!139 fix CVE-2022-3650

From: @wangzengliang1 
Reviewed-by: @liuqinfei 
Signed-off-by: @liuqinfei

0010-fix-CVE-2022-3650.patch

@@ -0,0 +1,82 @@
+From f4035e49ee4745cd384d48a2334be793ce8df461 Mon Sep 17 00:00:00 2001
+From: wangzengliang1 <wangzengliang1@huawei.com>
+Date: Mon, 5 Dec 2022 15:10:45 +0800
+Subject: [PATCH] fix
+ceph-crash: drop privleges to run as "ceph" user, rather than root
+If privileges cannot be dropped, log an error and exit.  This commit
+also catches and logs exceptions when scraping the crash path, without
+which ceph-crash would just exit if it encountered an error.
+
+Fixes: CVE-2022-3650
+Fixes: https://tracker.ceph.com/issues/57967
+Signed-off-by: Tim Serong <tserong@suse.com>
+---
+ src/ceph-crash.in | 28 ++++++++++++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/src/ceph-crash.in b/src/ceph-crash.in
+index c549dc1..ad5823e 100644
+--- a/src/ceph-crash.in
++++ b/src/ceph-crash.in
+@@ -3,8 +3,10 @@
+ # vim: ts=4 sw=4 smarttab expandtab
+ 
+ import argparse
++import grp
+ import logging
+ import os
++import pwd
+ import signal
+ import socket
+ import subprocess
+@@ -45,7 +47,8 @@ def post_crash(path):
+             stderr=subprocess.PIPE,
+         )
+         f = open(os.path.join(path, 'meta'), 'rb')
+-        stdout, stderr = pr.communicate(input=f.read())
++        (_, stderr) = pr.communicate(input=f.read())
++        stderr = stderr.decode()
+         rc = pr.wait()
+         f.close()
+         if rc != 0:
+@@ -80,7 +83,25 @@ def handler(signum, frame):
+     print('*** Interrupted with signal %d ***' % signum)
+     sys.exit(0)
+ 
++def drop_privs():
++    if os.getuid() == 0:
++        try:
++            ceph_uid = pwd.getpwnam("ceph").pw_uid
++            ceph_gid = grp.getgrnam("ceph").gr_gid
++            os.setgroups([])
++            os.setgid(ceph_gid)
++            os.setuid(ceph_uid)
++        except Exception as e:
++            log.error(f"Unable to drop privileges: {e}")
++            sys.exit(1)
++
++
+ def main():
++
++
++    # run as unprivileged ceph user
++    drop_privs()
++
+     # exit code 0 on SIGINT, SIGTERM
+     signal.signal(signal.SIGINT, handler)
+     signal.signal(signal.SIGTERM, handler)
+@@ -96,7 +117,10 @@ def main():
+ 
+     log.info("monitoring path %s, delay %ds" % (args.path, args.delay * 60.0))
+     while True:
+-        scrape_path(args.path)
++        try:
++            scrape_path(args.path)
++        except Exception as e:
++            log.error(f"Error scraping {args.path}: {e}")
+         if args.delay == 0:
+             sys.exit(0)
+         time.sleep(args.delay * 60)
+-- 
+2.13.0.windows.1
+

ceph.spec

@@ -125,7 +125,7 @@
 #################################################################################
 Name:		ceph
 Version:	16.2.7
-Release:	10
+Release:	11
 %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
 Epoch:		2
 %endif
@@ -152,6 +152,7 @@ Patch6: 0006-ceph-volume-decrease-number-of-pvs-calls-in-lvm-list.patch
 Patch7: 0007-bluestore-use-direct-write-for-bdevlabel.patch
 Patch8: 0008-enable-sw64-architecture.patch
 Patch9: 0009-fix-CVE-2022-0670.patch
+Patch10: 0010-fix-CVE-2022-3650.patch
 %if 0%{?suse_version}
 # _insert_obs_source_lines_here
 ExclusiveArch:  x86_64 aarch64 ppc64le s390x
@@ -2492,6 +2493,9 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 
 %changelog
+* Mon Dec 5 2022 wangzengliang <wangzengliang2@huawei.com> - 2:16.2.7-11
+- fix CVE-2022-3650
+
 * Tue Nov 15 2022 wangzengliang <wangzengliang1@huawei.com> - 2:16.2.7-10
 - keep the ceph.spec align with native community