MIRRORS/meta-virtualization
1
0
Fork 0
mirror of git://git.yoctoproject.org/meta-virtualization.git synced 2025-07-19 12:50:22 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

ceph: fix CVE-2023-43040

Browse Source 
IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an
attacker to perform unauthorized actions in RGW for Ceph due
to improper bucket access. IBM X-Force ID: 266807.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-43040

Upstream patch:
98bfb71cb3

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
This commit is contained in:
Yogita Urade 2025-04-04 10:04:09 +00:00 committed by Bruce Ashfield
parent 426530794b
commit 55ed2134a4
2 changed files with 57 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
recipes-extended/ceph/ceph/CVE-2023-43040.patch Normal file
View File

@ -0,0 +1,56 @@
From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
From: Joshua Baergen <jbaergen@digitalocean.com>
Date: Wed, 17 May 2023 12:17:09 -0600
Subject: [PATCH] rgw: Fix bucket validation against POST policies
It's possible that user could provide a form part as a part of a POST
object upload that uses 'bucket' as a key; in this case, it was
overriding what was being set in the validation env (which is the real
bucket being modified). The result of this is that a user could actually
upload to any bucket accessible by the specified access key by matching
the bucket in the POST policy in said POST form part.
Fix this simply by setting the bucket to the correct value after the
POST form parts are processed, ignoring the form part above if
specified.
Fixes: https://tracker.ceph.com/issues/63004
Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
CVE: CVE-2023-43040
Upstream-Status: Backport [https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
src/rgw/rgw_rest_s3.cc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index cb026714..40b4ff92 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2735,10 +2735,6 @@ int RGWPostObj_ObjStore_S3::get_params()
map_qs_metadata(s);
- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
- << dendl;
- env.add_var("bucket", s->bucket.name);
-
bool done;
do {
struct post_form_part part;
@@ -2789,6 +2785,10 @@ int RGWPostObj_ObjStore_S3::get_params()
env.add_var(part.name, part_str);
} while (!done);
+ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
+ << dendl;
+ env.add_var("bucket", s->bucket.name);
+
string object_str;
if (!part_str(parts, "key", &object_str)) {
err_msg = "Key not specified";
--
2.40.0

1
recipes-extended/ceph/ceph_15.2.17.bb
View File

@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
file://ceph.conf \ file://ceph.conf \
file://0001-cmake-add-support-for-python3.10.patch \ file://0001-cmake-add-support-for-python3.10.patch \
file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \ file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
file://CVE-2023-43040.patch \
" "
SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2" SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"