fix CVE-2021-28235
This commit is contained in:
bwzhang
parent
d0bf8d83a6
commit
6565b905da
@ -46,7 +46,7 @@ index 1fa8e4e..dee5c20 100644
|
||||
+ return nil, rev
|
||||
+}
|
||||
+
|
||||
+func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
|
||||
+func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
|
||||
if s.Leader() == s.ID() {
|
||||
// primary; timetolive directly from leader
|
||||
le := s.lessor.Lookup(lease.LeaseID(r.ID))
|
||||
|
||||
131
0009-fix-CVE-2021-28235.patch
Normal file
131
0009-fix-CVE-2021-28235.patch
Normal file
@ -0,0 +1,131 @@
|
||||
From 3b6de877f048f3875b48f36a66d10a7156106236 Mon Sep 17 00:00:00 2001
|
||||
From: bwzhang <zhangbowei@kylinos.cn>
|
||||
Date: Wed, 24 Apr 2024 09:28:16 +0800
|
||||
Subject: [PATCH] fix CVE-2021-28235
|
||||
|
||||
---
|
||||
etcdserver/v3_server.go | 7 ++++
|
||||
tests/e2e/ctl_v3_auth_security_test.go | 57 ++++++++++++++++++++++++++
|
||||
tests/e2e/ctl_v3_test.go | 6 +++
|
||||
tests/e2e/util.go | 9 ++++
|
||||
4 files changed, 79 insertions(+)
|
||||
create mode 100644 tests/e2e/ctl_v3_auth_security_test.go
|
||||
|
||||
diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
|
||||
index dee5c20..6ef9e61 100644
|
||||
--- a/etcdserver/v3_server.go
|
||||
+++ b/etcdserver/v3_server.go
|
||||
@@ -431,6 +431,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
|
||||
|
||||
lg := s.getLogger()
|
||||
|
||||
+ // fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
|
||||
+ defer func() {
|
||||
+ if r != nil {
|
||||
+ r.Password = ""
|
||||
+ }
|
||||
+ }()
|
||||
+
|
||||
var resp proto.Message
|
||||
for {
|
||||
checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)
|
||||
diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go
|
||||
new file mode 100644
|
||||
index 0000000..754fa4b
|
||||
--- /dev/null
|
||||
+++ b/tests/e2e/ctl_v3_auth_security_test.go
|
||||
@@ -0,0 +1,57 @@
|
||||
+// Copyright 2023 The etcd Authors
|
||||
+//
|
||||
+// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
+// you may not use this file except in compliance with the License.
|
||||
+// You may obtain a copy of the License at
|
||||
+//
|
||||
+// http://www.apache.org/licenses/LICENSE-2.0
|
||||
+//
|
||||
+// Unless required by applicable law or agreed to in writing, software
|
||||
+// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
+// See the License for the specific language governing permissions and
|
||||
+// limitations under the License.
