ceph: fix CVE-2023-43040 (#9146)

hbeberman · web-flow · commit 02ffe5c851a0 · 2024-05-20T09:02:40.000-07:00
diff --git a/SPECS/ceph/CVE-2023-43040.patch b/SPECS/ceph/CVE-2023-43040.patch
@@ -0,0 +1,45 @@
+From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
+From: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Wed, 17 May 2023 12:17:09 -0600
+Subject: [PATCH] rgw: Fix bucket validation against POST policies
+
+It's possible that user could provide a form part as a part of a POST
+object upload that uses 'bucket' as a key; in this case, it was
+overriding what was being set in the validation env (which is the real
+bucket being modified). The result of this is that a user could actually
+upload to any bucket accessible by the specified access key by matching
+the bucket in the POST policy in said POST form part.
+
+Fix this simply by setting the bucket to the correct value after the
+POST form parts are processed, ignoring the form part above if
+specified.
+
+Fixes: https://tracker.ceph.com/issues/63004
+
+Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
+Signed-off-by: Henry Beberman <henry.beberman@microsoft.com>
+diff -Naur a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+--- a/src/rgw/rgw_rest_s3.cc	2022-07-21 17:28:56.000000000 +0000
++++ b/src/rgw/rgw_rest_s3.cc	2024-05-17 19:45:54.373135874 +0000
+@@ -2661,10 +2661,6 @@
+ 
+   map_qs_metadata(s);
+ 
+-  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
+-		    << dendl;
+-  env.add_var("bucket", s->bucket->get_name());
+-
+   bool done;
+   do {
+     struct post_form_part part;
+@@ -2715,6 +2711,10 @@
+     env.add_var(part.name, part_str);
+   } while (!done);
+ 
++  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
++		    << dendl;
++  env.add_var("bucket", s->bucket->get_name());
++
+   string object_str;
+   if (!part_str(parts, "key", &object_str)) {
+     err_msg = "Key not specified";
diff --git a/SPECS/ceph/ceph.spec b/SPECS/ceph/ceph.spec
@@ -5,7 +5,7 @@
 Summary:        User space components of the Ceph file system
 Name:           ceph
 Version:        16.2.10
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0
 URL:            https://ceph.io/
 Vendor:         Microsoft Corporation
@@ -15,6 +15,7 @@ Patch0:         CVE-2021-24032.patch
 Patch1:         CVE-2021-28361.patch
 Patch2:         CVE-2022-3650.patch
 Patch3:         CVE-2022-3854.patch
+Patch4:         CVE-2023-43040.patch
 
 #
 # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file
@@ -1809,6 +1810,9 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 
 %changelog
+* Fri May 17 2024 Henry Beberman <henry.beberman@microsoft.com> - 16.2.10-4
+- Patch CVE-2023-43040
+
 * Fri May 10 2024 Henry Beberman <henry.beberman@microsoft.com> - 16.2.10-3
 - Patch CVE-2021-24032, CVE-2021-28361, CVE-2022-3650, CVE-2022-3854
 - Explicitly disable seastar to ensure disputed uncompiled CVEs dont get enabled.
