fix CVE-2020-25678

Signed-off-by: Zhuohui Zou <zhuohui@xsky.com>
(cherry picked from commit f923d4556ff61072cabfc3f385c73738abe14731)

0006-CVE-2020-25678-1.patch

@@ -0,0 +1,109 @@
+From b23bc377f4781789766f94a830e345daed08f504 Mon Sep 17 00:00:00 2001
+From: Neha Ojha <nojha@redhat.com>
+Date: Thu, 3 Dec 2020 19:18:04 +0000
+Subject: [PATCH 1/2] messages/MMonCommand, MMonCommandAck: don't log values
+ for "config set" and "config-key set"
+
+This acts like a big hammer to avoid adding sensitive information, like passwords
+into mon/mgr/cluster logs when using "config set" and "config-key set" to set keys
+whose values should be secure.
+
+Fixes: https://tracker.ceph.com/issues/37503
+Signed-off-by: Neha Ojha <nojha@redhat.com>
+(cherry picked from commit 3d54660ca1a9a7ae54e884c3181fca17a40d8cd3)
+
+ Conflicts:
+	src/messages/MMonCommand.h - trivial resolution
+	src/messages/MMonCommandAck.h - trivial resolution
+---
+ src/messages/MMonCommand.h    | 23 ++++++++++++++++++++---
+ src/messages/MMonCommandAck.h | 24 +++++++++++++++++++++++-
+ 2 files changed, 43 insertions(+), 4 deletions(-)
+
+diff --git a/src/messages/MMonCommand.h b/src/messages/MMonCommand.h
+index c6764475dc..e0ef5a7355 100644
+--- a/src/messages/MMonCommand.h
++++ b/src/messages/MMonCommand.h
+@@ -15,6 +15,7 @@
+ #ifndef CEPH_MMONCOMMAND_H
+ #define CEPH_MMONCOMMAND_H
+ 
++#include "common/cmdparse.h"
+ #include "messages/PaxosServiceMessage.h"
+ 
+ #include <vector>
+@@ -37,10 +38,26 @@ private:
+ public:  
+   const char *get_type_name() const override { return "mon_command"; }
+   void print(ostream& o) const override {
++    cmdmap_t cmdmap;
++    stringstream ss;
++    string prefix;
++    cmdmap_from_json(cmd, &cmdmap, ss);
++    cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++    // Some config values contain sensitive data, so don't log them
+     o << "mon_command(";
+-    for (unsigned i=0; i<cmd.size(); i++) {
+-      if (i) o << ' ';
+-      o << cmd[i];
++    if (prefix == "config set") {
++      string name;
++      cmd_getval(g_ceph_context, cmdmap, "name", name);
++      o << "[{prefix=" << prefix << ", name=" << name << "}]";
++    } else if (prefix == "config-key set") {
++      string key;
++      cmd_getval(g_ceph_context, cmdmap, "key", key);
++      o << "[{prefix=" << prefix << ", key=" << key << "}]";
++    } else {
++      for (unsigned i=0; i<cmd.size(); i++) {
++        if (i) o << ' ';
++        o << cmd[i];
++      }
+     }
+     o << " v " << version << ")";
+   }
+diff --git a/src/messages/MMonCommandAck.h b/src/messages/MMonCommandAck.h
+index 2c07b5fe72..4622c06443 100644
+--- a/src/messages/MMonCommandAck.h
++++ b/src/messages/MMonCommandAck.h
+@@ -15,6 +15,7 @@
+ #ifndef CEPH_MMONCOMMANDACK_H
+ #define CEPH_MMONCOMMANDACK_H
+ 
++#include "common/cmdparse.h"
+ #include "messages/PaxosServiceMessage.h"
+ 
+ class MMonCommandAck : public PaxosServiceMessage {
+@@ -33,7 +34,28 @@ private:
+ public:
+   const char *get_type_name() const override { return "mon_command"; }
+   void print(ostream& o) const override {
+-    o << "mon_command_ack(" << cmd << "=" << r << " " << rs << " v" << version << ")";
++    cmdmap_t cmdmap;
++    stringstream ss;
++    string prefix;
++    cmdmap_from_json(cmd, &cmdmap, ss);
++    cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++    // Some config values contain sensitive data, so don't log them
++    o << "mon_command_ack(";
++    if (prefix == "config set") {
++      string name;
++      cmd_getval(g_ceph_context, cmdmap, "name", name);
++      o << "[{prefix=" << prefix
++        << ", name=" << name << "}]"
++        << "=" << r << " " << rs << " v" << version << ")";
++    } else if (prefix == "config-key set") {
++      string key;
++      cmd_getval(g_ceph_context, cmdmap, "key", key);
++      o << "[{prefix=" << prefix << ", key=" << key << "}]"
++        << "=" << r << " " << rs << " v" << version << ")";
++    } else {
++      o << cmd;
++    }
++    o << "=" << r << " " << rs << " v" << version << ")";
+   }
+   
+   void encode_payload(uint64_t features) override {
+-- 
+2.29.2
+

