!55 [sync] PR-53: Fix CVE-2022-47184 and CVE-2023-33933

From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-12-19 08:50:38 +00:00 · 2023-12-19 08:50:38 +00:00 · 3e25b214e1
commit 3e25b214e1
parent fcc8cf10f3 b06b827864
3 changed files with 315 additions and 1 deletions
--- a/CVE-2022-47184.patch
+++ b/CVE-2022-47184.patch
@ -0,0 +1,105 @@
+From c371b7b21a7e774f852af86b85c87d5d877a14bd Mon Sep 17 00:00:00 2001
+From: Bryan Call <bcall@apache.org>
+Date: Tue, 6 Jun 2023 15:23:04 -0700
+Subject: [PATCH] Deny the TRACE method by default (#9788)
+
+(cherry picked from commit 105af3ca30e59fbb89013e83a484a04559b4cf25)
+---
+ configs/ip_allow.yaml.default                      | 4 +++-
+ doc/admin-guide/files/ip_allow.yaml.en.rst         | 9 ++++++---
+ tests/gold_tests/autest-site/min_cfg/ip_allow.yaml | 4 +++-
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/configs/ip_allow.yaml.default b/configs/ip_allow.yaml.default
+index ff3627d23e8..16db1d2845a 100644
+--- a/configs/ip_allow.yaml.default
+++ b/configs/ip_allow.yaml.default
+@@ -24,7 +24,7 @@
+ # Rules are applied in the order listed starting from the top.
+ # That means you generally want to append your rules after the ones listed here.
+ #
+-# Allow anything on localhost, limit destructive methods elsewhere.
+# Allow anything on localhost, limit destructive and debug methods elsewhere.
+ ip_allow:
+   - apply: in
+     ip_addrs: 127.0.0.1
+@@ -41,6 +41,7 @@ ip_allow:
+       - PURGE
+       - PUSH
+       - DELETE
+      - TRACE
+   - apply: in
+     ip_addrs: ::/0
+     action: deny
+@@ -48,3 +49,4 @@ ip_allow:
+       - PURGE
+       - PUSH
+       - DELETE
+      - TRACE
+diff --git a/doc/admin-guide/files/ip_allow.yaml.en.rst b/doc/admin-guide/files/ip_allow.yaml.en.rst
+index 1f1843e21ac..db2e58dfa46 100644
+--- a/doc/admin-guide/files/ip_allow.yaml.en.rst
+++ b/doc/admin-guide/files/ip_allow.yaml.en.rst
+@@ -60,6 +60,7 @@ Format
+          - PURGE
+          - PUSH
+          - DELETE
+         - TRACE
+      - apply: in
+        ip_addrs: ::/0
+        action: deny
+@@ -67,6 +68,7 @@ Format
+          - PURGE
+          - PUSH
+          - DELETE
+         - TRACE
+ 
+ Each rule is a mapping. The YAML data must have a top level key of "ip_allow" and its value must
+ be a mapping or a sequence of mappings, each of those being one rule.
+@@ -106,7 +108,8 @@ the specified methods are denied and all other methods are allowed.
+ For example, from the default configuration, the rule for ``127.0.0.1`` is ``allow`` with all
+ methods. Therefore an inbound connection from the loopback address (127.0.0.1) is allowed to use any
+ method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule and therefore when it
+-matches the methods "PURGE", "PUSH", and "DELETE", these methods are denied and any other method is allowed.
+matches the methods "PURGE", "PUSH", "DELETE", and "TRACE", these methods are denied and any other method
+is allowed.
+ 
+ The rules are matched in order, by IP address, therefore the general IPv4 rule does not apply to the
+ loopback address because the latter is matched first.
+@@ -224,8 +227,8 @@ As a final example, here is the default configuration in compact form::
+    ip_allow: [
+      { apply: in, ip_addrs: 127.0.0.1, action: allow },
+      { apply: in, ip_addrs: "::1", action: allow },
+-     { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE ] },
+-     { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE ] }
+     { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] },
+     { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] }
+      ]
+ 
+ .. note::
+diff --git a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
+index d13c27516ac..841286477cb 100644
+--- a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
+++ b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
+@@ -13,7 +13,7 @@
+ #  or implied. See the License for the specific language governing permissions and limitations under
+ #  the License.
