ceph: fix CVE-2023-43040

IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-43040 Upstream patch: 98bfb71cb3 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2025-07-05 05:15:25 +02:00 · 2025-04-04 10:04:09 +00:00 · 2025-04-04 10:04:09 +00:00 · 55ed2134a4
commit 55ed2134a4
parent 426530794b
2 changed files with 57 additions and 0 deletions
--- a/recipes-extended/ceph/ceph/CVE-2023-43040.patch
+++ b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
@ -0,0 +1,56 @@
+From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
+From: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Wed, 17 May 2023 12:17:09 -0600
+Subject: [PATCH] rgw: Fix bucket validation against POST policies
+
+It's possible that user could provide a form part as a part of a POST
+object upload that uses 'bucket' as a key; in this case, it was
+overriding what was being set in the validation env (which is the real
+bucket being modified). The result of this is that a user could actually
+upload to any bucket accessible by the specified access key by matching
+the bucket in the POST policy in said POST form part.
+
+Fix this simply by setting the bucket to the correct value after the
+POST form parts are processed, ignoring the form part above if
+specified.
+
+Fixes: https://tracker.ceph.com/issues/63004
+
+Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
+
+CVE: CVE-2023-43040
+Upstream-Status: Backport [https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/rgw/rgw_rest_s3.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+index cb026714..40b4ff92 100644
+--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
+@@ -2735,10 +2735,6 @@ int RGWPostObj_ObjStore_S3::get_params()
+
+   map_qs_metadata(s);
+
+-  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
+-		    << dendl;
+-  env.add_var("bucket", s->bucket.name);
+-
+   bool done;
+   do {
+     struct post_form_part part;
+@@ -2789,6 +2785,10 @@ int RGWPostObj_ObjStore_S3::get_params()
+     env.add_var(part.name, part_str);
+   } while (!done);
+
+  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
+                    << dendl;
+  env.add_var("bucket", s->bucket.name);
+
+   string object_str;
+   if (!part_str(parts, "key", &object_str)) {
+     err_msg = "Key not specified";
+--
+2.40.0
--- a/recipes-extended/ceph/ceph_15.2.17.bb
+++ b/recipes-extended/ceph/ceph_15.2.17.bb
@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
           file://ceph.conf \
           file://0001-cmake-add-support-for-python3.10.patch \
           file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+           file://CVE-2023-43040.patch \
 "

 SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"