debian-jessie/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-16.2.11+ds/src/test/debian-jessie/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 2023-10-09 10:43:41.000000000 +0200
@@ -0,0 +1,44 @@
+Author: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Wed, 17 May 2023 12:17:09 -0600
+Description: CVE-2023-43040 rgw: Fix bucket validation against POST policies
+ It's possible that user could provide a form part as a part of a POST
+ object upload that uses 'bucket' as a key; in this case, it was
+ overriding what was being set in the validation env (which is the real
+ bucket being modified). The result of this is that a user could actually
+ upload to any bucket accessible by the specified access key by matching
+ the bucket in the POST policy in said POST form part.
+ .
+ Fix this simply by setting the bucket to the correct value after the
+ POST form parts are processed, ignoring the form part above if
+ specified.
+Bug: https://tracker.ceph.com/issues/63004
+Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
+Origin: https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8.patch
+Last-Date: 2024-10-09
+
+Index: ceph/src/rgw/rgw_rest_s3.cc
+===================================================================
+--- ceph.orig/src/rgw/rgw_rest_s3.cc
++++ ceph/src/rgw/rgw_rest_s3.cc
+@@ -2661,10 +2661,6 @@ int RGWPostObj_ObjStore_S3::get_params(o
+
+ map_qs_metadata(s);
+
+- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
+- << dendl;
+- env.add_var("bucket", s->bucket->get_name());
+-
+ bool done;
+ do {
+ struct post_form_part part;
+@@ -2715,6 +2711,10 @@ int RGWPostObj_ObjStore_S3::get_params(o
+ env.add_var(part.name, part_str);
+ } while (!done);
+
++ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
++ << dendl;
++ env.add_var("bucket", s->bucket->get_name());
++
+ string object_str;
+ if (!part_str(parts, "key", &object_str)) {
+ err_msg = "Key not specified";
diff -Nru ceph-16.2.11+ds/src/test/debian-jessie/debian/patches/series ceph-16.2.11+ds/src/test/debian-jessie/debian/patches/series
--- ceph-16.2.11+ds/src/test/debian-jessie/debian/patches/series 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/src/test/debian-jessie/debian/patches/series 2023-10-09 10:43:41.000000000 +0200
@@ -23,3 +23,4 @@
CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch
+CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
diff -Nru ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/changelog ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/changelog
--- ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/changelog 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/changelog 2023-10-09 10:43:41.000000000 +0200
@@ -1,3 +1,11 @@
+ceph (16.2.11+ds-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2023-43040: security issue with RGW with improperly verified POST keys.
+ Applied upstream fix: rgw: Fix bucket validation against POST policies
+ (Closes: #1053690).
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 09 Oct 2023 10:43:41 +0200
+
ceph (16.2.11+ds-2) unstable; urgency=medium
* Add missing python3-distutils runtime depends in ceph-common.
diff -Nru ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
--- ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 2023-10-09 10:43:41.000000000 +0200
@@ -0,0 +1,44 @@
+Author: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Wed, 17 May 2023 12:17:09 -0600
+Description: CVE-2023-43040 rgw: Fix bucket validation against POST policies
+ It's possible that user could provide a form part as a part of a POST
+ object upload that uses 'bucket' as a key; in this case, it was
+ overriding what was being set in the validation env (which is the real
+ bucket being modified). The result of this is that a user could actually
+ upload to any bucket accessible by the specified access key by matching
+ the bucket in the POST policy in said POST form part.
+ .
+ Fix this simply by setting the bucket to the correct value after the
+ POST form parts are processed, ignoring the form part above if
+ specified.
+Bug: https://tracker.ceph.com/issues/63004
+Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
+Origin: https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8.patch
+Last-Date: 2024-10-09
+
+Index: ceph/src/rgw/rgw_rest_s3.cc
+===================================================================
+--- ceph.orig/src/rgw/rgw_rest_s3.cc
++++ ceph/src/rgw/rgw_rest_s3.cc
+@@ -2661,10 +2661,6 @@ int RGWPostObj_ObjStore_S3::get_params(o
+
+ map_qs_metadata(s);
+
+- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
+- << dendl;
+- env.add_var("bucket", s->bucket->get_name());
+-
+ bool done;
+ do {
+ struct post_form_part part;
+@@ -2715,6 +2711,10 @@ int RGWPostObj_ObjStore_S3::get_params(o
+ env.add_var(part.name, part_str);
+ } while (!done);
+
++ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
++ << dendl;
++ env.add_var("bucket", s->bucket->get_name());
++
+ string object_str;
+ if (!part_str(parts, "key", &object_str)) {
+ err_msg = "Key not specified";
diff -Nru ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/patches/series ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/patches/series
--- ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/patches/series 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/src/test/ubuntu-16.04/debian/patches/series 2023-10-09 10:43:41.000000000 +0200
@@ -23,3 +23,4 @@
CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch
+CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
diff -Nru ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/changelog ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/changelog
--- ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/changelog 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/changelog 2023-10-09 10:43:41.000000000 +0200
@@ -1,3 +1,11 @@
+ceph (16.2.11+ds-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2023-43040: security issue with RGW with improperly verified POST keys.
