Bug#1109654: marked as done (unblock: ceph/18.2.7+ds-1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 25 Jul 2025 21:02:04 +0000
with message-id <E1ufPYK-00FCXV-2I@respighi.debian.org>
and subject line unblock ceph
has caused the Debian Bug report #1109654,
regarding unblock: ceph/18.2.7+ds-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109654
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: unblock: ceph/18.2.7-3 (pre-approval)
• From: Daniel Baumann <daniel@debian.org>
• Date: Mon, 21 Jul 2025 10:22:14 +0200
• Message-id: <[🔎] 264315f5-df19-413d-878a-2c79c49c3f9f@debian.org>
• Reply-to: daniel@debian.org

Package: release.debian.org
Control: affects -1 + src:ceph
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: daniel@debian.org

Hi,

this is a pre-approval request to allow uploading and unblocking ceph/18.2.7-3.

It fixes a regression from CVE-2025-52555 where unprivileged users can set setuid or setguid on files:

  * https://bugs.debian.org/1109470

  * https://github.com/ceph/ceph/pull/64356

* https://github.com/ceph/ceph/commit/7028ed21138522495df1e9f8b01195a3c43d47ff.patch

I've prepared an updated package for ceph:

  * https://salsa.debian.org/ceph-team/ceph/-/commits/debian/unstable

I've previously applied the fix on our ceph cluster at work, no issues.

As ceph is a key package, I'm awaiting your feedback to upload it to unstable, diff is attached.

Regards,
Daniel

diff --git a/debian/changelog b/debian/changelog
index 2ac580bfa7..44da762156 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ceph (18.2.7-3) unstable; urgency=high
+
+  * Adding patch from upstream to fix regression with CVE-2025-52555:
+    - unprivileged users can set S_ISUID and/or S_ISGID bits when changed
+      seperatly from each other (Closes: #1109470).
+
+ -- Daniel Baumann <daniel@debian.org>  Mon, 21 Jul 2025 10:06:16 +0200
+
 ceph (18.2.7-2) unstable; urgency=medium
 
