backport fix cve-2023-32082 and cve-2021-28235

2025-02-17 15:33:41 +08:00 · 2025-02-17 15:33:41 +08:00 · 00f4e6f591
commit 00f4e6f591
parent 7598b43eb1
3 changed files with 312 additions and 2 deletions
--- a/0007-backport-fix-CVE-2023-32082.patch
+++ b/0007-backport-fix-CVE-2023-32082.patch
@ -0,0 +1,160 @@
+From a813426b143c11dcda7fc8402bf66fee7b348470 Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Mon, 17 Feb 2025 13:44:51 +0800
+Subject: [PATCH] backport fix cve-2023-32082
+
+---
+ etcdserver/v3_server.go        | 51 +++++++++++++++++++++++++++++++++-
+ tests/e2e/ctl_v3_auth_test.go  | 49 ++++++++++++++++++++++++++++++++
+ tests/e2e/ctl_v3_lease_test.go |  9 ++++++
+ 3 files changed, 108 insertions(+), 1 deletion(-)
+
+diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
+index 1fa8e4e..93b2bc1 100644
+--- a/etcdserver/v3_server.go
+++ b/etcdserver/v3_server.go
+@@ -298,7 +298,32 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
+ 	return -1, ErrCanceled
+ }
+ 
+-func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
+func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (error, uint64) {
+	rev := s.AuthStore().Revision()
+	if !s.AuthStore().IsAuthEnabled() {
+		return nil, rev
+	}
+	authInfo, err := s.AuthInfoFromCtx(ctx)
+	if err != nil {
+		return err, rev
+	}
+	if authInfo == nil {
+		return auth.ErrUserEmpty, rev
+	}
+
+	l := s.lessor.Lookup(leaseID)
+	if l != nil {
+		for _, key := range l.Keys() {
+			if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
+				return err, 0
+			}
+		}
+	}
+
+	return nil, rev
+}
+
+func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
+ 	if s.Leader() == s.ID() {
+ 		// primary; timetolive directly from leader
+ 		le := s.lessor.Lookup(lease.LeaseID(r.ID))
+@@ -345,6 +370,30 @@ func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR
+ 	return nil, ErrCanceled
+ }
+ 
+func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
+	var rev uint64
+	var err error
+	if r.Keys {
+		// check RBAC permission only if Keys is true
+		err, rev = s.checkLeaseTimeToLive(ctx, lease.LeaseID(r.ID))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	resp, err := s.leaseTimeToLive(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+
+	if r.Keys {
+		if s.AuthStore().IsAuthEnabled() && rev != s.AuthStore().Revision() {
+			return nil, auth.ErrAuthOldRevision
+		}
+	}
+	return resp, nil
+}
+
+ func (s *EtcdServer) LeaseLeases(ctx context.Context, r *pb.LeaseLeasesRequest) (*pb.LeaseLeasesResponse, error) {
+ 	ls := s.lessor.Leases()
+ 	lss := make([]*pb.LeaseStatus, len(ls))
+diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go
+index 2142394..728eafa 100644
+--- a/tests/e2e/ctl_v3_auth_test.go
+++ b/tests/e2e/ctl_v3_auth_test.go
+@@ -69,6 +69,55 @@ func TestCtlV3AuthJWTExpire(t *testing.T) { testCtl(t, authTestJWTExpire, withCf
+ func TestCtlV3AuthCertCNAndUsernameNoPassword(t *testing.T) {
+ 	testCtl(t, authTestCertCNAndUsernameNoPassword, withCfg(configClientTLSCertAuth))
+ }
+func TestCtlV3AuthLeaseTimeToLive(t *testing.T)     { testCtl(t, authTestLeaseTimeToLive) }
+
+func authTestLeaseTimeToLive(cx ctlCtx) {
+	if err := authEnable(cx); err != nil {
+		cx.t.Fatal(err)
+	}
+	cx.user, cx.pass = "root", "root"
+
+	authSetupTestUser(cx)
+
+	cx.user = "test-user"
+	cx.pass = "pass"
+
+	leaseID, err := ctlV3LeaseGrant(cx, 10)
+	if err != nil {
+		cx.t.Fatal(err)
+	}
+
+	err = ctlV3Put(cx, "foo", "val", leaseID)
+	if err != nil {
+		cx.t.Fatal(err)
+	}
+
+	err = ctlV3LeaseTimeToLive(cx, leaseID, true)
+	if err != nil {
+		cx.t.Fatal(err)
+	}
+
+	cx.user = "root"
+	cx.pass = "root"
+	err = ctlV3Put(cx, "bar", "val", leaseID)
+	if err != nil {
+		cx.t.Fatal(err)
+	}
+
+	cx.user = "test-user"
+	cx.pass = "pass"
+	// the lease is attached to bar, which test-user cannot access
+	err = ctlV3LeaseTimeToLive(cx, leaseID, true)
+	if err == nil {
+		cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar")
+	}
+
+	// without --keys, access should be allowed
+	err = ctlV3LeaseTimeToLive(cx, leaseID, false)
+	if err != nil {
+		cx.t.Fatal(err)
+	}
+}
+ 
+ func authEnableTest(cx ctlCtx) {
+ 	if err := authEnable(cx); err != nil {
+diff --git a/tests/e2e/ctl_v3_lease_test.go b/tests/e2e/ctl_v3_lease_test.go
+index 608b8ca..f90b1a5 100644
+--- a/tests/e2e/ctl_v3_lease_test.go
+++ b/tests/e2e/ctl_v3_lease_test.go
+@@ -294,3 +294,12 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error {
