From d07f210741726a9939dc937c4516ac98210066e2 Mon Sep 17 00:00:00 2001 From: chixinze Date: Mon, 26 Jul 2021 16:47:18 +0800 Subject: [PATCH] fix CVE-2020-10753 CVE-2021-3524 CVE-2020-1760 Signed-off-by: chixinze (cherry picked from commit ac0cf1417005186b4542f7e56d6815605e6d2c5c) --- 0016-CVE-2020-10753-1.patch | 47 +++++++++++++++++++++++++++++ 0017-CVE-2021-3524-1.patch | 36 ++++++++++++++++++++++ 0018-CVE-2020-1760-1.patch | 31 +++++++++++++++++++ 0019-CVE-2020-1760-2.patch | 28 ++++++++++++++++++ 0020-CVE-2020-1760-3.patch | 59 +++++++++++++++++++++++++++++++++++++ ceph.spec | 12 +++++++- 6 files changed, 212 insertions(+), 1 deletion(-) create mode 100644 0016-CVE-2020-10753-1.patch create mode 100644 0017-CVE-2021-3524-1.patch create mode 100644 0018-CVE-2020-1760-1.patch create mode 100644 0019-CVE-2020-1760-2.patch create mode 100644 0020-CVE-2020-1760-3.patch diff --git a/0016-CVE-2020-10753-1.patch b/0016-CVE-2020-10753-1.patch new file mode 100644 index 0000000..15ad687 --- /dev/null +++ b/0016-CVE-2020-10753-1.patch 
@@ -0,0 +1,47 @@ +From 46817f30cee60bc5df8354ab326762e7c783fe2c Mon Sep 17 00:00:00 2001 +From: Casey Bodley +Date: Tue, 26 May 2020 15:03:03 -0400 +Subject: [PATCH] rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader + +the values in the element are sent back to clients in a +Access-Control-Expose-Headers response header. if the values are allowed +to have newlines in them, they can be used to inject arbitrary response +headers + +this issue only affects s3, which gets these values from an xml document + +in swift, they're given in the request header +X-Container-Meta-Access-Control-Expose-Headers, so the value itself +cannot contain newlines + +Signed-off-by: Casey Bodley +Reported-by: Adam Mohammed +--- + src/rgw/rgw_cors.cc | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc +index 07dbab5d3e2..0b3e4f39455 100644 +--- a/src/rgw/rgw_cors.cc ++++ b/src/rgw/rgw_cors.cc +@@ -144,11 +144,12 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) { + + void RGWCORSRule::format_exp_headers(string& s) { + s = ""; +- for(list::iterator it = exposable_hdrs.begin(); +- it != exposable_hdrs.end(); ++it) { +- if (s.length() > 0) +- s.append(","); +- s.append((*it)); ++ for (const auto& header : exposable_hdrs) { ++ if (s.length() > 0) ++ s.append(","); ++ // these values are sent to clients in a 'Access-Control-Expose-Headers' ++ // response header, so we escape '\n' to avoid header injection ++ boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n"); + } + } + +-- +2.23.0 + diff --git a/0017-CVE-2021-3524-1.patch b/0017-CVE-2021-3524-1.patch new file mode 100644 index 0000000..f304983 --- /dev/null +++ b/0017-CVE-2021-3524-1.patch 
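Review bot: As rendered here the context line `+- for(list::iterator it = exposable_hdrs.begin();` has lost its template argument (upstream reads `list<string>::iterator`), and the hunk header of 0020 shows the same loss in `decode_attr_bl_single_value(map& attrs, ...`. This is most likely a display artifact of the angle brackets, but if the stored patch files really carry the truncated lines the context will not match and the %patch step fails at build time, so the files are worth checking byte-for-byte against the upstream commits named in their headers. The code change itself is consistent with upstream as far as the visible lines go.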
@@ -0,0 +1,36 @@ +From 763aebb94678018f89427137ffbc0c5205b1edc1 Mon Sep 17 00:00:00 2001 +From: Casey Bodley +Date: Tue, 4 May 2021 08:32:58 -0400 +Subject: [PATCH] rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader + +follows up on 1524d3c0c5cb11775313ea1e2bb36a93257947f2 to escape \r as +well + +Fixes: CVE-2021-3524 + +Reported-by: Sergey Bobrov +Signed-off-by: Casey Bodley +(cherry picked from commit 87806f48e7a1b8891eb90711f1cedd26f1119aac) +--- + src/rgw/rgw_cors.cc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc +index 0b3e4f39455..bfe83d6420e 100644 +--- a/src/rgw/rgw_cors.cc ++++ b/src/rgw/rgw_cors.cc +@@ -148,8 +148,9 @@ void RGWCORSRule::format_exp_headers(string& s) { + if (s.length() > 0) + s.append(","); + // these values are sent to clients in a 'Access-Control-Expose-Headers' +- // response header, so we escape '\n' to avoid header injection +- boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n"); ++ // response header, so we escape '\n' and '\r' to avoid header injection ++ std::string tmp = boost::replace_all_copy(header, "\n", "\\n"); ++ boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r"); + } + } + +-- +2.23.0 + diff --git a/0018-CVE-2020-1760-1.patch b/0018-CVE-2020-1760-1.patch new file mode 100644 index 0000000..cc8664d --- /dev/null +++ b/0018-CVE-2020-1760-1.patch 
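Review bot: The escaping here covers only `\n` and `\r`, while 0020 in this same commit rejects any byte for which `iscntrl` is true before it can reach a response header; the two fixes treat the same header-injection class inconsistently. Whether other control bytes (NUL, tab, 0x7f) in an ExposeHeader value can do harm depends on the HTTP frontend, which is not visible here, but rejecting the value with the same `iscntrl` test when the CORSConfiguration XML is parsed would close the gap uniformly and avoid emitting a `\\n` token that is not a valid header name anyway. The intermediate `std::string tmp` also costs an extra allocation per header; a single pass that appends while escaping would do, though that is not a correctness issue. `format_exp_headers` starts before this hunk.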
@@ -0,0 +1,31 @@ +From ba0790a01ba5252db1ebc299db6e12cd758d0ff9 Mon Sep 17 00:00:00 2001 +From: Matt Benjamin +Date: Fri, 27 Mar 2020 18:13:48 +0100 +Subject: [PATCH] rgw: reject unauthenticated response-header actions + +Signed-off-by: Matt Benjamin +Reviewed-by: Casey Bodley +(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400) +--- + src/rgw/rgw_rest_s3.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc +index b0e36dec5d8..5dc6a562051 100644 +--- a/src/rgw/rgw_rest_s3.cc ++++ b/src/rgw/rgw_rest_s3.cc +@@ -266,6 +266,11 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, + bool exists; + string val = s->info.args.get(p->param, &exists); + if (exists) { ++ /* reject unauthenticated response header manipulation, see ++ * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */ ++ if (s->auth.identity->is_anonymous()) { ++ return -EPERM; ++ } + if (strcmp(p->param, "response-content-type") != 0) { + response_attrs[p->http_attr] = val; + } else { +-- +2.23.0 + diff --git a/0019-CVE-2020-1760-2.patch b/0019-CVE-2020-1760-2.patch new file mode 100644 index 0000000..3f6d9e9 --- /dev/null +++ b/0019-CVE-2020-1760-2.patch 
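Review bot: The anonymous check is placed inside `send_response_data`, so an unauthenticated request carrying a `response-*` parameter is refused only while the response is being formed, after the object read has already been set up; if the op has a permission-check stage (it is outside this hunk), rejecting there would refuse the request before any object data is fetched. `s->auth.identity` is also dereferenced without a null check, which is fine only if every S3 request, including anonymous ones, has an identity installed by this point; that is not visible in the hunk and worth confirming. `send_response_data` starts before and ends after this hunk.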
@@ -0,0 +1,28 @@ +From 607a65fccd8a80c2f2c74853a6dc5c14ed8a75c1 Mon Sep 17 00:00:00 2001 +From: Abhishek Lekshmanan +Date: Fri, 27 Mar 2020 19:29:01 +0100 +Subject: [PATCH] rgw: EPERM to ERR_INVALID_REQUEST + +As per Robin's comments and S3 spec + +Signed-off-by: Abhishek Lekshmanan +--- + src/rgw/rgw_rest_s3.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc +index 5dc6a562051..dc49caae18d 100644 +--- a/src/rgw/rgw_rest_s3.cc ++++ b/src/rgw/rgw_rest_s3.cc +@@ -269,7 +269,7 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, + /* reject unauthenticated response header manipulation, see + * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */ + if (s->auth.identity->is_anonymous()) { +- return -EPERM; ++ return -ERR_INVALID_REQUEST; + } + if (strcmp(p->param, "response-content-type") != 0) { + response_attrs[p->http_attr] = val; +-- +2.23.0 + diff --git a/0020-CVE-2020-1760-3.patch b/0020-CVE-2020-1760-3.patch new file mode 100644 index 0000000..9141abe --- /dev/null +++ b/0020-CVE-2020-1760-3.patch 
@@ -0,0 +1,59 @@ +From 9ca5b3628245e2878426602bb24f1a4e45edc850 Mon Sep 17 00:00:00 2001 +From: "Robin H. Johnson" +Date: Fri, 27 Mar 2020 20:48:13 +0100 +Subject: [PATCH] rgw: reject control characters in response-header actions + +S3 GetObject permits overriding response header values, but those inputs +need to be validated to insure only characters that are valid in an HTTP +header value are present. + +Credit: Initial vulnerability discovery by William Bowling (@wcbowling) +Credit: Further vulnerability discovery by Robin H. Johnson +Signed-off-by: Robin H. Johnson +--- + src/rgw/rgw_rest_s3.cc | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc +index dc49caae18d..459dd1dc715 100644 +--- a/src/rgw/rgw_rest_s3.cc ++++ b/src/rgw/rgw_rest_s3.cc +@@ -167,6 +167,15 @@ int decode_attr_bl_single_value(map& attrs, const char *attr + return 0; + } + ++inline bool str_has_cntrl(const std::string s) { ++ return std::any_of(s.begin(), s.end(), ::iscntrl); ++} ++ ++inline bool str_has_cntrl(const char* s) { ++ std::string _s(s); ++ return str_has_cntrl(_s); ++} ++ + int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, + off_t bl_len) + { +@@ -271,6 +280,19 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, + if (s->auth.identity->is_anonymous()) { + return -ERR_INVALID_REQUEST; + } ++ /* HTTP specification says no control characters should be present in ++ * header values: https://tools.ietf.org/html/rfc7230#section-3.2 ++ * field-vchar = VCHAR / obs-text ++ * ++ * Failure to validate this permits a CRLF injection in HTTP headers, ++ * whereas S3 GetObject only permits specific headers. 
++ */ ++ if(str_has_cntrl(val)) { ++ /* TODO: return a more distinct error in future; ++ * stating what the problem is */ ++ return -ERR_INVALID_REQUEST; ++ } ++ + if (strcmp(p->param, "response-content-type") != 0) { + response_attrs[p->http_attr] = val; + } else { +-- +2.23.0 + diff --git a/ceph.spec b/ceph.spec index b143221..e61d5f9 100644 --- a/ceph.spec +++ b/ceph.spec @@ -68,7 +68,7 @@ ################################################################################# Name: ceph Version: 12.2.8 -Release: 13 +Release: 14 Epoch: 2 # define _epoch_prefix macro which will expand to the empty string if epoch is @@ -99,6 +99,11 @@ Patch12: 0012-CVE-2020-27781-2.patch Patch13: 0013-CVE-2020-27781-3.patch Patch14: 0014-CVE-2020-27781-4.patch Patch15: 0015-CVE-2020-27781-5.patch +Patch16: 0016-CVE-2020-10753-1.patch +Patch17: 0017-CVE-2021-3524-1.patch +Patch18: 0018-CVE-2020-1760-1.patch +Patch19: 0019-CVE-2020-1760-2.patch +Patch20: 0020-CVE-2020-1760-3.patch %if 0%{?suse_version} %if 0%{?is_opensuse} @@ -1807,6 +1812,11 @@ exit 0 %changelog +* Mon Jul 26 2021 chixinze - 1:12.2.8-14 +- fix CVE-2020-10753 +- fix CVE-2021-3524 +- fix CVE-2020-1760 + * Sun Jul 18 2021 chixinze - 1:12.2.8-13 - fix CVE-2020-27781 - ceph-volume-client: allow atomic updates for RADOS objects -- Gitee
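Review bot: `str_has_cntrl` passes each `char` straight to `::iscntrl`, which is undefined for values that are negative and not `EOF`; bytes 0x80–0xFF (the `obs-text` range the new comment cites) are negative wherever `char` is signed, as on x86, so the check itself can misbehave on exactly the inputs it is meant to police. Widen first with a lambda: `return std::any_of(s.begin(), s.end(), [](unsigned char c) { return std::iscntrl(c) != 0; });`. The `std::string` overload also takes its argument by value, so every call copies the header value; `inline bool str_has_cntrl(const std::string& s)` avoids that and the `const char*` overload can simply forward `str_has_cntrl(std::string(s))`. `std::any_of` needs `<algorithm>` and `::iscntrl` `<cctype>`; whether rgw_rest_s3.cc already includes them is not visible here. `send_response_data` starts before and ends after this hunk.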