packages/ceph
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!247 fix CVE-2023-46159

Browse Source 
From: @qiuxinyidian 
Reviewed-by: @rosinL, @liuqinfei 
Signed-off-by: @rosinL
This commit is contained in:
openeuler-ci-bot 2024-04-30 00:56:04 +00:00 committed by Gitee
commit d28e69236d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
0028-fix-CVE-2023-46159.patch Normal file
View File

@ -0,0 +1,51 @@
From 64803e1ced57d64b758927c3977bb4a4d1769180 Mon Sep 17 00:00:00 2001
From: Joshua Baergen <jbaergen@digitalocean.com>
Date: Tue, 12 Sep 2023 14:05:01 -0400
Subject: [PATCH] rgw: Add missing empty checks to the split string in
is_string_in_set().
In certain cases, where a user misconfigures a CORS rule, the entirety
of the string can be token characters (or, at least, the string before
and after a given token is all token characters), but != "*". If the
misconfigured string includes "*" we'll try to split the string and we
assume that we can pop the list of string elements when "*" isn't
first/last, but get_str_list() won't return anything for token-only
substrings and thus 'ssplit' will have fewer elements than would be
expected for a correct rule. In the case of an empty list, front() has
undefined behaviour; in our experience, it often results in a huge
allocation attempt because the code tries to copy the string into a
local variable 'sl'.
An example of this misconfiguration (and thus a reproduction case) is
configuring an origin of " *".
Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>
---
src/rgw/rgw_cors.cc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index e41abf8ccb..bb80e2b58d 100644
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -94,6 +94,8 @@ static bool is_string_in_set(set<string>& s, string h) {
get_str_list((*it), "* \t", ssplit);
if (off != 0) {
+ if (ssplit.empty())
+ continue;
string sl = ssplit.front();
flen = sl.length();
dout(10) << "Finding " << sl << ", in " << h << ", at offset 0" << dendl;
@@ -102,6 +104,8 @@ static bool is_string_in_set(set<string>& s, string h) {
ssplit.pop_front();
}
if (off != ((*it).length() - 1)) {
+ if (ssplit.empty())
+ continue;
string sl = ssplit.front();
dout(10) << "Finding " << sl << ", in " << h
<< ", at offset not less than " << flen << dendl;
--
2.15.0

6
ceph.spec
View File

@ -68,7 +68,7 @@
################################################################################# #################################################################################
Name: ceph Name: ceph
Version: 12.2.8 Version: 12.2.8
Release: 24 Release: 25
Epoch: 2 Epoch: 2
# define _epoch_prefix macro which will expand to the empty string if epoch is # define _epoch_prefix macro which will expand to the empty string if epoch is
@ -111,6 +111,7 @@ Patch24: 0024-CVE-2021-3979.patch
Patch25: 0025-fix-rgw-ldap-safe_read_file-can-return-0.patch Patch25: 0025-fix-rgw-ldap-safe_read_file-can-return-0.patch
Patch26: 0026-CVE-2021-20288.patch Patch26: 0026-CVE-2021-20288.patch
Patch27: 0027-fix-CVE-2023-43040.patch Patch27: 0027-fix-CVE-2023-43040.patch
Patch28: 0028-fix-CVE-2023-46159.patch
Requires: glibc >= 2.28-66 Requires: glibc >= 2.28-66
@ -1859,6 +1860,9 @@ exit 0
%changelog %changelog
* Fri Mar 22 2024 lizhipeng <qiuxinyidian@gmail.com> - 2:12.2.8-25
- fix CVE-2023-46159
* Sat Nov 25 2023 wangzengliang <wangzengliang2@huawei.com> - 2:12.2.8-24 * Sat Nov 25 2023 wangzengliang <wangzengliang2@huawei.com> - 2:12.2.8-24
- fix * recognition error when install - fix * recognition error when install