[Pkg-ceph-commits] [ceph] 01/09: Patch to fix CVE-2015-5245 applied from upstream
Gaudenz Steinlin
gaudenz at moszumanska.debian.org
Thu Jan 5 10:05:28 UTC 2017
This is an automated email from the git hooks/post-receive script.
gaudenz pushed a commit to branch jessie
in repository ceph.
commit 61b5e0389099bab8bcd196a76eb7a66cb6f5c63e
Author: Gaudenz Steinlin <gaudenz at debian.org>
Date: Fri Sep 11 10:27:26 2015 +0200
Patch to fix CVE-2015-5245 applied from upstream
Refreshed the patch to apply onto the firefly sources and to only
contain the changes to fix the vulnerability.
Closes: #798567
---
debian/patches/CVE-2015-5245.patch | 35 +++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 36 insertions(+)
diff --git a/debian/patches/CVE-2015-5245.patch b/debian/patches/CVE-2015-5245.patch
new file mode 100644
index 0000000..c929c0e
--- /dev/null
+++ b/debian/patches/CVE-2015-5245.patch
@@ -0,0 +1,35 @@
+From ad5507fe0bf72ed5bdf8353e315cc9092c740144 Mon Sep 17 00:00:00 2001
+From: Yehuda Sadeh <yehuda at redhat.com>
+Date: Thu, 30 Jul 2015 14:47:15 -0700
+Subject: [PATCH] rgw: url encode exposed bucket
+
+Fixes: #12537
+Don't send the bucket name back without url encoding it.
+
+Signed-off-by: Yehuda Sadeh <yehuda at redhat.com>
+
+The patch below is an adapted version for ceph 0.80.7 to only contain
+the necessary changes to fix this vulnerability. Neither the quoting
+of the bucket name nor the missing \r are fixed.
+(see http://tracker.ceph.com/issues/9254 and http://tracker.ceph.com/issues/11860)
+
+---
+ src/rgw/rgw_rest.cc | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/src/rgw/rgw_rest.cc
++++ b/src/rgw/rgw_rest.cc
+@@ -272,8 +272,11 @@
+ {
+ int expose_bucket = g_conf->rgw_expose_bucket;
+ if (expose_bucket) {
+- if (!s->bucket_name_str.empty())
+- s->cio->print("Bucket: \"%s\"\n", s->bucket_name_str.c_str());
++ if (!s->bucket_name_str.empty()) {
++ string b;
++ url_encode(s->bucket_name_str, b);
++ s->cio->print("Bucket: \"%s\"\n", b.c_str());
++ }
+ }
+ }
+
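Review bot: the embedded patch carries no DEP-3 headers, so the upstream origin and the Debian bug are only recoverable from the free-form paragraph; add lines such as `Origin: backport, commit ad5507fe0bf72ed5bdf8353e315cc9092c740144`, `Bug: http://tracker.ceph.com/issues/12537` and `Bug-Debian: https://bugs.debian.org/798567` above the `---` separator so the packaging tools can pick them up. On the code change, `url_encode(s->bucket_name_str, b);` is now the only guard between a client-chosen bucket name and the raw `Bucket:` line written into the response header stream, so the backport should be checked against the `url_encode` implementation in the 0.80.7 tree to confirm it encodes CR and LF (the characters that matter for header injection) and not only the URL-reserved set. The descriptive text correctly records that the surrounding quotes and the `\n`-only line ending are intentionally left as in 0.80.7 (tracker #9254 and #11860), so those are out of scope for this patch.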
diff --git a/debian/patches/series b/debian/patches/series
index 8625fda..8ac47ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,6 +14,7 @@ backfill-prio.patch
bash-completion.patch
rbdmap1-mount.patch
rbdmap2-hooks.patch
+CVE-2015-5245.patch
## Debian
rbdmap3-lazyumount.patch
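Review bot: `CVE-2015-5245.patch` is appended as the last entry before the `## Debian` marker, so it is applied on top of `rbdmap2-hooks.patch` and every earlier patch in the series; because its single hunk is anchored only by `@@ -272,8 +272,11 @@` in src/rgw/rgw_rest.cc with no function-name context, confirm with `quilt push -a` that it applies at that offset without fuzz after the preceding patches. If the series is meant to be grouped by origin, as the `## Debian` comment suggests, a short comment line above this entry identifying it as an upstream security backport would keep that convention consistent.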
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ceph/ceph.git