diff --git a/recipes-extended/ceph/ceph/CVE-2023-43040.patch b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
new file mode 100644
index 00000000..18fca583
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
@@ -0,0 +1,56 @@
+From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
+From: Joshua Baergen
+Date: Wed, 17 May 2023 12:17:09 -0600
+Subject: [PATCH] rgw: Fix bucket validation against POST policies
+
+It's possible that user could provide a form part as a part of a POST
+object upload that uses 'bucket' as a key; in this case, it was
+overriding what was being set in the validation env (which is the real
+bucket being modified). The result of this is that a user could actually
+upload to any bucket accessible by the specified access key by matching
+the bucket in the POST policy in said POST form part.
+
+Fix this simply by setting the bucket to the correct value after the
+POST form parts are processed, ignoring the form part above if
+specified.
+
+Fixes: https://tracker.ceph.com/issues/63004
+
+Signed-off-by: Joshua Baergen
+
+CVE: CVE-2023-43040
+Upstream-Status: Backport [https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8]
+
+Signed-off-by: Yogita Urade
+---
+ src/rgw/rgw_rest_s3.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+index cb026714..40b4ff92 100644
+--- a/src/rgw/rgw_rest_s3.cc
++++ b/src/rgw/rgw_rest_s3.cc
+@@ -2735,10 +2735,6 @@ int RGWPostObj_ObjStore_S3::get_params()
+
+ map_qs_metadata(s);
+
+- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
+- << dendl;
+- env.add_var("bucket", s->bucket.name);
+-
+ bool done;
+ do {
+ struct post_form_part part;
+@@ -2789,6 +2785,10 @@ int RGWPostObj_ObjStore_S3::get_params()
+ env.add_var(part.name, part_str);
+ } while (!done);
+
++ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
++ << dendl;
++ env.add_var("bucket", s->bucket.name);
++
+ string object_str;
+ if (!part_str(parts, "key", &object_str)) {
+ err_msg = "Key not specified";
+--
+2.40.0
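Review bot: The re-added `env.add_var("bucket", s->bucket.name);` in the second inner hunk (after `} while (!done);`) is correct only because of where it sits, and nothing in the code records that; going by the commit message, a later `add_var` for the same key replaces the earlier value, so moving this call back above the loop would silently reintroduce the policy bypass. I would put a comment directly above it, for example `// Keep after the form-part loop: a client-supplied "bucket" part must never override the real bucket checked against the POST policy.` A client-sent `bucket` part is now discarded without any trace; logging when one is present and differs from `s->bucket.name` would give operators a signal for attempted misuse, though the loop body where that comparison would live is outside the hunk. `get_params()` begins and ends outside both inner hunks, so whether any other server-derived variable is added to `env` before the loop, and is therefore still overridable, cannot be confirmed from here.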
diff --git a/recipes-extended/ceph/ceph_15.2.17.bb b/recipes-extended/ceph/ceph_15.2.17.bb index 9fb2e722..4f32db0e 100644 --- a/recipes-extended/ceph/ceph_15.2.17.bb +++ b/recipes-extended/ceph/ceph_15.2.17.bb @@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \ file://ceph.conf \ file://0001-cmake-add-support-for-python3.10.patch \ file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \ + file://CVE-2023-43040.patch \ " SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"