Control: tags 1096424 + patch
Control: tags 1096424 + pending
Control: tags 1120797 + patch
Control: tags 1120797 + pending

Dear maintainer,

I've prepared an NMU for ceph (versioned as 18.2.7+ds-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian

diffstat for ceph-18.2.7+ds ceph-18.2.7+ds changelog | 9 ++ patches/0001-Check-if-HTTP_X_AMZ_COPY_SOURCE-header-is-empty.patch | 31 +++++++++ patches/0001-build-Include-cstdint-more-places.patch | 34 ++++++++++ patches/series | 2 4 files changed, 76 insertions(+) diff -Nru ceph-18.2.7+ds/debian/changelog ceph-18.2.7+ds/debian/changelog --- ceph-18.2.7+ds/debian/changelog 2025-07-22 20:06:06.000000000 +0300 +++ ceph-18.2.7+ds/debian/changelog 2026-01-05 20:03:35.000000000 +0200 @@ -1,3 +1,12 @@ +ceph (18.2.7+ds-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Backport upstream fix for FTBFS with GCC 15. (Closes: #1096424) + * CVE-2024-47866: RGW DoS attack with empty HTTP header in S3 + object copy. (Closes: #1120797) + + -- Adrian Bunk <[email protected]> Mon, 05 Jan 2026 20:03:35 +0200 + ceph (18.2.7+ds-1) unstable; urgency=high * Adding patch from upstream to fix regression with CVE-2025-52555: - diff -Nru ceph-18.2.7+ds/debian/patches/0001-build-Include-cstdint-more-places.patch ceph-18.2.7+ds/debian/patches/0001-build-Include-cstdint-more-places.patch --- ceph-18.2.7+ds/debian/patches/0001-build-Include-cstdint-more-places.patch 1970-01-01 02:00:00.000000000 +0200 +++ ceph-18.2.7+ds/debian/patches/0001-build-Include-cstdint-more-places.patch 2026-01-05 20:03:35.000000000 +0200 
@@ -0,0 +1,34 @@ +From 24ea35870fe9b3ba15285ec8746ba97ed5d67ff3 Mon Sep 17 00:00:00 2001 +From: "Adam C. Emerson" <[email protected]> +Date: Thu, 8 May 2025 13:47:03 -0400 +Subject: build: Include <cstdint> more places + +Fix needed as of GCC 15. + +Signed-off-by: Adam C. Emerson <[email protected]> +--- + src/rocksdb/db/blob/blob_file_meta.h | 1 + + src/rocksdb/include/rocksdb/trace_record.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/src/rocksdb/db/blob/blob_file_meta.h ++++ b/src/rocksdb/db/blob/blob_file_meta.h +@@ -6,6 +6,7 @@ + #pragma once + + #include <cassert> ++#include <cstdint> + #include <iosfwd> + #include <memory> + #include <string> +--- a/src/rocksdb/include/rocksdb/trace_record.h ++++ b/src/rocksdb/include/rocksdb/trace_record.h +@@ -5,6 +5,7 @@ + + #pragma once + ++#include <cstdint> + #include <memory> + #include <string> + #include <vector> + diff -Nru ceph-18.2.7+ds/debian/patches/0001-Check-if-HTTP_X_AMZ_COPY_SOURCE-header-is-empty.patch ceph-18.2.7+ds/debian/patches/0001-Check-if-HTTP_X_AMZ_COPY_SOURCE-header-is-empty.patch --- ceph-18.2.7+ds/debian/patches/0001-Check-if-HTTP_X_AMZ_COPY_SOURCE-header-is-empty.patch 1970-01-01 02:00:00.000000000 +0200 +++ ceph-18.2.7+ds/debian/patches/0001-Check-if-HTTP_X_AMZ_COPY_SOURCE-header-is-empty.patch 2026-01-05 20:03:35.000000000 +0200 
@@ -0,0 +1,31 @@ +From 2efe60a2841f432a7d8f9bb22d4111607094e891 Mon Sep 17 00:00:00 2001 +From: Suyash Dongre <[email protected]> +Date: Wed, 20 Aug 2025 23:22:41 +0530 +Subject: Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty + +The issue was that the `HTTP_X_AMZ_COPY_SOURCE` header could be present but empty (i.e., an empty string rather than NULL). The code only checked if the pointer was not NULL, but didn't verify that the string had content. When an empty string was passed to RGWCopyObj::parse_copy_location(), it would eventually try to access name_str[0] on an empty string, causing a crash. + +Fixes: https://tracker.ceph.com/issues/72669 + +Signed-off-by: Suyash Dongre <[email protected]> +--- + src/rgw/rgw_op.cc | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc +index 09f15979629..83182e375cb 100644 +--- a/src/rgw/rgw_op.cc ++++ b/src/rgw/rgw_op.cc +@@ -5255,6 +5255,9 @@ bool RGWCopyObj::parse_copy_location(const std::string_view& url_src, + params_str = url_src.substr(pos + 1); + } + ++ if (name_str.empty()) { ++ return false; ++ } + if (name_str[0] == '/') // trim leading slash + name_str.remove_prefix(1); + +-- +2.30.2 + diff -Nru ceph-18.2.7+ds/debian/patches/series ceph-18.2.7+ds/debian/patches/series --- ceph-18.2.7+ds/debian/patches/series 2025-07-22 20:03:45.000000000 +0300 +++ ceph-18.2.7+ds/debian/patches/series 2026-01-05 20:03:35.000000000 +0200 @@ -39,3 +39,5 @@ py313-compat/0008-mgr-set-argv-for-python-in-PyModuleRegistry.patch py313-compat/0009-mgr-add-site-package-paths-in-PyModuleRegistry.patch py313-compat/0010-ceph-volume-fix-importlib.metadata-compat.patch +0001-build-Include-cstdint-more-places.patch +0001-Check-if-HTTP_X_AMZ_COPY_SOURCE-header-is-empty.patch
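Review bot: In the debian/changelog hunk, the CVE-2024-47866 entry names the issue but does not say what the upload does about it, and neither new entry names the patch file it adds. Wording such as "Add upstream patch 0001-Check-if-HTTP_X_AMZ_COPY_SOURCE-header-is-empty.patch to fix CVE-2024-47866 ..." would let someone reading only the changelog map each bug closure to the file in debian/patches.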
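Review bot: In the src/rgw/rgw_op.cc hunk, the new `name_str.empty()` guard runs before the leading-slash trim, so a copy source consisting only of "/" passes the guard and leaves `name_str` empty again after `name_str.remove_prefix(1)`. The code that follows the trim is outside this hunk, so please confirm that it tolerates an empty `name_str`, or repeat the emptiness check after the trim so that both the empty and the slash-only header value return false.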
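Review bot: In the debian/patches/series hunk, both added entries keep the `0001-` prefix left by git format-patch, which suggests they belong to one ordered series when they are unrelated fixes. Consider dropping the number or using a descriptive prefix (for example the CVE id for the RGW fix) so the security patch is easy to find in the series file.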