+ 
+-# Allow anything on localhost, limit destructive methods elsewhere.
+# Allow anything on localhost, limit destructive and debug methods elsewhere.
+ ip_allow:
+   - apply: in
+     ip_addrs: 127.0.0.1
+@@ -34,6 +34,7 @@ ip_allow:
+       - PURGE
+       - PUSH
+       - DELETE
+      - TRACE
+   - apply: in
+     ip_addrs: ::/0
+     action: deny
+@@ -41,3 +42,4 @@ ip_allow:
+       - PURGE
+       - PUSH
+       - DELETE
+      - TRACE
--- a/CVE-2023-33933.patch
+++ b/CVE-2023-33933.patch
@ -0,0 +1,202 @@
+From 726a79cb2f70fcbe0e2139aab3fe56930d3d8c27 Mon Sep 17 00:00:00 2001
+From: Masakazu Kitajo <maskit@apache.org>
+Date: Thu, 8 Jun 2023 02:27:52 +0900
+Subject: [PATCH] s3_auth: Fix hash calculation (#9779)
+
+(cherry picked from commit 867c48c1adf9e795c8d85c48d2d0f07f08aa87ec)
+---
+ plugins/s3_auth/aws_auth_v4.cc                 |  5 +++++
+ plugins/s3_auth/aws_auth_v4.h                  |  1 +
+ plugins/s3_auth/aws_auth_v4_wrap.h             |  5 +++++
+ plugins/s3_auth/unit_tests/test_aws_auth_v4.cc | 14 ++++++++++++++
+ plugins/s3_auth/unit_tests/test_aws_auth_v4.h  |  7 +++++++
+ 5 files changed, 32 insertions(+)
+
+diff --git a/plugins/s3_auth/aws_auth_v4.cc b/plugins/s3_auth/aws_auth_v4.cc
+index 3f9aea0..6ba76d8 100644
+--- a/plugins/s3_auth/aws_auth_v4.cc
+++ b/plugins/s3_auth/aws_auth_v4.cc
+@@ -303,6 +303,11 @@ getCanonicalRequestSha256Hash(TsInterface &api, bool signPayload, const StringSe
+   str = api.getPath(&length);
+   String path("/");
+   path.append(str, length);
+  str = api.getParams(&length);
+  if (length > 0) {
+    path.append(";", 1);
+    path.append(str, length);
+  }
+   String canonicalUri = canonicalEncode(path, /* isObjectName */ true);
+   sha256Update(&canonicalRequestSha256Ctx, canonicalUri);
+   sha256Update(&canonicalRequestSha256Ctx, "\n");
+diff --git a/plugins/s3_auth/aws_auth_v4.h b/plugins/s3_auth/aws_auth_v4.h
+index 865a199..984bc62 100644
+--- a/plugins/s3_auth/aws_auth_v4.h
+++ b/plugins/s3_auth/aws_auth_v4.h
+@@ -47,6 +47,7 @@ public:
+   virtual const char *getMethod(int *length) = 0;
+   virtual const char *getHost(int *length)   = 0;
+   virtual const char *getPath(int *length)   = 0;
+  virtual const char *getParams(int *length) = 0;
+   virtual const char *getQuery(int *length)  = 0;
+   virtual HeaderIterator headerBegin()       = 0;
+   virtual HeaderIterator headerEnd()         = 0;
+diff --git a/plugins/s3_auth/aws_auth_v4_wrap.h b/plugins/s3_auth/aws_auth_v4_wrap.h
+index 72221c3..3ed858a 100644
+--- a/plugins/s3_auth/aws_auth_v4_wrap.h
+++ b/plugins/s3_auth/aws_auth_v4_wrap.h
+@@ -108,6 +108,11 @@ public:
+     return TSUrlPathGet(_bufp, _url, len);
+   }
+   const char *
+  getParams(int *len) override
+  {
+    return TSUrlHttpParamsGet(_bufp, _url, len);
+  }
+  const char *
+   getQuery(int *len) override
+   {
+     return TSUrlHttpQueryGet(_bufp, _url, len);
+diff --git a/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc b/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc
+index 595fe00..a11213c 100644
+--- a/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc
+++ b/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc
+@@ -404,6 +404,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Object", "[AWS][auth][SpecByExample]")
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("test.txt");
+  api._params.assign("");
+   api._query.assign("");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Range", "bytes=0-9"));
+@@ -449,6 +450,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket Lifecycle", "[AWS][auth][SpecByExamp
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("lifecycle");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
+@@ -493,6 +495,7 @@ TEST_CASE("AWSAuthSpecByExample: Get Bucket List Objects", "[AWS][auth][SpecByEx
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
+@@ -584,6 +587,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket List Objects, unsigned pay-load, exc