+ Applied upstream fix: rgw: Fix bucket validation against POST policies
+ (Closes: #1053690).
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 09 Oct 2023 10:43:41 +0200
+
ceph (16.2.11+ds-2) unstable; urgency=medium
* Add missing python3-distutils runtime depends in ceph-common.
diff -Nru ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
--- ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 2023-10-09 10:43:41.000000000 +0200
@@ -0,0 +1,44 @@
+Author: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Wed, 17 May 2023 12:17:09 -0600
+Description: CVE-2023-43040 rgw: Fix bucket validation against POST policies
+ It's possible that user could provide a form part as a part of a POST
+ object upload that uses 'bucket' as a key; in this case, it was
+ overriding what was being set in the validation env (which is the real
+ bucket being modified). The result of this is that a user could actually
+ upload to any bucket accessible by the specified access key by matching
+ the bucket in the POST policy in said POST form part.
+ .
+ Fix this simply by setting the bucket to the correct value after the
+ POST form parts are processed, ignoring the form part above if
+ specified.
+Bug: https://tracker.ceph.com/issues/63004
+Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
+Origin: https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8.patch
+Last-Date: 2024-10-09
+
+Index: ceph/src/rgw/rgw_rest_s3.cc
+===================================================================
+--- ceph.orig/src/rgw/rgw_rest_s3.cc
++++ ceph/src/rgw/rgw_rest_s3.cc
+@@ -2661,10 +2661,6 @@ int RGWPostObj_ObjStore_S3::get_params(o
+
+ map_qs_metadata(s);
+
+- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
+- << dendl;
+- env.add_var("bucket", s->bucket->get_name());
+-
+ bool done;
+ do {
+ struct post_form_part part;
+@@ -2715,6 +2711,10 @@ int RGWPostObj_ObjStore_S3::get_params(o
+ env.add_var(part.name, part_str);
+ } while (!done);
+
++ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
++ << dendl;
++ env.add_var("bucket", s->bucket->get_name());
++
+ string object_str;
+ if (!part_str(parts, "key", &object_str)) {
+ err_msg = "Key not specified";
diff -Nru ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/patches/series ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/patches/series
--- ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/patches/series 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/src/test/ubuntu-18.04/debian/patches/series 2023-10-09 10:43:41.000000000 +0200
@@ -23,3 +23,4 @@
CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch
+CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
diff -Nru ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/changelog ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/changelog
--- ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/changelog 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/changelog 2023-10-09 10:43:41.000000000 +0200
@@ -1,3 +1,11 @@
+ceph (16.2.11+ds-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2023-43040: security issue with RGW with improperly verified POST keys.
+ Applied upstream fix: rgw: Fix bucket validation against POST policies
+ (Closes: #1053690).
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 09 Oct 2023 10:43:41 +0200
+
ceph (16.2.11+ds-2) unstable; urgency=medium
* Add missing python3-distutils runtime depends in ceph-common.
diff -Nru ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
--- ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/patches/CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch 2023-10-09 10:43:41.000000000 +0200
@@ -0,0 +1,44 @@
+Author: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Wed, 17 May 2023 12:17:09 -0600
+Description: CVE-2023-43040 rgw: Fix bucket validation against POST policies
+ It's possible that user could provide a form part as a part of a POST
+ object upload that uses 'bucket' as a key; in this case, it was
+ overriding what was being set in the validation env (which is the real
+ bucket being modified). The result of this is that a user could actually
+ upload to any bucket accessible by the specified access key by matching
+ the bucket in the POST policy in said POST form part.
+ .
+ Fix this simply by setting the bucket to the correct value after the
+ POST form parts are processed, ignoring the form part above if
+ specified.
+Bug: https://tracker.ceph.com/issues/63004
+Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
+Origin: https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8.patch
+Last-Date: 2024-10-09
+
+Index: ceph/src/rgw/rgw_rest_s3.cc
+===================================================================
+--- ceph.orig/src/rgw/rgw_rest_s3.cc
++++ ceph/src/rgw/rgw_rest_s3.cc
+@@ -2661,10 +2661,6 @@ int RGWPostObj_ObjStore_S3::get_params(o
+
+ map_qs_metadata(s);
+
+- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
+- << dendl;
+- env.add_var("bucket", s->bucket->get_name());
+-
+ bool done;
+ do {
+ struct post_form_part part;
+@@ -2715,6 +2711,10 @@ int RGWPostObj_ObjStore_S3::get_params(o
+ env.add_var(part.name, part_str);
+ } while (!done);
+
++ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
++ << dendl;
++ env.add_var("bucket", s->bucket->get_name());
++
+ string object_str;
+ if (!part_str(parts, "key", &object_str)) {
+ err_msg = "Key not specified";
diff -Nru ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/patches/series ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/patches/series
--- ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/patches/series 2023-02-16 11:54:41.000000000 +0100
+++ ceph-16.2.11+ds/src/test/ubuntu-20.04/debian/patches/series 2023-10-09 10:43:41.000000000 +0200
@@ -23,3 +23,4 @@
CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch
+CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
Reply to: