diff --git a/0006-CVE-2020-25678-1.patch b/0006-CVE-2020-25678-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..39d226fa926eda21e404e80c8c3bb9762208dc5b --- /dev/null +++ b/0006-CVE-2020-25678-1.patch @@ -0,0 +1,109 @@ +From b23bc377f4781789766f94a830e345daed08f504 Mon Sep 17 00:00:00 2001 +From: Neha Ojha +Date: Thu, 3 Dec 2020 19:18:04 +0000 +Subject: [PATCH 1/2] messages/MMonCommand, MMonCommandAck: don't log values + for "config set" and "config-key set" + +This acts like a big hammer to avoid adding sensitive information, like passwords +into mon/mgr/cluster logs when using "config set" and "config-key set" to set keys +whose values should be secure. + +Fixes: https://tracker.ceph.com/issues/37503 +Signed-off-by: Neha Ojha +(cherry picked from commit 3d54660ca1a9a7ae54e884c3181fca17a40d8cd3) + + Conflicts: + src/messages/MMonCommand.h - trivial resolution + src/messages/MMonCommandAck.h - trivial resolution +--- + src/messages/MMonCommand.h | 23 ++++++++++++++++++++--- + src/messages/MMonCommandAck.h | 24 +++++++++++++++++++++++- + 2 files changed, 43 insertions(+), 4 deletions(-) + +diff --git a/src/messages/MMonCommand.h b/src/messages/MMonCommand.h +index c6764475dc..e0ef5a7355 100644 +--- a/src/messages/MMonCommand.h ++++ b/src/messages/MMonCommand.h +@@ -15,6 +15,7 @@ + #ifndef CEPH_MMONCOMMAND_H + #define CEPH_MMONCOMMAND_H + ++#include "common/cmdparse.h" + #include "messages/PaxosServiceMessage.h" + + #include +@@ -37,10 +38,26 @@ private: + public: + const char *get_type_name() const override { return "mon_command"; } + void print(ostream& o) const override { ++ cmdmap_t cmdmap; ++ stringstream ss; ++ string prefix; ++ cmdmap_from_json(cmd, &cmdmap, ss); ++ cmd_getval(g_ceph_context, cmdmap, "prefix", prefix); ++ // Some config values contain sensitive data, so don't log them + o << "mon_command("; +- for (unsigned i=0; i +Date: Thu, 3 Dec 2020 19:24:39 +0000 +Subject: [PATCH 2/2] mon: don't log "config set" and "config-key set" dispatch + and finished messages + +Signed-off-by: Neha Ojha +(cherry picked from commit 4b83dfb1f74e8a59c802ff3c0eb4595f7e763762) +--- + src/mon/Monitor.cc | 18 ++++++++++-------- + src/mon/Monitor.h | 9 ++++++++- + 2 files changed, 18 insertions(+), 9 deletions(-) + +diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc +index da1fac90ed..f6c9a1bd8b 100644 +--- a/src/mon/Monitor.cc ++++ b/src/mon/Monitor.cc +@@ -3170,18 +3170,20 @@ void Monitor::handle_command(MonOpRequestRef op) + if (!_allowed_command(session, service, prefix, cmdmap, + param_str_map, mon_cmd)) { + dout(1) << __func__ << " access denied" << dendl; +- (cmd_is_rw ? audit_clog->info() : audit_clog->debug()) +- << "from='" << session->inst << "' " +- << "entity='" << session->entity_name << "' " +- << "cmd=" << m->cmd << ": access denied"; ++ if (prefix != "config set" && prefix != "config-key set") ++ (cmd_is_rw ? audit_clog->info() : audit_clog->debug()) ++ << "from='" << session->inst << "' " ++ << "entity='" << session->entity_name << "' " ++ << "cmd=" << m->cmd << ": access denied"; + reply_command(op, -EACCES, "access denied", 0); + return; + } + +- (cmd_is_rw ? audit_clog->info() : audit_clog->debug()) +- << "from='" << session->inst << "' " +- << "entity='" << session->entity_name << "' " +- << "cmd=" << m->cmd << ": dispatch"; ++ if (prefix != "config set" && prefix != "config-key set") ++ (cmd_is_rw ? audit_clog->info() : audit_clog->debug()) ++ << "from='" << session->inst << "' " ++ << "entity='" << session->entity_name << "' " ++ << "cmd=" << m->cmd << ": dispatch"; + + if (mon_cmd->is_mgr() && + osdmon()->osdmap.require_osd_release >= CEPH_RELEASE_LUMINOUS) { +diff --git a/src/mon/Monitor.h b/src/mon/Monitor.h +index 008947e85b..e8f712e984 100644 +--- a/src/mon/Monitor.h ++++ b/src/mon/Monitor.h +@@ -40,6 +40,7 @@ + #include "PGStatService.h" + #include "MonCommand.h" + ++#include "common/cmdparse.h" + #include "common/LogClient.h" + #include "auth/cephx/CephxKeyServer.h" + #include "auth/AuthMethodList.h" +@@ -860,7 +861,13 @@ public: + ss << "session dropped for command "; + } + } +- ss << "cmd='" << m->cmd << "': finished"; ++ cmdmap_t cmdmap; ++ stringstream ds; ++ string prefix; ++ cmdmap_from_json(m->cmd, &cmdmap, ds); ++ cmd_getval(g_ceph_context, cmdmap, "prefix", prefix); ++ if (prefix != "config set" && prefix != "config-key set") ++ ss << "cmd='" << m->cmd << "': finished"; + + mon->audit_clog->info() << ss.str(); + mon->reply_command(op, rc, rs, rdata, version); +-- +2.29.2 + diff --git a/ceph.spec b/ceph.spec index 94340640ab73c18e79c5f25cf22b8c331b4ade38..a35ca3f4a16975e240a3cfbee5a25298553a2bb5 100644 --- a/ceph.spec +++ b/ceph.spec @@ -68,7 +68,7 @@ ################################################################################# Name: ceph Version: 12.2.8 -Release: 10 +Release: 12 Epoch: 2 # define _epoch_prefix macro which will expand to the empty string if epoch is @@ -89,6 +89,8 @@ Patch2: 0002-CVE-2018-16846-1.patch Patch3: 0003-CVE-2018-16846-2.patch Patch4: 0004-CVE-2018-14662.patch Patch5: 0005-CVE-2020-12059.patch +Patch6: 0006-CVE-2020-25678-1.patch +Patch7: 0007-CVE-2020-25678-2.patch %if 0%{?suse_version} %if 0%{?is_opensuse} @@ -1797,6 +1799,12 @@ exit 0 %changelog +* Wed Mar 10 2021 Zhuohui Zou - 1:12.2.8-12 +- fix CVE-2020-25678 + +* Thu Mar 4 2021 Shaoning Zhang - 1:12.2.8-11 +- correct ceph-mgr requires python2-jinja2 and python2-werkzeug + * Wed Jan 27 2021 Zhiqiang Liu - 1:12.2.8-10 - correct ceph-common requires python2-prettytable version.