+ 	cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID)
+ 	return spawnWithExpect(cmdArgs, fmt.Sprintf("lease %s revoked", leaseID))
+ }
+
+func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error {
+	cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID)
+	if withKeys {
+		cmdArgs = append(cmdArgs, "--keys")
+	}
+	return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s granted with", leaseID))
+}
+
+-- 
+2.46.0
+
--- a/0008-backport-fix-CVE-2021-28235.patch
+++ b/0008-backport-fix-CVE-2021-28235.patch
@ -0,0 +1,141 @@
+From 5608bf772250843426cc2fa357fac0a55316ad37 Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Mon, 17 Feb 2025 14:46:45 +0800
+Subject: [PATCH] backport fix cve-2021-28235
+
+---
+ etcdserver/v3_server.go                |  7 ++++
+ tests/e2e/ctl_v3_auth_security_test.go | 58 ++++++++++++++++++++++++++
+ tests/e2e/ctl_v3_test.go               |  6 +++
+ tests/e2e/util.go                      | 11 +++++
+ 4 files changed, 82 insertions(+)
+ create mode 100644 tests/e2e/ctl_v3_auth_security_test.go
+
+diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
+index 93b2bc1..8d8bd9c 100644
+--- a/etcdserver/v3_server.go
+++ b/etcdserver/v3_server.go
+@@ -453,6 +453,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
+ 	}
+ 
+ 	lg := s.getLogger()
+	
+	// fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
+	defer func() {
+		if r != nil {
+			r.Password = ""
+		}
+	}()
+ 
+ 	var resp proto.Message
+ 	for {
+diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go
+new file mode 100644
+index 0000000..b63a15f
+--- /dev/null
+++ b/tests/e2e/ctl_v3_auth_security_test.go
+@@ -0,0 +1,58 @@
+// Copyright 2023 The etcd Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !cluster_proxy
+
+package e2e
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"go.etcd.io/etcd/tests/v3/framework/e2e"
+)
+
+// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
+func TestAuth_CVE_2021_28235(t *testing.T) {
+	testCtl(t, authTest_CVE_2021_28235, withCfg(*e2e.NewConfigNoTLS()), withLogLevel("debug"))
+}
+
+func authTest_CVE_2021_28235(cx ctlCtx) {
+	// create root user with root role
+	rootPass := "changeme123"
+	err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass})
+	require.NoError(cx.t, err)
+	err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil)
+	require.NoError(cx.t, err)
+	err = ctlV3AuthEnable(cx)
+	require.NoError(cx.t, err)
+
+	// issue a put request
+	cx.user, cx.pass = "root", rootPass
+	err = ctlV3Put(cx, "foo", "bar", "")
+	require.NoError(cx.t, err)
+
+	// GET /debug/requests
+	httpEndpoint := cx.epc.Procs[0].EndpointsHTTP()[0]
+	req := e2e.CURLReq{Endpoint: "/debug/requests?fam=grpc.Recv.etcdserverpb.Auth&b=0&exp=1", Timeout: 5}
+	respData, err := curl(httpEndpoint, "GET", req, e2e.ClientNonTLS)
+	require.NoError(cx.t, err)
+
+	if strings.Contains(respData, rootPass) {
+		cx.t.Errorf("The root password is included in the request.\n %s", respData)
+	}
+}
+
+diff --git a/tests/e2e/ctl_v3_test.go b/tests/e2e/ctl_v3_test.go
+index 04f5a65..74b1838 100644
+--- a/tests/e2e/ctl_v3_test.go
+++ b/tests/e2e/ctl_v3_test.go
+@@ -130,6 +130,12 @@ func withFlagByEnv() ctlOption {
+ 	return func(cx *ctlCtx) { cx.envMap = make(map[string]struct{}) }
+ }
+ 
+func withLogLevel(logLevel string) ctlOption {
+	return func(cx *ctlCtx) {
+		cx.cfg.LogLevel = logLevel
+	}
+}
+
+ func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) {
+ 	defer testutil.AfterTest(t)
+ 
+diff --git a/tests/e2e/util.go b/tests/e2e/util.go
+index ce7289a..0e41225 100644
+--- a/tests/e2e/util.go
+++ b/tests/e2e/util.go
+@@ -17,6 +17,7 @@ package e2e
+ import (
+ 	"encoding/json"
+ 	"fmt"
+	"string"
+ 	"math/rand"
+ 	"strings"
+ 	"time"
+@@ -108,3 +109,13 @@ func closeWithTimeout(p *expect.ExpectProcess, d time.Duration) error {
+ func toTLS(s string) string {
+ 	return strings.Replace(s, "http://", "https://", 1)
+ }
+
+func curl(endpoint string, method string, curlReq e2e.CURLReq, connType e2e.ClientConnType) (string, error) {
+	args := e2e.CURLPrefixArgs(endpoint, e2e.ClientConfig{ConnectionType: connType}, false, method, curlReq)
+	lines, err := e2e.RunUtilCompletion(args, nil)
+	if err != nil {
+		return "", err
+	}
+	return strings.Join(lines, "\n"), nil
+}
+
+-- 
+2.46.0
+
--- a/etcd.spec
+++ b/etcd.spec
@ -31,7 +31,7 @@ system.}
 %global gosupfiles      integration/fixtures/* etcdserver/api/v2http/testdata/*

