From 22074b1bc9f1c04423a95b05445c57f9471c7182 Mon Sep 17 00:00:00 2001
From: dogsheng <960055655@qq.com>
Date: Wed, 25 Dec 2019 15:43:14 +0800
Subject: [PATCH] Package init

---
 6003-CVE-2018-14662.patch | 279 ++++++++++++++++++++++++++++++++++++++
 ceph.spec | 13 +-
 2 files changed, 289 insertions(+), 3 deletions(-)
 create mode 100644 6003-CVE-2018-14662.patch

diff --git a/6003-CVE-2018-14662.patch b/6003-CVE-2018-14662.patch
new file mode 100644
index 0000000..465f12f
--- /dev/null
+++ b/6003-CVE-2018-14662.patch
@@ -0,0 +1,279 @@
+From a2acedd2a7e12d58af6db35edbd8a9d29c557578 Mon Sep 17 00:00:00 2001
+From: Joao Eduardo Luis
+Date: Wed, 17 Oct 2018 14:42:15 +0100
+Subject: [PATCH] mon/config-key: limit caps allowed to access the store
+
+Henceforth, we'll require explicit `allow` caps for commands, or for the
+config-key service. Blanket caps are no longer allowed for the
+config-key service, except for 'allow *'.
+
+(for luminous and mimic, we're also ensuring MonCap's parser is able to
+understand forward slashes '/' when parsing prefixes)
+
+Signed-off-by: Joao Eduardo Luis
+(cherry picked from commit 5fff611041c5afeaf3c8eb09e4de0cc919d69237)
+---
+ .../singleton/all/mon-config-key-caps.yaml | 17 ++
+ qa/workunits/mon/test_config_key_caps.sh | 201 ++++++++++++++++++
+ src/mon/MonCap.cc | 8 +-
+ 3 files changed, 225 insertions(+), 1 deletion(-)
+ create mode 100644 qa/suites/rados/singleton/all/mon-config-key-caps.yaml
+ create mode 100755 qa/workunits/mon/test_config_key_caps.sh
+
+diff --git a/qa/suites/rados/singleton/all/mon-config-key-caps.yaml b/qa/suites/rados/singleton/all/mon-config-key-caps.yaml
+new file mode 100644
+index 0000000000..0b0b95c52e
+--- /dev/null
++++ b/qa/suites/rados/singleton/all/mon-config-key-caps.yaml
+@@ -0,0 +1,17 @@
++roles:
++- - mon.a
++ - mgr.x
++ - osd.0
++ - osd.1
++ - osd.2
++ - client.0
++tasks:
++- install:
++- ceph:
++ log-whitelist:
++ - overall HEALTH_
++ - \(AUTH_BAD_CAPS\)
++- workunit:
++ clients:
++ all:
++ - mon/test_config_key_caps.sh
+diff --git a/qa/workunits/mon/test_config_key_caps.sh b/qa/workunits/mon/test_config_key_caps.sh
+new file mode 100755
+index 0000000000..77b4b53b70
+--- /dev/null
++++ b/qa/workunits/mon/test_config_key_caps.sh
+@@ -0,0 +1,201 @@
++#!/usr/bin/env bash
++
++set -x
++set -e
++
++tmp=$(mktemp -d -p /tmp test_mon_config_key_caps.XXXXX)
++entities=()
++
++function cleanup()
++{
++ set +e
++ set +x
++ if [[ -e $tmp/keyring ]] && [[ -e $tmp/keyring.orig ]]; then
++ grep '\[.*\..*\]' $tmp/keyring.orig > $tmp/entities.orig
++ for e in $(grep '\[.*\..*\]' $tmp/keyring | \
++ diff $tmp/entities.orig - | \
++ sed -n 's/^.*\[\(.*\..*\)\]/\1/p');
++ do
++ ceph auth rm $e 2>&1 >& /dev/null
++ done
++ fi
++ #rm -fr $tmp
++}
++
++trap cleanup 0 # cleanup on exit
++
++function expect_false()
++{
++ set -x
++ if "$@"; then return 1; else return 0; fi
++}
++
++# for cleanup purposes
++ceph auth export -o $tmp/keyring.orig
++
++k=$tmp/keyring
++
++# setup a few keys
++ceph config-key ls
++ceph config-key set daemon-private/osd.123/test-foo
++ceph config-key set mgr/test-foo
++ceph config-key set device/test-foo
++ceph config-key set test/foo
++
++allow_aa=client.allow_aa
++allow_bb=client.allow_bb
++allow_cc=client.allow_cc
++
++mgr_a=mgr.a
++mgr_b=mgr.b
++osd_a=osd.100
++osd_b=osd.200
++
++prefix_aa=client.prefix_aa
++prefix_bb=client.prefix_bb
++prefix_cc=client.prefix_cc
++match_aa=client.match_aa
++match_bb=client.match_bb
++
++fail_aa=client.fail_aa
++fail_bb=client.fail_bb
++fail_cc=client.fail_cc
++fail_dd=client.fail_dd
++fail_ee=client.fail_ee
++fail_ff=client.fail_ff
++fail_gg=client.fail_gg
++fail_writes=client.fail_writes
++
++ceph auth get-or-create $allow_aa mon 'allow *'
++ceph auth get-or-create $allow_bb mon 'allow service config-key rwx'
++ceph auth get-or-create $allow_cc mon 'allow command "config-key get"'
++
++ceph auth get-or-create $mgr_a mon 'allow profile mgr'
++ceph auth get-or-create $mgr_b mon 'allow profile mgr'
++ceph auth get-or-create $osd_a mon 'allow profile osd'
++ceph auth get-or-create $osd_b mon 'allow profile osd'
++
++ceph auth get-or-create $prefix_aa mon \
++ "allow command \"config-key get\" with key prefix client/$prefix_aa"
++
++cap="allow command \"config-key set\" with key prefix client/"
++cap="$cap,allow command \"config-key get\" with key prefix client/$prefix_bb"
++ceph auth get-or-create $prefix_bb mon "$cap"
++
++cap="allow command \"config-key get\" with key prefix client/"
++cap="$cap, allow command \"config-key set\" with key prefix client/"
++cap="$cap, allow command \"config-key ls\""
++ceph auth get-or-create $prefix_cc mon "$cap"
++
++cap="allow command \"config-key get\" with key=client/$match_aa/foo"
++ceph auth get-or-create $match_aa mon "$cap"
++cap="allow command \"config-key get\" with key=client/$match_bb/foo"
++cap="$cap,allow command \"config-key set\" with key=client/$match_bb/foo"
++ceph auth get-or-create $match_bb mon "$cap"
++
++ceph auth get-or-create $fail_aa mon 'allow rx'
++ceph auth get-or-create $fail_bb mon 'allow r,allow w'
++ceph auth get-or-create $fail_cc mon 'allow rw'
++ceph auth get-or-create $fail_dd mon 'allow rwx'
++ceph auth get-or-create $fail_ee mon 'allow profile bootstrap-rgw'
++ceph auth get-or-create $fail_ff mon 'allow profile bootstrap-rbd'
++# write commands will require rw; wx is not enough
++ceph auth get-or-create $fail_gg mon 'allow service config-key wx'
++# read commands will only require 'r'; 'rx' should be enough.
++ceph auth get-or-create $fail_writes mon 'allow service config-key rx'
++
++# grab keyring
++ceph auth export -o $k
++
++# keys will all the caps can do whatever
++for c in $allow_aa $allow_bb $allow_cc $mgr_a $mgr_b; do
++ ceph -k $k --name $c config-key get daemon-private/osd.123/test-foo
++ ceph -k $k --name $c config-key get mgr/test-foo
++ ceph -k $k --name $c config-key get device/test-foo
++ ceph -k $k --name $c config-key get test/foo
++done
++
++for c in $osd_a $osd_b; do
++ ceph -k $k --name $c config-key put daemon-private/$c/test-foo
++ ceph -k $k --name $c config-key get daemon-private/$c/test-foo
++ expect_false ceph -k $k --name $c config-key ls
++ expect_false ceph -k $k --name $c config-key get mgr/test-foo
++ expect_false ceph -k $k --name $c config-key get device/test-foo
++ expect_false ceph -k $k --name $c config-key get test/foo
++done
++
++expect_false ceph -k $k --name $osd_a get daemon-private/$osd_b/test-foo
++expect_false ceph -k $k --name $osd_b get daemon-private/$osd_a/test-foo
++
++expect_false ceph -k $k --name $prefix_aa \
++ config-key ls
++expect_false ceph -k $k --name $prefix_aa \
++ config-key get daemon-private/osd.123/test-foo
++expect_false ceph -k $k --name $prefix_aa \
++ config-key set test/bar
++expect_false ceph -k $k --name $prefix_aa \
++ config-key set client/$prefix_aa/foo
++
++# write something so we can read, use a custom entity
++ceph -k $k --name $allow_bb config-key set client/$prefix_aa/foo
++ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/foo
++# check one writes to the other's prefix, the other is able to read
++ceph -k $k --name $prefix_bb config-key set client/$prefix_aa/bar
++ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/bar
++
++ceph -k $k --name $prefix_bb config-key set client/$prefix_bb/foo
++ceph -k $k --name $prefix_bb config-key get client/$prefix_bb/foo
++
++expect_false ceph -k $k --name $prefix_bb config-key get client/$prefix_aa/bar
++expect_false ceph -k $k --name $prefix_bb config-key ls
++expect_false ceph -k $k --name $prefix_bb \
++ config-key get daemon-private/osd.123/test-foo
++expect_false ceph -k $k --name $prefix_bb config-key get mgr/test-foo
++expect_false ceph -k $k --name $prefix_bb config-key get device/test-foo
++expect_false ceph -k $k --name $prefix_bb config-key get test/bar
++expect_false ceph -k $k --name $prefix_bb config-key set test/bar
++
++ceph -k $k --name $prefix_cc config-key set client/$match_aa/foo
++ceph -k $k --name $prefix_cc config-key set client/$match_bb/foo
++ceph -k $k --name $prefix_cc config-key get client/$match_aa/foo
++ceph -k $k --name $prefix_cc config-key get client/$match_bb/foo
++expect_false ceph -k $k --name $prefix_cc config-key set other/prefix
++expect_false ceph -k $k --name $prefix_cc config-key get mgr/test-foo
++ceph -k $k --name $prefix_cc config-key ls >& /dev/null
++
++ceph -k $k --name $match_aa config-key get client/$match_aa/foo
++expect_false ceph -k $k --name $match_aa config-key get client/$match_bb/foo
++expect_false ceph -k $k --name $match_aa config-key set client/$match_aa/foo
++ceph -k $k --name $match_bb config-key get client/$match_bb/foo
++ceph -k $k --name $match_bb config-key set client/$match_bb/foo
++expect_false ceph -k $k --name $match_bb config-key get client/$match_aa/foo
++expect_false ceph -k $k --name $match_bb config-key set client/$match_aa/foo
++
++keys=(daemon-private/osd.123/test-foo
++ mgr/test-foo
++ device/test-foo
++ test/foo
++ client/$prefix_aa/foo
++ client/$prefix_bb/foo
++ client/$match_aa/foo
++ client/$match_bb/foo
++)
++# expect these all to fail accessing config-key
++for c in $fail_aa $fail_bb $fail_cc \
++ $fail_dd $fail_ee $fail_ff \
++ $fail_gg; do
++ for m in get set; do
++ for key in ${keys[*]} client/$prefix_aa/foo client/$prefix_bb/foo; do
++ expect_false ceph -k $k --name $c config-key $m $key
++ done
++ done
++done
++
++# fail writes but succeed on reads
++expect_false ceph -k $k --name $fail_writes config-key set client/$match_aa/foo
++expect_false ceph -k $k --name $fail_writes config-key set test/foo
++ceph -k $k --name $fail_writes config-key ls
++ceph -k $k --name $fail_writes config-key get client/$match_aa/foo
++ceph -k $k --name $fail_writes config-key get daemon-private/osd.123/test-foo
++
++echo "OK"
+diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
+index 6340ad7b14..c64f7e1081 100644
+--- a/src/mon/MonCap.cc
++++ b/src/mon/MonCap.cc
+@@ -350,6 +350,12 @@ mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
+ }
+ return MON_CAP_ALL;
+ }
++ // we don't allow config-key service to be accessed with blanket caps other
++ // than '*' (i.e., 'any'), and that should have been checked by the caller
++ // via 'is_allow_all()'.
++ if (s == "config-key") {
++ return 0;
++ }
+ return allow;
+ }
+
+@@ -484,7 +490,7 @@ struct MonCapParser : qi::grammar
+ quoted_string %=
+ lexeme['"' >> +(char_ - '"') >> '"'] |
+ lexeme['\'' >> +(char_ - '\'') >> '\''];
+- unquoted_word %= +char_("a-zA-Z0-9_.-");
++ unquoted_word %= +char_("a-zA-Z0-9_/.-");
+ str %= quoted_string | unquoted_word;
+
+ spaces = +(lit(' ') | lit('\n') | lit('\t'));
+
diff --git a/ceph.spec b/ceph.spec
index 9e02884..4dbbaac 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -68,7 +68,7 @@
 #################################################################################
 Name: ceph
 Version: 12.2.8
-Release: 3
+Release: 4
 %if 0%{?fedora} || 0%{?rhel}
 Epoch: 2
 %else if 0%{?openeuler}
@@ -95,6 +95,7 @@ Patch3: 0003-src-rocksdb-table-block.h.patch
 Patch6000: 6000-CVE-2018-16889.patch
 Patch6001: 6001-CVE-2018-16846-1.patch
 Patch6002: 6002-CVE-2018-16846-2.patch
+Patch6003: 6003-CVE-2018-14662.patch
 %if 0%{?suse_version}
 %if 0%{?is_opensuse}
@@ -1802,11 +1803,17 @@ exit 0
 %changelog
-* Mon Oct 21 2019 caomeng - 1:12.2.8-3
+* Mon Dec 23 2019 openEuler Buildteam - 1:12.2.8-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2018-14662
+
+* Mon Oct 21 2019 openEuler Buildteam - 1:12.2.8-3
 - Type:enhancement
 - ID:NA
 - SUG:NA
 - DESC:delete build requirement redhat-lsb-core
-* Mon Sep 9 2019 guiyao - 1:12.2.8-2
+* Mon Sep 9 2019 openEuler Buildteam - 1:12.2.8-2
 - openEuler Init
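Review bot: In the added qa/workunits/mon/test_config_key_caps.sh, cleanup() keeps `#rm -fr $tmp` commented out, so the mktemp directory under /tmp, and with it the `ceph auth export` dumps in $tmp/keyring.orig and $tmp/keyring that hold every entity's secret, outlives the run; the trap only removes the auth entities the test created, not the files. Removing at least the two keyring files on exit is cheap: `rm -f $tmp/keyring $tmp/keyring.orig`. Since this file carries an upstream backport (cherry-pick of 5fff611041c5afeaf3c8eb09e4de0cc919d69237), the fix belongs either in the carried patch itself or upstream rather than as an untracked local divergence. The MonCap.cc guard `if (s == "config-key") return 0;` relies, as its comment says, on the caller having checked is_allow_all() first; the enclosing get_allowed() starts outside the inner hunk, so that precondition cannot be confirmed from what is shown here.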
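Review bot: Patch6003 is declared in this hunk but nothing visible applies it; unless %prep uses `%autosetup` or `%autopatch` to apply every PatchN tag, a matching `%patch6003 -p1` line is needed, otherwise the CVE-2018-14662 fix the new changelog entry advertises never reaches the build. The %prep section is outside the visible hunks, so this needs confirming against the rest of ceph.spec. A quick build-time check is that the patched src/mon/MonCap.cc in the build tree contains the `config-key` guard the patch adds.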