From 9cd2b95bd08ab4ce474910f950103cd4fb06a3ae Mon Sep 17 00:00:00 2001
From: shaominghao
Date: Fri, 22 Dec 2023 17:55:53 +0800
Subject: [PATCH] Fix CVE-2021-28235
Signed-off-by: shaominghao
---
 ...1-28235-add-an-e2e-test-to-reproduce.patch | 120 ++++++++++++++++++
 ...ssword-after-authenticating-the-user.patch | 34 +++++
 etcd.spec | 9 +-
 3 files changed, 162 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-28235-add-an-e2e-test-to-reproduce.patch
 create mode 100644 backport-CVE-2021-28235-remove-password-after-authenticating-the-user.patch
diff --git a/backport-CVE-2021-28235-add-an-e2e-test-to-reproduce.patch b/backport-CVE-2021-28235-add-an-e2e-test-to-reproduce.patch
new file mode 100644
index 0000000..e393bea
--- /dev/null
+++ b/backport-CVE-2021-28235-add-an-e2e-test-to-reproduce.patch
@@ -0,0 +1,120 @@
+From b106da02570ecc4f0a2c4d2c5a8b6cc38d650dd3 Mon Sep 17 00:00:00 2001
+From: shaominghao
+Date: Fri, 22 Dec 2023 17:37:01 +0800
+Subject: [PATCH] Add an e2e test to reproduce
+
+---
+ tests/e2e/cluster_test.go | 7 ++++
+ tests/e2e/ctl_v3_auth_security_test.go | 49 ++++++++++++++++++++++++++
+ tests/e2e/ctl_v3_test.go | 7 ++++
+ 3 files changed, 63 insertions(+)
+ create mode 100644 tests/e2e/ctl_v3_auth_security_test.go
+
+diff --git a/tests/e2e/cluster_test.go b/tests/e2e/cluster_test.go
+index 29c32e4..9cbf67e 100644
+--- a/tests/e2e/cluster_test.go
++++ b/tests/e2e/cluster_test.go
+@@ -134,6 +134,8 @@ type etcdProcessClusterConfig struct {
+ enableV2 bool
+ initialCorruptCheck bool
+ authTokenOpts string
++
++ debug bool
+ }
+
+ // newEtcdProcessCluster launches a new cluster from etcd processes, returning
+@@ -262,6 +264,10 @@ func (cfg *etcdProcessClusterConfig) etcdServerProcessConfigs() []*etcdServerPro
+ if cfg.authTokenOpts != "" {
+ args = append(args, "--auth-token", cfg.authTokenOpts)
+ }
++
++ if cfg.debug {
++ args = append(args, "--debug")
++ }
+
+ etcdCfgs[i] = &etcdServerProcessConfig{
+ execPath: cfg.execPath,
+@@ -402,3 +408,4 @@ func (epc *etcdProcessCluster) WithStopSignal(sig os.Signal) (ret os.Signal) {
+ }
+ return ret
+ }
++
+diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go
+new file mode 100644
+index 0000000..884fb1d
+--- /dev/null
++++ b/tests/e2e/ctl_v3_auth_security_test.go
+@@ -0,0 +1,49 @@
++// Copyright 2023 The etcd Authors
++//
++// Licensed under the Apache License, Version 2.0 (the "License");
++// you may not use this file except in compliance with the License.
++// You may obtain a copy of the License at
++//
++// http://www.apache.org/licenses/LICENSE-2.0
++//
++// Unless required by applicable law or agreed to in writing, software
++// distributed under the License is distributed on an "AS IS" BASIS,
++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++// See the License for the specific language governing permissions and
++// limitations under the License.
++
++//go:build !cluster_proxy
++
++package e2e
++
++import (
++ "github.com/stretchr/testify/require"
++ "testing"
++)
++
++// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++func TestAuth_CVE_2021_28235(t *testing.T) {
++ testCtl(t, authTest_CVE_2021_28235, withCfg(configNoTLS), withDebug(true))
++}
++
++func authTest_CVE_2021_28235(cx ctlCtx) {
++ // create root user with root role
++ rootPass := "changeme123"
++ err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass})
++ require.NoError(cx.t, err)
++ err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil)
++ require.NoError(cx.t, err)
++ err = ctlV3AuthEnable(cx)
++ require.NoError(cx.t, err)
++
++ // issue a put request
++ cx.user, cx.pass = "root", rootPass
++ err = ctlV3Put(cx, "foo", "bar", "")
++ require.NoError(cx.t, err)
++
++ // GET /debug/requests
++ httpEndpoint := cx.epc.procs[0].EndpointsHTTP()[0]
++ req := cURLReq{endpoint: "/debug/requests?fam=grpc.Recv.Auth&b=0&exp=1", timeout: 5}
++ err = curl(httpEndpoint, "GET", req, clientNonTLS, rootPass)
++ require.Error(cx.t, err)
++}
+diff --git a/tests/e2e/ctl_v3_test.go b/tests/e2e/ctl_v3_test.go
+index 04f5a65..c1e777a 100644
+--- a/tests/e2e/ctl_v3_test.go
++++ b/tests/e2e/ctl_v3_test.go
+@@ -130,6 +130,12 @@ func withFlagByEnv() ctlOption {
+ return func(cx *ctlCtx) { cx.envMap = make(map[string]struct{}) }
+ }
+
++func withDebug(debug bool) ctlOption {
++ return func(cx *ctlCtx) {
++ cx.cfg.debug = debug
++ }
++}
++
+ func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) {
+ defer testutil.AfterTest(t)
+
+@@ -253,3 +259,4 @@ func (cx *ctlCtx) memberToRemove() (ep string, memberID string, clusterID string
+
+ return ep, memberID, clusterID
+ }
++
+--
+2.27.0
diff --git a/backport-CVE-2021-28235-remove-password-after-authenticating-the-user.patch b/backport-CVE-2021-28235-remove-password-after-authenticating-the-user.patch
new file mode 100644
index 0000000..a0dc78a
--- /dev/null
+++ b/backport-CVE-2021-28235-remove-password-after-authenticating-the-user.patch
@@ -0,0 +1,34 @@
+From 0f48bfd4146a73697f58d4dc6aaa16f5c6438551 Mon Sep 17 00:00:00 2001
+From: shaominghao
+Date: Fri, 22 Dec 2023 17:45:02 +0800
+Subject: [PATCH] Remove password after authenticating the user
+
+---
+ etcdserver/v3_server.go | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
+index 1fa8e4e..5cc5bef 100644
+--- a/etcdserver/v3_server.go
++++ b/etcdserver/v3_server.go
+@@ -405,6 +405,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
+
+ lg := s.getLogger()
+
++ // fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++ defer func() {
++ if r != nil {
++ r.Password = ""
++ }
++ }()
++
+ var resp proto.Message
+ for {
+ checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)
+@@ -804,3 +811,4 @@ func (s *EtcdServer) AuthInfoFromCtx(ctx context.Context) (*auth.AuthInfo, error
+ return authInfo, nil
+
+ }
++
+--
+2.27.0
diff --git a/etcd.spec b/etcd.spec
index 04a2c39..daae065 100644
--- a/etcd.spec
+++ b/etcd.spec
@@ -31,7 +31,7 @@ system.}
 %global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/*
 Name: etcd
-Release: 4
+Release: 5
 Summary: Distributed reliable key-value store for the most critical data of a distributed system
 # Upstream license specification: Apache-2.0
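Review bot: The closing assertion of the new e2e test, `require.Error(cx.t, err)` after `curl(httpEndpoint, "GET", req, clientNonTLS, rootPass)`, cannot tell "the password is not on the page" apart from "the page could not be fetched": if `curl` treats its last argument as an expected substring (its definition is outside this patch), a timeout, a disabled debug endpoint or a changed page layout also returns an error and the test passes without exercising the fix. Prefer to first prove the request succeeded (expect a marker that is always present, or use a variant that returns the body if one exists in this tree) and then assert the secret is absent, in the shape `require.NotContains(cx.t, body, rootPass)`. Minor style point in the same file: the import block lists `github.com/stretchr/testify/require` before `testing`, whereas goimports convention puts the standard library first. The `debug`/`withDebug` plumbing in cluster_test.go and ctl_v3_test.go is straightforward; the enclosing `etcdServerProcessConfigs` and `testCtl` bodies extend beyond their hunks.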
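Review bot: The deferred `r.Password = ""` added in `Authenticate` only scrubs the request when the handler returns, so it closes the exposure only for consumers that render the request lazily after that point; any interceptor or logger that formats `r` eagerly before or during the handler still sees the plaintext, and the retry loop that follows keeps using `r.Password` as before. That reliance on lazy rendering is the load-bearing assumption of the fix and is not stated in the comment; consider extending it to `// fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235: the trace payload is rendered lazily, so clearing the field on return keeps it out of /debug/requests` and confirming it against the gRPC trace/logging interceptors in this 3.4 tree, which are outside this patch. The `r != nil` guard is reasonable since the deferred function also runs if the body panics on a nil request. `Authenticate` starts before the hunk and continues past it.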
@@ -46,6 +46,8 @@ Source10: genmanpages.sh
 # update grpc-go version to v1.32.0
 Patch1: 0001-Convert-int-to-string-using-strconv.Itoa.patch
 Patch2: 0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch
+Patch3: backport-CVE-2021-28235-add-an-e2e-test-to-reproduce.patch
+Patch4: backport-CVE-2021-28235-remove-password-after-authenticating-the-user.patch
 BuildRequires: golang
 BuildRequires: python3-devel
@@ -63,6 +65,8 @@ Requires(pre): shadow-utils
 %forgesetup
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 # For compatibility
 cp -aR etcdserver/api/snap snap
 cp -aR etcdserver/api/membership etcdserver/membership
@@ -148,6 +152,9 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif
 %changelog
+* Fri Dec 22 2023 shaominghao - 3.4.14-5
+- Fix CVE-2021-28235
+
 * Wed Sep 1 2021 jikui - 3.4.14-4
 - modify build flags for secure compilation options
-- Gitee