0007-CVE-2020-25678-2.patch

@@ -0,0 +1,76 @@
+From 5267f57c24ffc7bd43de66a92b08dd958887f6a0 Mon Sep 17 00:00:00 2001
+From: Neha Ojha <nojha@redhat.com>
+Date: Thu, 3 Dec 2020 19:24:39 +0000
+Subject: [PATCH 2/2] mon: don't log "config set" and "config-key set" dispatch
+ and finished messages
+
+Signed-off-by: Neha Ojha <nojha@redhat.com>
+(cherry picked from commit 4b83dfb1f74e8a59c802ff3c0eb4595f7e763762)
+---
+ src/mon/Monitor.cc | 18 ++++++++++--------
+ src/mon/Monitor.h  |  9 ++++++++-
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
+index da1fac90ed..f6c9a1bd8b 100644
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -3170,18 +3170,20 @@ void Monitor::handle_command(MonOpRequestRef op)
+   if (!_allowed_command(session, service, prefix, cmdmap,
+                         param_str_map, mon_cmd)) {
+     dout(1) << __func__ << " access denied" << dendl;
+-    (cmd_is_rw ? audit_clog->info() : audit_clog->debug())
+-      << "from='" << session->inst << "' "
+-      << "entity='" << session->entity_name << "' "
+-      << "cmd=" << m->cmd << ":  access denied";
++    if (prefix != "config set" && prefix != "config-key set")
++      (cmd_is_rw ? audit_clog->info() : audit_clog->debug())
++        << "from='" << session->inst << "' "
++        << "entity='" << session->entity_name << "' "
++        << "cmd=" << m->cmd << ":  access denied";
+     reply_command(op, -EACCES, "access denied", 0);
+     return;
+   }
+ 
+-  (cmd_is_rw ? audit_clog->info() : audit_clog->debug())
+-    << "from='" << session->inst << "' "
+-    << "entity='" << session->entity_name << "' "
+-    << "cmd=" << m->cmd << ": dispatch";
++  if (prefix != "config set" && prefix != "config-key set")
++    (cmd_is_rw ? audit_clog->info() : audit_clog->debug())
++      << "from='" << session->inst << "' "
++      << "entity='" << session->entity_name << "' "
++      << "cmd=" << m->cmd << ": dispatch";
+ 
+   if (mon_cmd->is_mgr() &&
+       osdmon()->osdmap.require_osd_release >= CEPH_RELEASE_LUMINOUS) {
+diff --git a/src/mon/Monitor.h b/src/mon/Monitor.h
+index 008947e85b..e8f712e984 100644
+--- a/src/mon/Monitor.h
++++ b/src/mon/Monitor.h
+@@ -40,6 +40,7 @@
+ #include "PGStatService.h"
+ #include "MonCommand.h"
+ 
++#include "common/cmdparse.h"
+ #include "common/LogClient.h"
+ #include "auth/cephx/CephxKeyServer.h"
+ #include "auth/AuthMethodList.h"
+@@ -860,7 +861,13 @@ public:
+             ss << "session dropped for command ";
+           }
+         }
+-        ss << "cmd='" << m->cmd << "': finished";
++        cmdmap_t cmdmap;
++        stringstream ds;
++        string prefix;
++        cmdmap_from_json(m->cmd, &cmdmap, ds);
++        cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++        if (prefix != "config set" && prefix != "config-key set")
++          ss << "cmd='" << m->cmd << "': finished";
+ 
+         mon->audit_clog->info() << ss.str();
+ 	mon->reply_command(op, rc, rs, rdata, version);
+-- 
+2.29.2
+

ceph.spec

@@ -68,7 +68,7 @@
 #################################################################################
 Name:		ceph
 Version:	12.2.8
-Release:	10
+Release:	12
 Epoch:		2
 
 # define _epoch_prefix macro which will expand to the empty string if epoch is
@@ -89,6 +89,8 @@ Patch2:	0002-CVE-2018-16846-1.patch
 Patch3:	0003-CVE-2018-16846-2.patch
 Patch4: 0004-CVE-2018-14662.patch
 Patch5: 0005-CVE-2020-12059.patch
+Patch6: 0006-CVE-2020-25678-1.patch
+Patch7: 0007-CVE-2020-25678-2.patch
 
 %if 0%{?suse_version}
 %if 0%{?is_opensuse}
@@ -1797,6 +1799,12 @@ exit 0
 
 
 %changelog
+* Wed Mar 10 2021 Zhuohui Zou <zhuohui@xsky.com> - 1:12.2.8-12
+- fix CVE-2020-25678
+
+* Thu Mar 4 2021 Shaoning Zhang <zhangshaoning@uniontech.com> - 1:12.2.8-11
+- correct ceph-mgr requires python2-jinja2 and python2-werkzeug
+
 * Wed Jan 27 2021 Zhiqiang Liu <liuzhiqiang26@huawei.com> - 1:12.2.8-10
 - correct ceph-common requires python2-prettytable version.