|
||||
+
|
||||
+//go:build !cluster_proxy
|
||||
+
|
||||
+package e2e
|
||||
+
|
||||
+import (
|
||||
+ "strings"
|
||||
+ "testing"
|
||||
+
|
||||
+ "github.com/stretchr/testify/require"
|
||||
+
|
||||
+ "go.etcd.io/etcd/tests/v3/framework/e2e"
|
||||
+)
|
||||
+
|
||||
+// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
|
||||
+func TestAuth_CVE_2021_28235(t *testing.T) {
|
||||
+ testCtl(t, authTest_CVE_2021_28235, withCfg(*e2e.NewConfigNoTLS()), withLogLevel("debug"))
|
||||
+}
|
||||
+
|
||||
+func authTest_CVE_2021_28235(cx ctlCtx) {
|
||||
+ // create root user with root role
|
||||
+ rootPass := "changeme123"
|
||||
+ err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass})
|
||||
+ require.NoError(cx.t, err)
|
||||
+ err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil)
|
||||
+ require.NoError(cx.t, err)
|
||||
+ err = ctlV3AuthEnable(cx)
|
||||
+ require.NoError(cx.t, err)
|
||||
+
|
||||
+ // issue a put request
|
||||
+ cx.user, cx.pass = "root", rootPass
|
||||
+ err = ctlV3Put(cx, "foo", "bar", "")
|
||||
+ require.NoError(cx.t, err)
|
||||
+
|
||||
+ // GET /debug/requests
|
||||
+ httpEndpoint := cx.epc.Procs[0].EndpointsHTTP()[0]
|
||||
+ req := e2e.CURLReq{Endpoint: "/debug/requests?fam=grpc.Recv.etcdserverpb.Auth&b=0&exp=1", Timeout: 5}
|
||||
+ respData, err := curl(httpEndpoint, "GET", req, e2e.ClientNonTLS)
|
||||
+ require.NoError(cx.t, err)
|
||||
+
|
||||
+ if strings.Contains(respData, rootPass) {
|
||||
+ cx.t.Errorf("The root password is included in the request.\n %s", respData)
|
||||
+ }
|
||||
+}
|
||||
diff --git a/tests/e2e/ctl_v3_test.go b/tests/e2e/ctl_v3_test.go
|
||||
index 04f5a65..74b1838 100644
|
||||
--- a/tests/e2e/ctl_v3_test.go
|
||||
+++ b/tests/e2e/ctl_v3_test.go
|
||||
@@ -130,6 +130,12 @@ func withFlagByEnv() ctlOption {
|
||||
return func(cx *ctlCtx) { cx.envMap = make(map[string]struct{}) }
|
||||
}
|
||||
|
||||
+func withLogLevel(logLevel string) ctlOption {
|
||||
+ return func(cx *ctlCtx) {
|
||||
+ cx.cfg.LogLevel = logLevel
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) {
|
||||
defer testutil.AfterTest(t)
|
||||
|
||||
diff --git a/tests/e2e/util.go b/tests/e2e/util.go
|
||||
index ce7289a..3b772c0 100644
|
||||
--- a/tests/e2e/util.go
|
||||
+++ b/tests/e2e/util.go
|
||||
@@ -108,3 +108,12 @@ func closeWithTimeout(p *expect.ExpectProcess, d time.Duration) error {
|
||||
func toTLS(s string) string {
|
||||
return strings.Replace(s, "http://", "https://", 1)
|
||||
}
|
||||
+
|
||||
+func curl(endpoint string, method string, curlReq e2e.CURLReq, connType e2e.ClientConnType) (string, error) {
|
||||
+ args := e2e.CURLPrefixArgs(endpoint, e2e.ClientConfig{ConnectionType: connType}, false, method, curlReq)
|
||||
+ lines, err := e2e.RunUtilCompletion(args, nil)
|
||||
+ if err != nil {
|
||||
+ return "", err
|
||||
+ }
|
||||
+ return strings.Join(lines, "\n"), nil
|
||||
+}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
11
etcd.spec
11
etcd.spec
@ -31,7 +31,7 @@ system.}
|
||||
%global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/*
|
||||
|
||||
Name: etcd
|
||||
Release: 11
|
||||
Release: 12
|
||||
Summary: Distributed reliable key-value store for the most critical data of a distributed system
|
||||
|
||||
# Upstream license specification: Apache-2.0
|
||||
@ -52,6 +52,7 @@ Patch5: 0005-fix-CVE-2022-41723.patch
|
||||
Patch6: 0006-fix-CVE-2023-39325.patch
|
||||
Patch7: 0007-fix-CVE-2022-34038.patch
|
||||
Patch8: 0008-fix-CVE-2023-32082.patch
|
||||
Patch9: 0009-fix-CVE-2021-28235.patch
|
||||
|
||||
BuildRequires: golang
|
||||
BuildRequires: python3-devel
|
||||
@ -73,6 +74,8 @@ Requires(pre): shadow-utils
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%ifarch sw_64
|
||||
%patch3 -p1
|
||||
%endif
|
||||
@ -161,6 +164,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Apr 24 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-12
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2021-28235
|
||||
|
||||
* Tue Apr 23 2024 laokz <zhangkai@iscas.ac.cn> - 3.4.14-11
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user