!55 [sync] PR-50: fix CVE-2020-10753 CVE-2021-3524 CVE-2020-1760

From: @openeuler-sync-bot
Reviewed-by: @chixinze
Signed-off-by: @chixinze

0016-CVE-2020-10753-1.patch

@@ -0,0 +1,47 @@
+From 46817f30cee60bc5df8354ab326762e7c783fe2c Mon Sep 17 00:00:00 2001
+From: Casey Bodley <cbodley@redhat.com>
+Date: Tue, 26 May 2020 15:03:03 -0400
+Subject: [PATCH] rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader
+
+the values in the <ExposeHeader> element are sent back to clients in a
+Access-Control-Expose-Headers response header. if the values are allowed
+to have newlines in them, they can be used to inject arbitrary response
+headers
+
+this issue only affects s3, which gets these values from an xml document
+
+in swift, they're given in the request header
+X-Container-Meta-Access-Control-Expose-Headers, so the value itself
+cannot contain newlines
+
+Signed-off-by: Casey Bodley <cbodley@redhat.com>
+Reported-by: Adam Mohammed <amohammed@linode.com>
+---
+ src/rgw/rgw_cors.cc | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
+index 07dbab5d3e2..0b3e4f39455 100644
+--- a/src/rgw/rgw_cors.cc
++++ b/src/rgw/rgw_cors.cc
+@@ -144,11 +144,12 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {
+ 
+ void RGWCORSRule::format_exp_headers(string& s) {
+   s = "";
+-  for(list<string>::iterator it = exposable_hdrs.begin();
+-      it != exposable_hdrs.end(); ++it) {
+-      if (s.length() > 0)
+-        s.append(",");
+-      s.append((*it));
++  for (const auto& header : exposable_hdrs) {
++    if (s.length() > 0)
++      s.append(",");
++    // these values are sent to clients in a 'Access-Control-Expose-Headers'
++    // response header, so we escape '\n' to avoid header injection
++    boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
+   }
+ }
+ 
+-- 
+2.23.0
+

0017-CVE-2021-3524-1.patch

@@ -0,0 +1,36 @@
+From 763aebb94678018f89427137ffbc0c5205b1edc1 Mon Sep 17 00:00:00 2001
+From: Casey Bodley <cbodley@redhat.com>
+Date: Tue, 4 May 2021 08:32:58 -0400
+Subject: [PATCH] rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader
+
+follows up on 1524d3c0c5cb11775313ea1e2bb36a93257947f2 to escape \r as
+well
+
+Fixes: CVE-2021-3524
+
+Reported-by: Sergey Bobrov <Sergey.Bobrov@kaspersky.com>
+Signed-off-by: Casey Bodley <cbodley@redhat.com>
+(cherry picked from commit 87806f48e7a1b8891eb90711f1cedd26f1119aac)
+---
+ src/rgw/rgw_cors.cc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
+index 0b3e4f39455..bfe83d6420e 100644
+--- a/src/rgw/rgw_cors.cc
++++ b/src/rgw/rgw_cors.cc
+@@ -148,8 +148,9 @@ void RGWCORSRule::format_exp_headers(string& s) {
+     if (s.length() > 0)
+       s.append(",");
+     // these values are sent to clients in a 'Access-Control-Expose-Headers'
+-    // response header, so we escape '\n' to avoid header injection
+-    boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
++    // response header, so we escape '\n' and '\r' to avoid header injection
++    std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
++    boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
+   }
+ }
+ 
+-- 
+2.23.0
+

0018-CVE-2020-1760-1.patch

@@ -0,0 +1,31 @@
+From ba0790a01ba5252db1ebc299db6e12cd758d0ff9 Mon Sep 17 00:00:00 2001
+From: Matt Benjamin <mbenjamin@redhat.com>
+Date: Fri, 27 Mar 2020 18:13:48 +0100
+Subject: [PATCH] rgw: reject unauthenticated response-header actions
+
+Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>
+Reviewed-by: Casey Bodley <cbodley@redhat.com>
+(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)
+---
+ src/rgw/rgw_rest_s3.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+index b0e36dec5d8..5dc6a562051 100644
+--- a/src/rgw/rgw_rest_s3.cc
++++ b/src/rgw/rgw_rest_s3.cc
+@@ -266,6 +266,11 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
+       bool exists;
+       string val = s->info.args.get(p->param, &exists);
+       if (exists) {
++	/* reject unauthenticated response header manipulation, see
++	 * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */
++	if (s->auth.identity->is_anonymous()) {
++	  return -EPERM;
++	}
+ 	if (strcmp(p->param, "response-content-type") != 0) {
+ 	  response_attrs[p->http_attr] = val;
+ 	} else {
+-- 
+2.23.0
+

