Bug#849538: jessie-pu: package ceph/0.80.7-2+deb8u2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
I would like to update ceph with the next stable point release to fix
the 4 security issues listed below. These are all minor issues which did
not warrant a DSA on their own, but are still worth fixing.
https://security-tracker.debian.org/tracker/CVE-2016-9579
https://security-tracker.debian.org/tracker/CVE-2016-5009
https://security-tracker.debian.org/tracker/CVE-2016-7031
https://security-tracker.debian.org/tracker/CVE-2016-8626
The complete debdiff is attached below. I have already built the
package, but not yet uploaded. As soon as I get your OK I'll upload the
package.
Gaudenz
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ceph-0.80.7/debian/changelog ceph-0.80.7/debian/changelog
--- ceph-0.80.7/debian/changelog 2016-01-15 10:42:14.000000000 +0100
+++ ceph-0.80.7/debian/changelog 2016-12-28 10:47:36.000000000 +0100
@@ -1,3 +1,14 @@
+ceph (0.80.7-2+deb8u2) jessie; urgency=medium
+
+ * [78329e] Upstream fix for CVE-2016-9579 (short CORS request)
+ (Closes: #849048)
+ * [514d48] Upstream fix for CVE-2016-5009 (mon DoS) (Closes: #829661)
+ * [7ae81b] Upstream fix for CVE-2016-7031 (anonymous read on ACL)
+ (Closes: #838026)
+ * [86ac46] Upstream fix for CVE-2016-8626 (RGW DoS) (Closes: #844200)
+
+ -- Gaudenz Steinlin <gaudenz@debian.org> Wed, 28 Dec 2016 10:47:36 +0100
+
ceph (0.80.7-2+deb8u1) jessie; urgency=medium
* [61b5e0] Patch to fix CVE-2015-5245 applied from upstream (Closes: #798567)
diff -Nru ceph-0.80.7/debian/gbp.conf ceph-0.80.7/debian/gbp.conf
--- ceph-0.80.7/debian/gbp.conf 2016-01-15 10:41:01.000000000 +0100
+++ ceph-0.80.7/debian/gbp.conf 2016-12-27 21:47:49.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = jessie-security
+debian-branch = jessie
pristine-tar = True
[import-orig]
diff -Nru ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch
--- ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch 2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,99 @@
+commit b78a1be835706e7dabc505be343945d0ac05697d
+Author: Kefu Chai <kchai@redhat.com>
+Date: Thu Jun 30 13:24:22 2016 +0800
+
+ mon: Monitor: validate prefix on handle_command()
+
+ Fixes: http://tracker.ceph.com/issues/16297
+
+ Signed-off-by: You Ji <youji@ebay.com>
+ (cherry picked from commit 7cb3434fed03a5497abfd00bcec7276b70df0654)
+
+ Conflicts:
+ src/mon/Monitor.cc (the signature of Monitor::reply_command()
+ changed a little bit in master, so adapt the
+ commit to work with the old method)
+
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -2214,7 +2214,19 @@
+ return;
+ }
+
+- cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++ // check return value. If no prefix parameter provided,
++ // return value will be false, then return error info.
++ if(!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
++ reply_command(m, -EINVAL, "command prefix not found", 0);
++ return;
++ }
++
++ // check prefix is empty
++ if (prefix.empty()) {
++ reply_command(m, -EINVAL, "command prefix must not be empty", 0);
++ return;
++ }
++
+ if (prefix == "get_command_descriptions") {
+ bufferlist rdata;
+ Formatter *f = new_formatter("json");
+@@ -2235,6 +2247,15 @@
+ boost::scoped_ptr<Formatter> f(new_formatter(format));
+
+ get_str_vec(prefix, fullcmd);
++
++ // make sure fullcmd is not empty.
++ // invalid prefix will cause empty vector fullcmd.
++ // such as, prefix=";,,;"
++ if (fullcmd.empty()) {
++ reply_command(m, -EINVAL, "command requires a prefix to be valid", 0);
++ return;
++ }
++
+ module = fullcmd[0];
+
+ // validate command is in leader map
+--- a/src/test/librados/cmd.cc
++++ b/src/test/librados/cmd.cc
+@@ -49,6 +49,41 @@
+ rados_buffer_free(buf);
+ rados_buffer_free(st);
+
++ cmd[0] = (char *)"";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "{}", 2, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"abc\":\"something\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\"\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\" \"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\";;;,,,;;,,\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\"extra command\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
+ cmd[0] = (char *)"{\"prefix\":\"mon_status\"}";
+ ASSERT_EQ(0, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
+ ASSERT_LT(0u, buflen);
diff -Nru ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch
--- ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-7031_rgw_anonymous_read.patch 2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,44 @@
+commit 99ba6610a8f437604cadf68cbe9969def893e870
+Author: root <rahul.1aggarwal@gmail.com>
+Date: Thu Sep 24 00:21:13 2015 +0530
+
+ 13207: Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL
+
+ Signed-off-by: root <rahul.1aggarwal@gmail.com>
+
+--- a/src/rgw/rgw_acl_s3.cc
++++ b/src/rgw/rgw_acl_s3.cc
+@@ -537,7 +537,7 @@
