From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Yogita.Urade@windriver.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][kirkstone][PATCH 1/1] ceph: fix CVE-2023-43040
Date: Wed, 9 Apr 2025 04:02:25 +0000 [thread overview]
Message-ID: <Z_XxUZFWBxPkBkC5@gmail.com> (raw)
In-Reply-To: <20250404100409.3558585-1-yogita.urade@windriver.com>
merged.
Bruce
In message: [meta-virtualization][kirkstone][PATCH 1/1] ceph: fix CVE-2023-43040
on 04/04/2025 Urade, Yogita via lists.yoctoproject.org wrote:
> From: Yogita Urade <yogita.urade@windriver.com>
>
> IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an
> attacker to perform unauthorized actions in RGW for Ceph due
> to improper bucket access. IBM X-Force ID: 266807.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2023-43040
>
> Upstream patch:
> https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8
>
> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> ---
> .../ceph/ceph/CVE-2023-43040.patch | 56 +++++++++++++++++++
> recipes-extended/ceph/ceph_15.2.17.bb | 1 +
> 2 files changed, 57 insertions(+)
> create mode 100644 recipes-extended/ceph/ceph/CVE-2023-43040.patch
>
> diff --git a/recipes-extended/ceph/ceph/CVE-2023-43040.patch b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
> new file mode 100644
> index 00000000..18fca583
> --- /dev/null
> +++ b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
> @@ -0,0 +1,56 @@
> +From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
> +From: Joshua Baergen <jbaergen@digitalocean.com>
> +Date: Wed, 17 May 2023 12:17:09 -0600
> +Subject: [PATCH] rgw: Fix bucket validation against POST policies
> +
> +It's possible that user could provide a form part as a part of a POST
> +object upload that uses 'bucket' as a key; in this case, it was
> +overriding what was being set in the validation env (which is the real
> +bucket being modified). The result of this is that a user could actually
> +upload to any bucket accessible by the specified access key by matching
> +the bucket in the POST policy in said POST form part.
> +
> +Fix this simply by setting the bucket to the correct value after the
> +POST form parts are processed, ignoring the form part above if
> +specified.
> +
> +Fixes: https://tracker.ceph.com/issues/63004
> +
> +Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
> +
> +CVE: CVE-2023-43040
> +Upstream-Status: Backport [https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8]
> +
> +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> +---
> + src/rgw/rgw_rest_s3.cc | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
> +index cb026714..40b4ff92 100644
> +--- a/src/rgw/rgw_rest_s3.cc
> ++++ b/src/rgw/rgw_rest_s3.cc
> +@@ -2735,10 +2735,6 @@ int RGWPostObj_ObjStore_S3::get_params()
> +
> + map_qs_metadata(s);
> +
> +- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
> +- << dendl;
> +- env.add_var("bucket", s->bucket.name);
> +-
> + bool done;
> + do {
> + struct post_form_part part;
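Review bot: the three `-` lines are only the first half of a move; applied on their own they would leave the policy env with no `bucket` entry at all, so this hunk is correct only together with the `++` block in the next hunk of the same patch. The nested `index cb026714..40b4ff92` and `@@ -2735,10 +2735,6 @@` headers are those of the upstream commit (the file is a verbatim format-patch of 98bfb71c), not refreshed against the 15.2.17 `rgw_rest_s3.cc`, so please confirm the hunk applies at those offsets or regenerate the header so the backport can be verified without relying on fuzz.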
> +@@ -2789,6 +2785,10 @@ int RGWPostObj_ObjStore_S3::get_params()
> + env.add_var(part.name, part_str);
> + } while (!done);
> +
> ++ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
> ++ << dendl;
> ++ env.add_var("bucket", s->bucket.name);
> ++
> + string object_str;
> + if (!part_str(parts, "key", &object_str)) {
> + err_msg = "Key not specified";
> +--
> +2.40.0
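Review bot: the re-added `env.add_var("bucket", s->bucket.name)` closes the override only if `add_var` replaces an existing entry (last writer wins); the loop above still calls `env.add_var(part.name, part_str)` for a form part named `bucket`, and nothing in this hunk rejects or logs such a part. Please confirm that the 15.2.17 `env` implementation overwrites rather than keeps the first value for a duplicate name, and consider an `ldpp_dout(this, 20)` line when a part named `bucket` is encountered so that attempts to exercise this show up in the rgw log.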
> diff --git a/recipes-extended/ceph/ceph_15.2.17.bb b/recipes-extended/ceph/ceph_15.2.17.bb
> index 9fb2e722..4f32db0e 100644
> --- a/recipes-extended/ceph/ceph_15.2.17.bb
> +++ b/recipes-extended/ceph/ceph_15.2.17.bb
> @@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
> file://ceph.conf \
> file://0001-cmake-add-support-for-python3.10.patch \
> file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
> + file://CVE-2023-43040.patch \
> "
>
> SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"
> --
> 2.40.0
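The ordering bug the quoted commit message describes, as a toy model added here (not ceph code): `PolicyEnv`, `build_env_before_fix`, `build_env_after_fix`, `policy_bucket_matches` and the sample form are constructed stand-ins for the real `env`, the `get_params()` form-part loop and a client's POST form, assuming only that `add_var` is last-writer-wins.

```cpp
// Toy model (added here, not ceph code) of the POST-policy env that
// RGWPostObj_ObjStore_S3::get_params() builds, showing why the position
// of env.add_var("bucket", ...) relative to the form-part loop matters.
#include <map>
#include <string>
#include <utility>
#include <vector>
// Stand-in for the rgw policy env: add_var() is last-writer-wins, which is
// the assumption the upstream fix relies on.
struct PolicyEnv {
    std::map<std::string, std::string> vars;
    void add_var(const std::string& k, const std::string& v) { vars[k] = v; }
};

using FormParts = std::vector<std::pair<std::string, std::string>>;

// Order before the fix: the request's bucket goes in first, then every form
// part, so a part that happens to be named "bucket" replaces it.
PolicyEnv build_env_before_fix(const std::string& req_bucket, const FormParts& parts) {
    PolicyEnv env;
    env.add_var("bucket", req_bucket);
    for (const auto& p : parts) env.add_var(p.first, p.second);
    return env;
}

// Order after the fix: form parts first, then the request's bucket, so the
// bucket actually being written always wins.
PolicyEnv build_env_after_fix(const std::string& req_bucket, const FormParts& parts) {
    PolicyEnv env;
    for (const auto& p : parts) env.add_var(p.first, p.second);
    env.add_var("bucket", req_bucket);
    return env;
}

// The one condition our toy policy carries: {"bucket": "<policy_bucket>"}.
bool policy_bucket_matches(const PolicyEnv& env, const std::string& policy_bucket) {
    auto it = env.vars.find("bucket");
    return it != env.vars.end() && it->second == policy_bucket;
}

// Constructed sample form: a key plus a client-chosen part named "bucket".
FormParts sample_form_with_bucket_part() {
    return {{"key", "obj.txt"}, {"bucket", "signed-bucket"}};
}
int main() {
    // Policy signed for "signed-bucket", request targets "other-bucket".
    bool before = policy_bucket_matches(build_env_before_fix("other-bucket", sample_form_with_bucket_part()), "signed-bucket");
    bool after = policy_bucket_matches(build_env_after_fix("other-bucket", sample_form_with_bucket_part()), "signed-bucket");
    return (before && !after) ? 0 : 1;  // exit 0 when the fix behaves as described
}
```

With the pre-fix order the policy check passes for a bucket the policy was never signed for; with the post-fix order the same form is rejected, while a form that targets the signed bucket still validates.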