0019-CVE-2020-1760-2.patch

@@ -0,0 +1,28 @@
+From 607a65fccd8a80c2f2c74853a6dc5c14ed8a75c1 Mon Sep 17 00:00:00 2001
+From: Abhishek Lekshmanan <abhishek@suse.com>
+Date: Fri, 27 Mar 2020 19:29:01 +0100
+Subject: [PATCH] rgw: EPERM to ERR_INVALID_REQUEST
+
+As per Robin's comments and S3 spec
+
+Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
+---
+ src/rgw/rgw_rest_s3.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+index 5dc6a562051..dc49caae18d 100644
+--- a/src/rgw/rgw_rest_s3.cc
++++ b/src/rgw/rgw_rest_s3.cc
+@@ -269,7 +269,7 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
+ 	/* reject unauthenticated response header manipulation, see
+ 	 * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */
+ 	if (s->auth.identity->is_anonymous()) {
+-	  return -EPERM;
++	  return -ERR_INVALID_REQUEST;
+ 	}
+ 	if (strcmp(p->param, "response-content-type") != 0) {
+ 	  response_attrs[p->http_attr] = val;
+-- 
+2.23.0
+

0020-CVE-2020-1760-3.patch

@@ -0,0 +1,59 @@
+From 9ca5b3628245e2878426602bb24f1a4e45edc850 Mon Sep 17 00:00:00 2001
+From: "Robin H. Johnson" <rjohnson@digitalocean.com>
+Date: Fri, 27 Mar 2020 20:48:13 +0100
+Subject: [PATCH] rgw: reject control characters in response-header actions
+
+S3 GetObject permits overriding response header values, but those inputs
+need to be validated to insure only characters that are valid in an HTTP
+header value are present.
+
+Credit: Initial vulnerability discovery by William Bowling (@wcbowling)
+Credit: Further vulnerability discovery by Robin H. Johnson <rjohnson@digitalocean.com>
+Signed-off-by: Robin H. Johnson <rjohnson@digitalocean.com>
+---
+ src/rgw/rgw_rest_s3.cc | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+index dc49caae18d..459dd1dc715 100644
+--- a/src/rgw/rgw_rest_s3.cc
++++ b/src/rgw/rgw_rest_s3.cc
+@@ -167,6 +167,15 @@ int decode_attr_bl_single_value(map<string, bufferlist>& attrs, const char *attr
+   return 0;
+ }
+ 
++inline bool str_has_cntrl(const std::string s) {
++  return std::any_of(s.begin(), s.end(), ::iscntrl);
++}
++
++inline bool str_has_cntrl(const char* s) {
++  std::string _s(s);
++  return str_has_cntrl(_s);
++}
++
+ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
+ 					      off_t bl_len)
+ {
+@@ -271,6 +280,19 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
+ 	if (s->auth.identity->is_anonymous()) {
+ 	  return -ERR_INVALID_REQUEST;
+ 	}
++        /* HTTP specification says no control characters should be present in
++         * header values: https://tools.ietf.org/html/rfc7230#section-3.2
++         *      field-vchar    = VCHAR / obs-text
++         *
++         * Failure to validate this permits a CRLF injection in HTTP headers,
++         * whereas S3 GetObject only permits specific headers.
++         */
++        if(str_has_cntrl(val)) {
++          /* TODO: return a more distinct error in future;
++           * stating what the problem is */
++          return -ERR_INVALID_REQUEST;
++        }
++
+ 	if (strcmp(p->param, "response-content-type") != 0) {
+ 	  response_attrs[p->http_attr] = val;
+ 	} else {
+-- 
+2.23.0
+

ceph.spec

@@ -68,7 +68,7 @@
 #################################################################################
 Name:		ceph
 Version:	12.2.8
-Release:	13
+Release:	14
 Epoch:		2
 
 # define _epoch_prefix macro which will expand to the empty string if epoch is
@@ -99,6 +99,11 @@ Patch12: 0012-CVE-2020-27781-2.patch
 Patch13: 0013-CVE-2020-27781-3.patch
 Patch14: 0014-CVE-2020-27781-4.patch
 Patch15: 0015-CVE-2020-27781-5.patch
+Patch16: 0016-CVE-2020-10753-1.patch
+Patch17: 0017-CVE-2021-3524-1.patch
+Patch18: 0018-CVE-2020-1760-1.patch
+Patch19: 0019-CVE-2020-1760-2.patch
+Patch20: 0020-CVE-2020-1760-3.patch
 
 %if 0%{?suse_version}
 %if 0%{?is_opensuse}
@@ -1807,6 +1812,11 @@ exit 0
 
 
 %changelog
+* Mon Jul 26 2021 chixinze <xmdxcxz@gmail.com> - 1:12.2.8-14
+- fix CVE-2020-10753
+- fix CVE-2021-3524
+- fix CVE-2020-1760
+
 * Sun Jul 18 2021 chixinze <xmdxcxz@gmail.com> - 1:12.2.8-13
 - fix CVE-2020-27781
 - ceph-volume-client: allow atomic updates for RADOS objects