+ {
+ switch (group) {
+ case ACL_GROUP_ALL_USERS:
+- return (id.compare(rgw_uri_all_users) == 0);
++ return (id.compare(RGW_USER_ANON_ID) == 0);
+ case ACL_GROUP_AUTHENTICATED_USERS:
+ return (id.compare(rgw_uri_auth_users) == 0);
+ default:
+--- a/src/rgw/rgw_op.cc
++++ b/src/rgw/rgw_op.cc
+@@ -15,6 +15,7 @@
+ #include "rgw_rest.h"
+ #include "rgw_acl.h"
+ #include "rgw_acl_s3.h"
++#include "rgw_acl_swift.h"
+ #include "rgw_user.h"
+ #include "rgw_bucket.h"
+ #include "rgw_log.h"
+@@ -322,7 +323,13 @@
+
+ s->bucket_instance_id = s->info.args.get(RGW_SYS_PARAM_PREFIX "bucket-instance");
+
+- s->bucket_acl = new RGWAccessControlPolicy(s->cct);
++ if(s->dialect.compare("s3") == 0) {
++ s->bucket_acl = new RGWAccessControlPolicy_S3(s->cct);
++ } else if(s->dialect.compare("swift") == 0) {
++ s->bucket_acl = new RGWAccessControlPolicy_SWIFT(s->cct);
++ } else {
++ s->bucket_acl = new RGWAccessControlPolicy(s->cct);
++ }
+
+ if (s->copy_source) { /* check if copy source is within the current domain */
+ const char *src = s->copy_source;
diff -Nru ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch
--- ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-8626_rgw_dos.patch 2016-12-28 10:47:27.000000000 +0100
@@ -0,0 +1,30 @@
+commit 23cb642243e09ca4a8e104f62a3bb7b2cbb6ea12
+Author: Yehuda Sadeh <yehuda@redhat.com>
+Date: Thu Oct 20 10:17:36 2016 -0700
+
+ rgw: handle empty POST condition
+
+ Fixes: http://tracker.ceph.com/issues/17635
+
+ Before accessing json entity, need to check that iterator is valid.
+ If there is no entry return appropriate error code.
+
+ Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
+
+--- a/src/rgw/rgw_policy_s3.cc
++++ b/src/rgw/rgw_policy_s3.cc
+@@ -284,11 +284,13 @@
+ int r = add_condition(v[0], v[1], v[2], err_msg);
+ if (r < 0)
+ return r;
+- } else {
++ } else if (!citer.end()) {
+ JSONObj *c = *citer;
+ dout(0) << "adding simple_check: " << c->get_name() << " : " << c->get_data() << dendl;
+
+ add_simple_check(c->get_name(), c->get_data());
++ } else {
++ return -EINVAL;
+ }
+ }
+ return 0;
diff -Nru ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch
--- ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch 1970-01-01 01:00:00.000000000 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-9579_short_cors_request.patch 2016-12-27 21:50:34.000000000 +0100
@@ -0,0 +1,51 @@
+commit 67d4d9e64bc224e047cf333e673bb22cd6290789
+Author: LiuYang <yippeetry@gmail.com>
+Date: Thu Dec 8 14:21:43 2016 +0800
+
+ rgw: do not abort when accept a CORS request with short origin
+
+ Fixed: #18187
+
+ when accept a CROS request, the request http origin shorter than the bucket's corsrule
+ (eg. origin: http://s.com corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).
+ the rgw_cors.cc::is_string_in_set() will have a wrong index, the radosrgw server will
+ abort.
+
+ $ curl http://test.localhost:8000/app.data -H "Origin:http://s.com";
+
+ 0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 *** Caught signal (Aborted) **
+ in thread 7f6add05d700 thread_name:civetweb-worker
+
+ ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
+ 1: (()+0x50720a) [0x7f6b147c420a]
+ 2: (()+0xf370) [0x7f6b09a33370]
+ 3: (gsignal()+0x37) [0x7f6b081ca1d7]
+ 4: (abort()+0x148) [0x7f6b081cb8c8]
+ 5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
+ 6: (()+0x5e946) [0x7f6b08acc946]
+ 7: (()+0x5e973) [0x7f6b08acc973]
+ 8: (()+0x5eb93) [0x7f6b08accb93]
+ 9: (std::__throw_out_of_range(char const*)+0x77) 0x7f6b08b21a17]
+ 10: (()+0xbd97a) [0x7f6b08b2b97a]
+ 11: (()+0x449c1e) [0x7f6b14706c1e]
+ 12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
+ 13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
+ 14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
+ 15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]
+
+ Signed-off-by: LiuYang <yippeetry@gmail.com>
+
+diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
+index 1ad5b43136..f2c7f3ac64 100644
+--- a/src/rgw/rgw_cors.cc
++++ b/src/rgw/rgw_cors.cc
+@@ -104,7 +104,8 @@ static bool is_string_in_set(set<string>& s, string h) {
+ string sl = ssplit.front();
+ dout(10) << "Finding " << sl << ", in " << h
+ << ", at offset not less than " << flen << dendl;
+- if (h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
++ if (h.size() < sl.size() ||
++ h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
+ continue;
+ ssplit.pop_front();
+ }
diff -Nru ceph-0.80.7/debian/patches/series ceph-0.80.7/debian/patches/series
--- ceph-0.80.7/debian/patches/series 2016-01-15 10:41:01.000000000 +0100
+++ ceph-0.80.7/debian/patches/series 2016-12-28 10:47:27.000000000 +0100
@@ -16,6 +16,12 @@
rbdmap2-hooks.patch
CVE-2015-5245.patch
+## Security
+cve-2016-5009_mon_dos.patch
+cve-2016-7031_rgw_anonymous_read.patch
+cve-2016-8626_rgw_dos.patch
+cve-2016-9579_short_cors_request.patch
+
## Debian
rbdmap3-lazyumount.patch
arch.patch
Reply to: