[meta-virtualization][kirkstone][PATCH 1/1] ceph: fix CVE-2023-43040

[meta-virtualization][kirkstone][PATCH 1/1] ceph: fix CVE-2023-43040

[yurade]

From: Yogita Urade <yogita.urade@windriver.com>

IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an
attacker to perform unauthorized actions in RGW for Ceph due
to improper bucket access. IBM X-Force ID: 266807.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-43040

Upstream patch:
https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../ceph/ceph/CVE-2023-43040.patch            | 56 +++++++++++++++++++
 recipes-extended/ceph/ceph_15.2.17.bb         |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 recipes-extended/ceph/ceph/CVE-2023-43040.patch

diff --git a/recipes-extended/ceph/ceph/CVE-2023-43040.patch b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
new file mode 100644
index 00000000..18fca583
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
@@ -0,0 +1,56 @@
+From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
+From: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Wed, 17 May 2023 12:17:09 -0600
+Subject: [PATCH] rgw: Fix bucket validation against POST policies
+
+It's possible that user could provide a form part as a part of a POST
+object upload that uses 'bucket' as a key; in this case, it was
+overriding what was being set in the validation env (which is the real
+bucket being modified). The result of this is that a user could actually
+upload to any bucket accessible by the specified access key by matching
+the bucket in the POST policy in said POST form part.
+
+Fix this simply by setting the bucket to the correct value after the
+POST form parts are processed, ignoring the form part above if
+specified.
+
+Fixes: https://tracker.ceph.com/issues/63004
+
+Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
+
+CVE: CVE-2023-43040
+Upstream-Status: Backport [https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/rgw/rgw_rest_s3.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+index cb026714..40b4ff92 100644
+--- a/src/rgw/rgw_rest_s3.cc
++++ b/src/rgw/rgw_rest_s3.cc
+@@ -2735,10 +2735,6 @@ int RGWPostObj_ObjStore_S3::get_params()
+
+   map_qs_metadata(s);
+
+-  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
+-		    << dendl;
+-  env.add_var("bucket", s->bucket.name);
+-
+   bool done;
+   do {
+     struct post_form_part part;
+@@ -2789,6 +2785,10 @@ int RGWPostObj_ObjStore_S3::get_params()
+     env.add_var(part.name, part_str);
+   } while (!done);
+
++  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
++                    << dendl;
++  env.add_var("bucket", s->bucket.name);
++
+   string object_str;
+   if (!part_str(parts, "key", &object_str)) {
+     err_msg = "Key not specified";
+--
+2.40.0
diff --git a/recipes-extended/ceph/ceph_15.2.17.bb b/recipes-extended/ceph/ceph_15.2.17.bb
index 9fb2e722..4f32db0e 100644
--- a/recipes-extended/ceph/ceph_15.2.17.bb
+++ b/recipes-extended/ceph/ceph_15.2.17.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
            file://ceph.conf \
            file://0001-cmake-add-support-for-python3.10.patch \
            file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+           file://CVE-2023-43040.patch \
 "
 
 SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"
-- 
2.40.0

Re: [meta-virtualization][kirkstone][PATCH 1/1] ceph: fix CVE-2023-43040

[Bruce Ashfield]

merged.

Bruce

In message: [meta-virtualization][kirkstone][PATCH 1/1] ceph: fix CVE-2023-43040
on 04/04/2025 Urade, Yogita via lists.yoctoproject.org wrote:

> From: Yogita Urade <yogita.urade@windriver.com>
> 
> IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an
> attacker to perform unauthorized actions in RGW for Ceph due
> to improper bucket access. IBM X-Force ID: 266807.
> 
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2023-43040
> 
> Upstream patch:
> https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8
> 
> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> ---
>  .../ceph/ceph/CVE-2023-43040.patch            | 56 +++++++++++++++++++
>  recipes-extended/ceph/ceph_15.2.17.bb         |  1 +
>  2 files changed, 57 insertions(+)
>  create mode 100644 recipes-extended/ceph/ceph/CVE-2023-43040.patch
> 
> diff --git a/recipes-extended/ceph/ceph/CVE-2023-43040.patch b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
> new file mode 100644
> index 00000000..18fca583
> --- /dev/null
> +++ b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
> @@ -0,0 +1,56 @@
> +From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
> +From: Joshua Baergen <jbaergen@digitalocean.com>
> +Date: Wed, 17 May 2023 12:17:09 -0600
> +Subject: [PATCH] rgw: Fix bucket validation against POST policies
> +
> +It's possible that user could provide a form part as a part of a POST
> +object upload that uses 'bucket' as a key; in this case, it was
> +overriding what was being set in the validation env (which is the real
> +bucket being modified). The result of this is that a user could actually
> +upload to any bucket accessible by the specified access key by matching
> +the bucket in the POST policy in said POST form part.
> +
> +Fix this simply by setting the bucket to the correct value after the
> +POST form parts are processed, ignoring the form part above if
> +specified.
> +
> +Fixes: https://tracker.ceph.com/issues/63004
> +
> +Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
> +
> +CVE: CVE-2023-43040
> +Upstream-Status: Backport [https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8]
> +
> +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> +---
> + src/rgw/rgw_rest_s3.cc | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
> +index cb026714..40b4ff92 100644
> +--- a/src/rgw/rgw_rest_s3.cc
> ++++ b/src/rgw/rgw_rest_s3.cc
> +@@ -2735,10 +2735,6 @@ int RGWPostObj_ObjStore_S3::get_params()
> +
> +   map_qs_metadata(s);
> +
> +-  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
> +-		    << dendl;
> +-  env.add_var("bucket", s->bucket.name);
> +-
> +   bool done;
> +   do {
> +     struct post_form_part part;
> +@@ -2789,6 +2785,10 @@ int RGWPostObj_ObjStore_S3::get_params()
> +     env.add_var(part.name, part_str);
> +   } while (!done);
> +
> ++  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
> ++                    << dendl;
> ++  env.add_var("bucket", s->bucket.name);
> ++
> +   string object_str;
> +   if (!part_str(parts, "key", &object_str)) {
> +     err_msg = "Key not specified";
> +--
> +2.40.0
> diff --git a/recipes-extended/ceph/ceph_15.2.17.bb b/recipes-extended/ceph/ceph_15.2.17.bb
> index 9fb2e722..4f32db0e 100644
> --- a/recipes-extended/ceph/ceph_15.2.17.bb
> +++ b/recipes-extended/ceph/ceph_15.2.17.bb
> @@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
>             file://ceph.conf \
>             file://0001-cmake-add-support-for-python3.10.patch \
>             file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
> +           file://CVE-2023-43040.patch \
>  "
>  
>  SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"
> -- 
> 2.40.0
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9200): https://lists.yoctoproject.org/g/meta-virtualization/message/9200
> Mute This Topic: https://lists.yoctoproject.org/mt/112081662/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>