   * Add 0010-ceph-volume-fix-importlib.metadata-compat.patch
diff --git a/debian/patches/0031-CVE-2025-52555-regression.patch b/debian/patches/0031-CVE-2025-52555-regression.patch
new file mode 100644
index 0000000000..d5aebce07d
--- /dev/null
+++ b/debian/patches/0031-CVE-2025-52555-regression.patch
@@ -0,0 +1,101 @@
+Author: Kefu Chai <tchaikov@gmail.com>
+Description: [PATCH] client: prohibit unprivileged users from setting sgid/suid bits
+ Prior to fb1b72d, unprivileged users could add mode bits as long as
+ S_ISUID and S_ISGID were not included in the change.
+ .
+ After fb1b72d, unprivileged users were allowed to modify S_ISUID and
+ S_ISGID bits only when no other mode bits were changed in the same
+ operation. This inadvertently permitted unprivileged users to set
+ S_ISUID and/or S_ISGID bits when they were the sole bits being modified.
+ .
+ This behavior should not be allowed. Unprivileged users should be
+ prohibited from setting S_ISUID and/or S_ISGID bits under any
+ circumstances.
+ .
+ This change tightens the permission check to prevent unprivileged
+ users from setting these privileged bits in all cases.
+
+diff -Naurp ceph.orig/src/client/Client.cc ceph/src/client/Client.cc
+--- ceph.orig/src/client/Client.cc
++++ ceph/src/client/Client.cc
+@@ -6031,22 +6031,23 @@ int Client::may_setattr(Inode *in, struc
+   }
+ 
+   if (mask & CEPH_SETATTR_MODE) {
+-    bool allowed = false;
+     /*
+      * Currently the kernel fuse and libfuse code is buggy and
+      * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
+      * But will just set the ATTR_MODE and at the same time by
+      * clearing the suid/sgid bits.
+      *
+-     * Only allow unprivileged users to clear S_ISUID and S_ISUID.
++     * Only allow unprivileged users to clear S_ISUID and S_ISGID.
+      */
+-    if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) &&
+-        (in->mode & ~(S_ISUID | S_ISGID)) == (stx->stx_mode & ~(S_ISUID | S_ISGID))) {
+-      allowed = true;
+-    }
+-    uint32_t m = ~stx->stx_mode & in->mode; // mode bits removed
+-    ldout(cct, 20) << __func__ << " " << *in << " = " << hex << m << dec <<  dendl;
+-    if (perms.uid() != 0 && perms.uid() != in->uid && !allowed)
++    uint32_t removed_bits = ~stx->stx_mode & in->mode;
++    uint32_t added_bits = ~in->mode & stx->stx_mode;
++    bool clearing_suid_sgid = (
++      // no new bits added
++      added_bits == 0 &&
++      // only suid/suid bits removed
++      (removed_bits & ~(S_ISUID | S_ISGID)) == 0);
++    ldout(cct, 20) << __func__ << " " << *in << " = " << hex << removed_bits << dec <<  dendl;
++    if (perms.uid() != 0 && perms.uid() != in->uid && !clearing_suid_sgid)
+       goto out;
+ 
+     gid_t i_gid = (mask & CEPH_SETATTR_GID) ? stx->stx_gid : in->gid;
+diff -Naurp ceph.orig/src/test/libcephfs/suidsgid.cc ceph/src/test/libcephfs/suidsgid.cc
+--- ceph.orig/src/test/libcephfs/suidsgid.cc
++++ ceph/src/test/libcephfs/suidsgid.cc
+@@ -19,6 +19,7 @@
+ #include "include/stringify.h"
+ #include "include/cephfs/libcephfs.h"
+ #include "include/rados/librados.h"
++#include <cerrno>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+@@ -142,6 +143,17 @@ void run_change_mode_test_case()
+   ASSERT_EQ(ceph_chmod(cmount, c_dir, 0777), -CEPHFS_EPERM);
+ }
+ 
++static void run_set_sgid_suid_test_case(int old_suid_sgid,
++					int new_suid_sgid,
++					int expected_result)
++{
++  char c_dir[1024];
++  sprintf(c_dir, "/mode_test_%d", getpid());
++  const int mode = 0766;
++  ASSERT_EQ(ceph_mkdirs(admin, c_dir, mode | old_suid_sgid), 0);
++  ASSERT_EQ(ceph_chmod(cmount, c_dir, mode | new_suid_sgid), expected_result);
++}
++
+ TEST(SuidsgidTest, WriteClearSetuid) {
+   ASSERT_EQ(0, ceph_create(&admin, NULL));
+   ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
+@@ -214,8 +226,18 @@ TEST(SuidsgidTest, WriteClearSetuid) {
+   // 14, Truncate by unprivileged user clears the suid and sgid
+   run_truncate_test_case(06766, 0, 100);
+ 
++  // 15, Prohibit unpriviledged user from changing non-sgid/suid
++  //     mode bits
+   run_change_mode_test_case();
+ 
++  // 16, Prohibit unpriviledged user from setting suid/sgid
++  run_set_sgid_suid_test_case(0, S_ISUID, -EPERM);
++  run_set_sgid_suid_test_case(0, S_ISGID, -EPERM);
++  run_set_sgid_suid_test_case(0, S_ISUID | S_ISGID, -EPERM);
++  run_set_sgid_suid_test_case(S_ISGID, S_ISUID, -EPERM);
++  run_set_sgid_suid_test_case(S_ISUID, S_ISGID, -EPERM);
++  run_set_sgid_suid_test_case(S_ISGID, S_ISUID | S_ISGID, -EPERM);
++
+   // clean up
+   ceph_shutdown(cmount);
+   ceph_shutdown(admin);
diff --git a/debian/patches/series b/debian/patches/series
index 8d2ed4e4b6..c934e1ce38 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,6 +29,7 @@
 0028-cephadm-do-not-write-logrotate.patch
 0029-fix-ftbfs-loongson64.patch
 0030-fix-ftbfs-with-fmt10.patch
+0031-CVE-2025-52555-regression.patch
 py313-compat/0001-mgr-stop-using-deprecated-API-to-initialize-Python.patch
 py313-compat/0002-mgr-set-argv-for-python-in-PyModuleRegistry.patch
 py313-compat/0003-mgr-add-site-package-paths-in-PyModuleRegistry.patch

--- End Message ---

--- Begin Message ---

• To: 1109654-done@bugs.debian.org
• Subject: unblock ceph
• From: Sebastian Ramacher <sramacher@respighi.debian.org>
• Date: Fri, 25 Jul 2025 21:02:04 +0000
• Message-id: <E1ufPYK-00FCXV-2I@respighi.debian.org>

Unblocked.

--- End Message ---