 Name:           etcd
-Release:        8
+Release:        9
 Summary:        Distributed reliable key-value store for the most critical data of a distributed system

 # Upstream license specification: Apache-2.0
@ -50,7 +50,8 @@ Patch3:         0003-backport-Suppress-noisy-basic-auth-token-deletion-log.patch
 Patch4:         0004-backport-fix-CVE-2022-3064.patch
 Patch5:         0005-backport-fix-CVE-2022-41723.patch
 Patch6:         0006-backport-fix-CVE-2022-34038.patch
-
+Patch7:         0007-backport-fix-CVE-2023-32082.patch
+Patch8:         0008-backport-fix-CVE-2021-28235.patch

 BuildRequires:  golang
 BuildRequires:  python3-devel
@ -72,6 +73,8 @@ Requires(pre):  shadow-utils
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 # For compatibility
 cp -aR etcdserver/api/snap snap
 cp -aR etcdserver/api/membership etcdserver/membership
@ -157,6 +160,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif

 %changelog
+* Mon Feb 17 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-9
+- Type:CVE
+- CVE:CVE-2023-32082 CVE-2021-28235
+- SUG:NA
+- DESC: backport fix CVE-2023-32082 and CVE-2021-28235
+
 * Mon Feb 17 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-8
 - Type:CVE
 - CVE:CVE-2022-34038