Hi Gaudenz Steinlin <gaud...@debian.org> writes:
> Hi
>
> Salvatore Bonaccorso <car...@debian.org> writes:
>
>> Source: ceph
>> Version: 0.80.7-2
>> Severity: important
>> Tags: security upstream
>> Forwarded: http://tracker.ceph.com/issues/12537
>>
>> Hi,
>>
>> the following vulnerability was published for ceph.
>>
>> CVE-2015-5245[0]:
>> Ceph: Rados rest gateway returns requested bucket name raw in Bucket
>> response header
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2015-5245
>> [1] http://tracker.ceph.com/issues/12537
>
> I fail to see how this is a security issue. It's clearly a bug, but
> AFAICS you can only shoot yourself in the foot with it. There is no
> explanation in the upstream issue tracker why this was assigned a CVE
> ID. But as I'm by no means an expert on these issues I would appreciate
> someone else looking at this. Do other distros plan an update for this?
>
> If my assessment is correct I think we can fix this with a stable
> update. I already tried to convince the stable release team to allow
> minor updates to stable. See #784373. A backport to the stable firefly
> branch (which is in Debian stable) is in progress upstream.

I'm a bit lost on the status of this bug. Do I interpret
https://security-tracker.debian.org/tracker/source-package/ceph right in
that this means the security team thinks this does not warrant a DSA? Or
does this just mean that no DSA has been issued yet?

I'm still a bit unsure about the severity of this issue. As far as I
understand it, an attacker would have to trick someone into requesting a
specially crafted bucket name. How realistic is this in the context of
the RADOS gateway?

I prepared an update which fixes this bug for stable. If the security
team wants to issue a DSA I can upload this. I also attached the patch
to this mail, in case you want to do an upload yourself.

If the security team does not want to issue a DSA please say so, I'll
then try to get this fixed by a stable update.

Gaudenz
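The header line the attached patch changes, as an added C++ illustration and not Ceph's own code: url_encode here is a stand-in with the same percent-escaping behaviour the fix relies on, the raw form is the pre-fix behaviour, the encoded form is the post-fix behaviour, and is_single_header_line is a check a test suite could run to confirm the emitted header can never span more than one line.

```cpp
#include <cctype>
#include <string>

// Stand-in for the gateway's url_encode (assumption, not Ceph's code):
// every byte outside the unreserved set is emitted as %XX.
static std::string url_encode(const std::string& in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            out += static_cast<char>(c);
        } else {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        }
    }
    return out;
}

// Before the fix: the requested bucket name is copied verbatim into the
// "Bucket:" response header, exactly as the old print() call did.
std::string bucket_header_raw(const std::string& bucket_name) {
    return "Bucket: \"" + bucket_name + "\"\n";
}

// After the fix: the name is url-encoded first. The literal quotes and the
// bare "\n" terminator are kept on purpose, matching the backported patch.
std::string bucket_header_encoded(const std::string& bucket_name) {
    return "Bucket: \"" + url_encode(bucket_name) + "\"\n";
}

// Defensive check: a single header must be exactly one line, i.e. contain
// no CR or LF before its trailing terminator.
bool is_single_header_line(const std::string& header) {
    if (header.empty() || header.back() != '\n') return false;
    std::string body = header.substr(0, header.size() - 1);
    return body.find('\r') == std::string::npos &&
           body.find('\n') == std::string::npos;
}
```

For a well-formed name both functions produce the same header; the difference only shows for a constructed name containing a line break or quote character.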
commit 61b5e0389099bab8bcd196a76eb7a66cb6f5c63e Author: Gaudenz Steinlin <gaud...@debian.org> Date: Fri Sep 11 10:27:26 2015 +0200 Patch to fix CVE-2015-5245 applied from upstream Refreshed the patch to apply onto the firefly sources and to only contain the chages to fix the vulnerability. Closes: #798567 diff --git a/debian/patches/CVE-2015-5245.patch b/debian/patches/CVE-2015-5245.patch new file mode 100644 index 0000000..c929c0e --- /dev/null +++ b/debian/patches/CVE-2015-5245.patch @@ -0,0 +1,35 @@ +From ad5507fe0bf72ed5bdf8353e315cc9092c740144 Mon Sep 17 00:00:00 2001 +From: Yehuda Sadeh <yeh...@redhat.com> +Date: Thu, 30 Jul 2015 14:47:15 -0700 +Subject: [PATCH] rgw: url encode exposed bucket + +Fixes: #12537 +Don't send the bucket name back without url encoding it. + +Signed-off-by: Yehuda Sadeh <yeh...@redhat.com> + +The patch below is an adapted version for ceph 0.80.7 to only contain +the necessary changes to fix this vulnerability. Neither the quoting +of the bucket name nor the missing \r are fixed. +(see http://tracker.ceph.com/issues/9254 and http://tracker.ceph.com/issues/11860) + +--- + src/rgw/rgw_rest.cc | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/src/rgw/rgw_rest.cc ++++ b/src/rgw/rgw_rest.cc +@@ -272,8 +272,11 @@ + { + int expose_bucket = g_conf->rgw_expose_bucket; + if (expose_bucket) { +- if (!s->bucket_name_str.empty()) +- s->cio->print("Bucket: \"%s\"\n", s->bucket_name_str.c_str()); ++ if (!s->bucket_name_str.empty()) { ++ string b; ++ url_encode(s->bucket_name_str, b); ++ s->cio->print("Bucket: \"%s\"\n", b.c_str()); ++ } + } + } + diff --git a/debian/patches/series b/debian/patches/series index 8625fda..8ac47ad 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -14,6 +14,7 @@ backfill-prio.patch bash-completion.patch rbdmap1-mount.patch rbdmap2-hooks.patch +CVE-2015-5245.patch ## Debian rbdmap3-lazyumount.patch
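Review bot: in the rgw_rest.cc hunk the new branch declares `string b;` and calls `url_encode(s->bucket_name_str, b);` with no accompanying include change, so please confirm both names resolve in the 0.80.7 rgw_rest.cc (the upstream commit was refreshed onto a different tree) and add a short check that url_encode escapes CR and LF, since that is what actually stops a crafted bucket name from ending the header early. The replacement `s->cio->print("Bucket: \"%s\"\n", b.c_str());` still wraps the value in literal quotes and still terminates with a bare \n; the patch header already says those are deliberately left to #9254 and #11860, so state that same scope in the changelog entry so the stable release team sees what the update does and does not fix.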
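Review bot: the series hunk adds `+CVE-2015-5245.patch` above the `## Debian` marker, i.e. in the section of upstream-derived patches, which is consistent with it being a backport of upstream commit ad5507fe; no change needed there. Documentation point: the bug report asks for the CVE id in the changelog entry, so carry "CVE-2015-5245" and "Closes: #798567" from this commit message into debian/changelog rather than only into the patch file name.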