ceph: fix CVE-2023-43040

IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-43040 Upstream patch: https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Yogita Urade <yogita.urade@windriver.com> 2025-04-04 10:04:09 +0000
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-04-09 04:02:08 +0000
commit: 55ed2134a4b0225e7cb74777a5775d910dc3f065 (patch)
tree: 227112761233208ef224627dfb6a1406da7aae39
parent: 426530794bfc0df686566beed50e245f40565d6c (diff)
download: meta-virtualization-55ed2134a4b0225e7cb74777a5775d910dc3f065.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/recipes-extended/ceph/ceph/CVE-2023-43040.patch b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
new file mode 100644
index 00000000..18fca583
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
@@ -0,0 +1,56 @@
+From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
+From: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Wed, 17 May 2023 12:17:09 -0600
+Subject: [PATCH] rgw: Fix bucket validation against POST policies
+It's possible that user could provide a form part as a part of a POST
+object upload that uses 'bucket' as a key; in this case, it was
+overriding what was being set in the validation env (which is the real
+bucket being modified). The result of this is that a user could actually
+upload to any bucket accessible by the specified access key by matching
+the bucket in the POST policy in said POST form part.
+Fix this simply by setting the bucket to the correct value after the
+POST form parts are processed, ignoring the form part above if
+specified.
+Fixes: https://tracker.ceph.com/issues/63004
+Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
+CVE: CVE-2023-43040
+Upstream-Status: Backport [https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/rgw/rgw_rest_s3.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+index cb026714..40b4ff92 100644
+--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
+@@ -2735,10 +2735,6 @@ int RGWPostObj_ObjStore_S3::get_params()
+   map_qs_metadata(s);
+-  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
+-                   << dendl;
+-  env.add_var("bucket", s->bucket.name);
+-
+   bool done;
+   do {
+     struct post_form_part part;
+@@ -2789,6 +2785,10 @@ int RGWPostObj_ObjStore_S3::get_params()
+     env.add_var(part.name, part_str);
+   } while (!done);
+  ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
+                    << dendl;
+  env.add_var("bucket", s->bucket.name);
+
+   string object_str;
+   if (!part_str(parts, "key", &object_str)) {
+     err_msg = "Key not specified";
+--
+2.40.0
diff --git a/recipes-extended/ceph/ceph_15.2.17.bb b/recipes-extended/ceph/ceph_15.2.17.bb
index 9fb2e722..4f32db0e 100644
--- a/recipes-extended/ceph/ceph_15.2.17.bb
+++ b/recipes-extended/ceph/ceph_15.2.17.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
           file://ceph.conf \
           file://0001-cmake-add-support-for-python3.10.patch \
           file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+           file://CVE-2023-43040.patch \
 "
 SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"
author	Yogita Urade <yogita.urade@windriver.com>	2025-04-04 10:04:09 +0000
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2025-04-09 04:02:08 +0000
commit	55ed2134a4b0225e7cb74777a5775d910dc3f065 (patch)
tree	227112761233208ef224627dfb6a1406da7aae39
parent	426530794bfc0df686566beed50e245f40565d6c (diff)
download	meta-virtualization-55ed2134a4b0225e7cb74777a5775d910dc3f065.tar.gz

diff --git a/recipes-extended/ceph/ceph/CVE-2023-43040.patch b/recipes-extended/ceph/ceph/CVE-2023-43040.patch new file mode 100644 index 00000000..18fca583 --- /dev/null +++ b/recipes-extended/ceph/ceph/CVE-2023-43040.patch
@@ -0,0 +1,56 @@
		1	From 98bfb71cb38899333deb58dd2562037450fd7fa8 Mon Sep 17 00:00:00 2001
		2	From: Joshua Baergen <jbaergen@digitalocean.com>
		3	Date: Wed, 17 May 2023 12:17:09 -0600
		4	Subject: [PATCH] rgw: Fix bucket validation against POST policies
		5
		6	It's possible that user could provide a form part as a part of a POST
		7	object upload that uses 'bucket' as a key; in this case, it was
		8	overriding what was being set in the validation env (which is the real
		9	bucket being modified). The result of this is that a user could actually
		10	upload to any bucket accessible by the specified access key by matching
		11	the bucket in the POST policy in said POST form part.
		12
		13	Fix this simply by setting the bucket to the correct value after the
		14	POST form parts are processed, ignoring the form part above if
		15	specified.
		16
		17	Fixes: https://tracker.ceph.com/issues/63004
		18
		19	Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
		20
		21	CVE: CVE-2023-43040
		22	Upstream-Status: Backport [https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8]
		23
		24	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		25	---
		26	src/rgw/rgw_rest_s3.cc \| 8 ++++----
		27	1 file changed, 4 insertions(+), 4 deletions(-)
		28
		29	diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
		30	index cb026714..40b4ff92 100644
		31	--- a/src/rgw/rgw_rest_s3.cc
		32	+++ b/src/rgw/rgw_rest_s3.cc
		33	@@ -2735,10 +2735,6 @@ int RGWPostObj_ObjStore_S3::get_params()
		34
		35	map_qs_metadata(s);
		36
		37	- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
		38	- << dendl;
		39	- env.add_var("bucket", s->bucket.name);
		40	-
		41	bool done;
		42	do {
		43	struct post_form_part part;
		44	@@ -2789,6 +2785,10 @@ int RGWPostObj_ObjStore_S3::get_params()
		45	env.add_var(part.name, part_str);
		46	} while (!done);
		47
		48	+ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket.name
		49	+ << dendl;
		50	+ env.add_var("bucket", s->bucket.name);
		51	+
		52	string object_str;
		53	if (!part_str(parts, "key", &object_str)) {
		54	err_msg = "Key not specified";
		55	--
		56	2.40.0


diff --git a/recipes-extended/ceph/ceph_15.2.17.bb b/recipes-extended/ceph/ceph_15.2.17.bb index 9fb2e722..4f32db0e 100644 --- a/recipes-extended/ceph/ceph_15.2.17.bb +++ b/recipes-extended/ceph/ceph_15.2.17.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
14	file://ceph.conf \	14	file://ceph.conf \
15	file://0001-cmake-add-support-for-python3.10.patch \	15	file://0001-cmake-add-support-for-python3.10.patch \
16	file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \	16	file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
		17	file://CVE-2023-43040.patch \
17	"	18	"
18		19
19	SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"	20	SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"