[Pkg-ceph-commits] [ceph] 04/05: Add upstream patch to fix CVE-2015-5245

Gaudenz Steinlin gaudenz at moszumanska.debian.org
Fri Sep 18 15:33:59 UTC 2015


This is an automated email from the git hooks/post-receive script.

gaudenz pushed a commit to branch experimental
in repository ceph.

commit 53693588806314f9c6716c17380157ee8776c239
Author: Gaudenz Steinlin <gaudenz at debian.org>
Date:   Fri Sep 18 16:51:06 2015 +0200

    Add upstream patch to fix CVE-2015-5245
    
    See http://tracker.ceph.com/issues/12537 for more information.
    
    Closes: #798567
---
 debian/patches/CVE-2015-5245.patch | 31 +++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 32 insertions(+)

diff --git a/debian/patches/CVE-2015-5245.patch b/debian/patches/CVE-2015-5245.patch
new file mode 100644
index 0000000..8c59d06
--- /dev/null
+++ b/debian/patches/CVE-2015-5245.patch
@@ -0,0 +1,31 @@
+From ad5507fe0bf72ed5bdf8353e315cc9092c740144 Mon Sep 17 00:00:00 2001
+From: Yehuda Sadeh <yehuda at redhat.com>
+Date: Thu, 30 Jul 2015 14:47:15 -0700
+Subject: [PATCH] rgw: url encode exposed bucket
+
+Fixes: #12537
+Don't send the bucket name back without url encoding it.
+
+Signed-off-by: Yehuda Sadeh <yehuda at redhat.com>
+---
+ src/rgw/rgw_rest.cc | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc
+index a03e31f..84681c7 100644
+--- a/src/rgw/rgw_rest.cc
++++ b/src/rgw/rgw_rest.cc
+@@ -361,8 +361,11 @@ void dump_bucket_from_state(struct req_state *s)
+ {
+   int expose_bucket = g_conf->rgw_expose_bucket;
+   if (expose_bucket) {
+-    if (!s->bucket_name_str.empty())
+-      s->cio->print("Bucket: %s\r\n", s->bucket_name_str.c_str());
++    if (!s->bucket_name_str.empty()) {
++      string b;
++      url_encode(s->bucket_name_str, b);
++      s->cio->print("Bucket: %s\r\n", b.c_str());
++    }
+   }
+ }
+ 
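Review bot: the header of the embedded patch (the From/Subject/Fixes block at the top of CVE-2015-5245.patch) gives "Fixes: #12537" without naming the tracker, and in a Debian patch a bare "#" number reads as a Debian bug. Suggest adding DEP-3 fields such as "Bug: http://tracker.ceph.com/issues/12537" and "Bug-Debian: https://bugs.debian.org/798567" so the patch file is self-describing. In the rgw_rest.cc change itself, a one-line comment above the url_encode() call would help. It should say that the bucket name from the request state is echoed into a header line terminated by "\r\n" and must stay encoded, so that a later cleanup does not drop the encoding.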
diff --git a/debian/patches/series b/debian/patches/series
index 9f24fbd..a4eb539 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,6 @@
 ## Backported / Upstream
 sleep-recover.patch
+CVE-2015-5245.patch
 
 ## Debian
 rbdmap3-lazyumount.patch
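Review bot: the new series entry sits correctly under "## Backported / Upstream", but the diffstat shows only the patch and series files changed, so the "Closes: #798567" from the commit message appears nowhere in the packaging itself. Make sure the debian/changelog entry for the upload carries the same Closes line and mentions CVE-2015-5245, otherwise the bug will not be closed by the upload.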

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ceph/ceph.git