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD"));
+@@ -633,6 +637,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket List Objects, query param value alre
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("PATH==");
+  api._params.assign("");
+   api._query.assign("key=TEST==");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD"));
+@@ -679,6 +684,7 @@ TEST_CASE("S3AuthV4UtilParams: signing multiple same name fields", "[AWS][auth][
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -777,6 +783,7 @@ TEST_CASE("S3AuthV4UtilParams: include all headers explicit", "[AWS][auth][SpecB
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -812,6 +819,7 @@ TEST_CASE("S3AuthV4UtilParams: exclude all headers explicit", "[AWS][auth][utili
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -847,6 +855,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude non overlapping headers", "[AWS][
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -881,6 +890,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers", "[AWS][auth
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -916,6 +926,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers missing inclu
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -951,6 +962,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers missing exclu
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -989,6 +1001,7 @@ TEST_CASE("S3AuthV4UtilParams: include content type", "[AWS][auth][utility]")
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -1022,6 +1035,7 @@ TEST_CASE("S3AuthV4UtilParams: include missing content type", "[AWS][auth][utili
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
+  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD"));
+diff --git a/plugins/s3_auth/unit_tests/test_aws_auth_v4.h b/plugins/s3_auth/unit_tests/test_aws_auth_v4.h
+index e295d75..e4eb454 100644
+--- a/plugins/s3_auth/unit_tests/test_aws_auth_v4.h
+++ b/plugins/s3_auth/unit_tests/test_aws_auth_v4.h
+@@ -95,6 +95,12 @@ public:
+     return _path.c_str();
+   }
+   const char *
+  getParams(int *length)
+  {
+    *length = _params.length();
+    return _params.c_str();
+  }
+  const char *
+   getQuery(int *length)
+   {
+     *length = _query.length();
+@@ -114,6 +120,7 @@ public:
+   String _method;
+   String _host;
+   String _path;
+  String _params;
+   String _query;
+   HeaderMultiMap _headers;
+ };
+-- 
+2.30.0
+
--- a/trafficserver.spec
+++ b/trafficserver.spec
@ -1,7 +1,7 @@
 %define _hardened_build 1
 Name:                trafficserver
 Version:             9.1.4
-Release:             1
+Release:             2
 Summary:             Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 License:             Apache-2.0
 URL:                 https://trafficserver.apache.org/
@ -11,6 +11,10 @@ Patch0001:           Fix-status-failure-after-stopping-service.patch
 Patch0002:           Fix-log-in-debug-mode.patch
 Patch0003:           config-layout-openEuler.patch
 Patch0004:           Modify-storage.config-for-traffic_cache_tool.patch
+# https://github.com/apache/trafficserver/commit/c371b7b21a7e774f852af86b85c87d5d877a14bd
+Patch0005:           CVE-2022-47184.patch
+# https://github.com/apache/trafficserver/commit/726a79cb2f70fcbe0e2139aab3fe56930d3d8c27
+Patch0006:           CVE-2023-33933.patch
 BuildRequires:       expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel
 BuildRequires:       libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker
 BuildRequires:       libcap-devel cmake libunwind-devel automake
@ -113,6 +117,9 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{_datadir}/pkgconfig/trafficserver.pc

 %changelog
+* Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 9.1.4-2
+- Fix CVE-2022-47184 and CVE-2023-33933
+
 * Tue Dec 27 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 9.1.4-1
 - Update to 9.1.4 to fix CVE-2022-37392 and CVE-2022-32749 and CVE-2022-40743