From 73de9f080ddb5db99aed6b47aa7c1761c049e259 Mon Sep 17 00:00:00 2001 From: lizhipeng Date: Fri, 22 Mar 2024 10:25:01 +0800 Subject: [PATCH] fix CVE-2023-46159 Signed-off-by: lizhipeng (cherry picked from commit a1487363b2c5ab3308d1110e178f7a75b7ce87db) --- 0003-fix-CVE-2023-46159.patch | 51 +++++++++++++++++++++++++++++++++++ ceph.spec | 6 ++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 0003-fix-CVE-2023-46159.patch diff --git a/0003-fix-CVE-2023-46159.patch b/0003-fix-CVE-2023-46159.patch new file mode 100644 index 0000000..d3b94b5 --- /dev/null +++ b/0003-fix-CVE-2023-46159.patch @@ -0,0 +1,51 @@ +From 64803e1ced57d64b758927c3977bb4a4d1769180 Mon Sep 17 00:00:00 2001 +From: Joshua Baergen +Date: Tue, 12 Sep 2023 14:05:01 -0400 +Subject: [PATCH] rgw: Add missing empty checks to the split string in + is_string_in_set(). + +In certain cases, where a user misconfigures a CORS rule, the entirety +of the string can be token characters (or, at least, the string before +and after a given token is all token characters), but != "*". If the +misconfigured string includes "*" we'll try to split the string and we +assume that we can pop the list of string elements when "*" isn't +first/last, but get_str_list() won't return anything for token-only +substrings and thus 'ssplit' will have fewer elements than would be +expected for a correct rule. In the case of an empty list, front() has +undefined behaviour; in our experience, it often results in a huge +allocation attempt because the code tries to copy the string into a +local variable 'sl'. + +An example of this misconfiguration (and thus a reproduction case) is +configuring an origin of " *". + +Signed-off-by: Matt Benjamin +--- + src/rgw/rgw_cors.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc +index e41abf8ccb..bb80e2b58d 100644 +--- a/src/rgw/rgw_cors.cc ++++ b/src/rgw/rgw_cors.cc +@@ -121,6 +121,8 @@ static bool is_string_in_set(set& s, string h) { + + get_str_list((*it), "* \t", ssplit); + if (off != 0) { ++ if (ssplit.empty()) ++ continue; + string sl = ssplit.front(); + flen = sl.length(); + dout(10) << "Finding " << sl << ", in " << h << ", at offset 0" << dendl; +@@ -129,6 +131,8 @@ static bool is_string_in_set(set& s, string h) { + ssplit.pop_front(); + } + if (off != ((*it).length() - 1)) { ++ if (ssplit.empty()) ++ continue; + string sl = ssplit.front(); + dout(10) << "Finding " << sl << ", in " << h + << ", at offset not less than " << flen << dendl; +-- +2.15.0 + diff --git a/ceph.spec b/ceph.spec index 35d7f63..e450a52 100644 --- a/ceph.spec +++ b/ceph.spec @@ -174,7 +174,7 @@ ################################################################################# Name: ceph Version: 18.2.2 -Release: 1 +Release: 2 %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler} Epoch: 2 %endif @@ -194,6 +194,7 @@ Source0: %{?_remote_tarball_prefix}ceph-18.2.2.tar.gz #backport Patch1: 0001-modify-xsimd-source-to-local-and-set-cxx17-for-arrow.patch Patch2: 0002-fix-compilation-with-cython3.patch +Patch3: 0003-fix-CVE-2023-46159.patch %if 0%{?suse_version} # _insert_obs_source_lines_here @@ -2631,6 +2632,9 @@ exit 0 %{_datadir}/snmp/mibs %changelog +* Fri Mar 22 2024 lizhipeng - 2:18.2.2-2 +- fix CVE-2023-46159 + * Tue Mar 12 2024 wangzengliang - 2:18.2.2-1 - upgrade ceph to 18.2.2