fix CVE-2023-46159

Signed-off-by: lizhipeng <qiuxinyidian@gmail.com> (cherry picked from commit 0528589084daa5d18c15c6354c7f028a48d2ee21)
2024-04-19 18:31:57 +08:00 · 2024-04-19 18:31:57 +08:00 · c119db7cec
commit c119db7cec
parent df707973e9
2 changed files with 56 additions and 1 deletions
--- a/0016-fix-CVE-2023-46159.patch
+++ b/0016-fix-CVE-2023-46159.patch
@ -0,0 +1,51 @@
+From 64803e1ced57d64b758927c3977bb4a4d1769180 Mon Sep 17 00:00:00 2001
+From: Joshua Baergen <jbaergen@digitalocean.com>
+Date: Tue, 12 Sep 2023 14:05:01 -0400
+Subject: [PATCH] rgw: Add missing empty checks to the split string in
+ is_string_in_set().
+
+In certain cases, where a user misconfigures a CORS rule, the entirety
+of the string can be token characters (or, at least, the string before
+and after a given token is all token characters), but != "*". If the
+misconfigured string includes "*" we'll try to split the string and we
+assume that we can pop the list of string elements when "*" isn't
+first/last, but get_str_list() won't return anything for token-only
+substrings and thus 'ssplit' will have fewer elements than would be
+expected for a correct rule. In the case of an empty list, front() has
+undefined behaviour; in our experience, it often results in a huge
+allocation attempt because the code tries to copy the string into a
+local variable 'sl'.
+
+An example of this misconfiguration (and thus a reproduction case) is
+configuring an origin of " *".
+
+Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>
+---
+ src/rgw/rgw_cors.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
+index e41abf8ccb..bb80e2b58d 100644
+--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
+@@ -95,6 +95,8 @@ static bool is_string_in_set(set<string>& s, string h) {
+       
+       get_str_list((*it), "* \t", ssplit);
+       if (off != 0) {
+        if (ssplit.empty())
+          continue;
+         string sl = ssplit.front();
+         flen = sl.length();
+         dout(10) << "Finding " << sl << ", in " << h << ", at offset 0" << dendl;
+@@ -103,6 +105,8 @@ static bool is_string_in_set(set<string>& s, string h) {
+         ssplit.pop_front();
+       }
+       if (off != ((*it).length() - 1)) {
+        if (ssplit.empty())
+          continue;
+         string sl = ssplit.front();
+         dout(10) << "Finding " << sl << ", in " << h 
+           << ", at offset not less than " << flen << dendl;
+-- 
+2.15.0
+
--- a/ceph.spec
+++ b/ceph.spec
@ -125,7 +125,7 @@
 #################################################################################
 Name:		ceph
 Version:	16.2.7
-Release:	19
+Release:	20
 %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
 Epoch:		2
 %endif
@ -158,6 +158,7 @@ Patch12: 0012-add-missing-includes-when-compiling-with-boost-1.75.patch
 Patch13: 0013-add-atomic-library-for-loongarch64.patch
 Patch14: 0014-fix-CVE-2022-3854.patch
 Patch15: 0015-ceph-volume-add-judgment-for-ceph-volume-lvm-activat.patch
+Patch16: 0016-fix-CVE-2023-46159.patch
 %if 0%{?suse_version}
 # _insert_obs_source_lines_here
 ExclusiveArch:  x86_64 aarch64 ppc64le s390x
@ -2502,6 +2503,9 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml

 %changelog
+* Fri Mar 22 2024 lizhipeng <qiuxinyidian@gmail.com> - 2:16.2.7-20
+- fix CVE-2023-46159
+
 * Mon Aug 28 2023 liuqinfei <lucas.liuqinfei@huawei.com> - 2:16.2.7-19
 - add judgment for ceph-volume lvm activate
 - sync from #PR 187