From f64cbdd9a42ee420838f8fa2481a10119a0b57d3 Mon Sep 17 00:00:00 2001
From: tzing_t
Date: Thu, 23 Jan 2025 02:47:19 +0000
Subject: [PATCH] fix CVE-2022-47950
---
 CVE-2022-47950.patch | 71 ++++++++++++++++++++++++++++++++++++++++++++
 openstack-swift.spec | 6 +++-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-47950.patch
diff --git a/CVE-2022-47950.patch b/CVE-2022-47950.patch
new file mode 100644
index 0000000..33cc934
--- /dev/null
+++ b/CVE-2022-47950.patch
@@ -0,0 +1,71 @@
+diff --git a/swift/common/middleware/s3api/etree.py b/swift/common/middleware/s3api/etree.py
+index 987b84a..e16b753 100644
+--- a/swift/common/middleware/s3api/etree.py
++++ b/swift/common/middleware/s3api/etree.py
+@@ -130,7 +130,7 @@ class _Element(lxml.etree.ElementBase):
+ 
+ 
+ parser_lookup = lxml.etree.ElementDefaultClassLookup(element=_Element)
+-parser = lxml.etree.XMLParser()
++parser = lxml.etree.XMLParser(resolve_entities=False, no_network=True)
+ parser.set_element_class_lookup(parser_lookup)
+ 
+ Element = parser.makeelement
+diff --git a/test/unit/common/middleware/s3api/test_multi_delete.py b/test/unit/common/middleware/s3api/test_multi_delete.py
+index eae5fb7..aba74b1 100644
+--- a/test/unit/common/middleware/s3api/test_multi_delete.py
++++ b/test/unit/common/middleware/s3api/test_multi_delete.py
+@@ -455,6 +455,7 @@ class TestS3ApiMultiDelete(S3ApiTestCase):
+ body=body)
+ status, headers, body = self.call_s3api(req)
+ self.assertEqual(status.split()[0], '200')
++ self.assertIn(b'Key1Server Error', body)
+ 
+ def _test_object_multi_DELETE(self, account):
+ self.keys = ['Key1', 'Key2']
+@@ -512,6 +513,45 @@ class TestS3ApiMultiDelete(S3ApiTestCase):
+ elem = fromstring(body)
+ self.assertEqual(len(elem.findall('Deleted')), len(self.keys))
+ 
++ def test_object_multi_DELETE_with_system_entity(self):
++ self.keys = ['Key1', 'Key2']
++ self.swift.register(
++ 'DELETE', '/v1/AUTH_test/bucket/%s' % self.keys[0],
++ swob.HTTPNotFound, {}, None)
++ self.swift.register(
++ 'DELETE', '/v1/AUTH_test/bucket/%s' % self.keys[1],
++ swob.HTTPNoContent, {}, None)
++
++ elem = Element('Delete')
++ for key in self.keys:
++ obj = SubElement(elem, 'Object')
++ SubElement(obj, 'Key').text = key
++ body = tostring(elem, use_s3ns=False)
++ body = body.replace(
++ b'?>\n',
++ b'?>\n ]>\n',
++ ).replace(b'>Key1<', b'>Key1&ent;<')
++ content_md5 = (
++ base64.b64encode(md5(body, usedforsecurity=False).digest())
++ .strip())
++
++ req = Request.blank('/bucket?delete',
++ environ={'REQUEST_METHOD': 'POST'},
++ headers={
++ 'Authorization': 'AWS test:full_control:hmac',
++ 'Date': self.get_date_header(),
++ 'Content-MD5': content_md5},
++ body=body)
++ req.date = datetime.now()
++ req.content_type = 'text/plain'
++
++ status, headers, body = self.call_s3api(req)
++ self.assertEqual(status, '200 OK', body)
++ self.assertIn(b'Key2', body)
++ self.assertNotIn(b'root:/root', body)
++ self.assertIn(b'Key1', body)
++
+ def _test_no_body(self, use_content_length=False,
+ use_transfer_encoding=False, string_to_md5=b''):
+ content_md5 = (base64.b64encode(
diff --git a/openstack-swift.spec b/openstack-swift.spec
index cd7e559..930b86a 100644
--- a/openstack-swift.spec
+++ b/openstack-swift.spec
@@ -16,7 +16,7 @@ expensive equipment.
 Name: openstack-swift
 Version: 2.27.0
-Release: 6
+Release: 7
 Summary: OpenStack Object Storage
 License: ASL 2.0
 URL: https://docs.openstack.org/swift/latest/
@@ -68,6 +68,7 @@ Source76: %{name}-container-sync@.service
 Source77: internal-client.conf
 Patch001: Replace_deprecated_import_ABCs_from_collections.patch
+Patch002: CVE-2022-47950.patch
 BuildArch: noarch
@@ -582,6 +583,9 @@ exit 0
 %endif
 %changelog
+* Thu Jan 23 2025 tzing_t - 2.27.0-7
+- fix CVE-2022-47950
+
 * Sat May 25 2024 tzing_t - 2.27.0-6
 - Replace deprecated import ABCs from collections
--
Gitee
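Review bot: The hardened line `+parser = lxml.etree.XMLParser(resolve_entities=False, no_network=True)` in the nested etree.py hunk carries no comment recording why the options are set, and since `no_network=True` is already lxml's default a later cleanup could wrongly treat both as redundant when only `resolve_entities=False` changes behavior. A one-line comment above it such as `# Request bodies are untrusted: never resolve entities or fetch external resources (XXE, CVE-2022-47950).` would pin the intent. In the added test, the replacement string as shown here, `b'?>\n ]>\n'`, contains no DOCTYPE declaration and `b'Key1Server Error'` is likewise missing its element tags; this looks like markup lost in rendering rather than in the patch, but it is worth confirming against the .patch file, because without a declared entity the test no longer exercises the fix. The enclosing test class continues outside the hunk.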
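Review bot: `+Patch002: CVE-2022-47950.patch` declares the patch, but the `%prep` section that applies patches is outside this diff; if it applies patches with explicit `%patch001 -p1`-style lines rather than `%autosetup`, a matching `%patch002 -p1` is also needed, otherwise the package would build and ship without the fix while the changelog claims it. Worth verifying that the prep step of a local rpmbuild reports CVE-2022-47950.patch being applied before this release goes out.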