[Pkg-ceph-commits] [ceph] 05/09: Upstream fix for CVE-2016-9579 (short CORS request)
Gaudenz Steinlin
gaudenz at moszumanska.debian.org
Thu Jan 5 10:05:29 UTC 2017
This is an automated email from the git hooks/post-receive script.
gaudenz pushed a commit to branch jessie
in repository ceph.
commit 78329ea693769b83d7ffcf66a242e6252403bd3c
Author: Gaudenz Steinlin <gaudenz at debian.org>
Date: Sat Dec 24 13:12:49 2016 +0100
Upstream fix for CVE-2016-9579 (short CORS request)
This fix was cherry-picked from the upstream master branch. A backport
to jewel is still in progress. See http://tracker.ceph.com/issues/18187.
Closes: #849048
---
.../patches/cve-2016-9579_short_cors_request.patch | 51 ++++++++++++++++++++++
debian/patches/series | 3 ++
2 files changed, 54 insertions(+)
diff --git a/debian/patches/cve-2016-9579_short_cors_request.patch b/debian/patches/cve-2016-9579_short_cors_request.patch
new file mode 100644
index 0000000..6a654ba
--- /dev/null
+++ b/debian/patches/cve-2016-9579_short_cors_request.patch
@@ -0,0 +1,51 @@
+commit 67d4d9e64bc224e047cf333e673bb22cd6290789
+Author: LiuYang <yippeetry at gmail.com>
+Date: Thu Dec 8 14:21:43 2016 +0800
+
+ rgw: do not abort when accept a CORS request with short origin
+
+ Fixed: #18187
+
+ when accept a CROS request, the request http origin shorter than the bucket's corsrule
+ (eg. origin: http://s.com corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).
+ the rgw_cors.cc::is_string_in_set() will have a wrong index, the radosrgw server will
+ abort.
+
+ $ curl http://test.localhost:8000/app.data -H "Origin:http://s.com"
+
+ 0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 *** Caught signal (Aborted) **
+ in thread 7f6add05d700 thread_name:civetweb-worker
+
+ ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
+ 1: (()+0x50720a) [0x7f6b147c420a]
+ 2: (()+0xf370) [0x7f6b09a33370]
+ 3: (gsignal()+0x37) [0x7f6b081ca1d7]
+ 4: (abort()+0x148) [0x7f6b081cb8c8]
+ 5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
+ 6: (()+0x5e946) [0x7f6b08acc946]
+ 7: (()+0x5e973) [0x7f6b08acc973]
+ 8: (()+0x5eb93) [0x7f6b08accb93]
+ 9: (std::__throw_out_of_range(char const*)+0x77) 0x7f6b08b21a17]
+ 10: (()+0xbd97a) [0x7f6b08b2b97a]
+ 11: (()+0x449c1e) [0x7f6b14706c1e]
+ 12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
+ 13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
+ 14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
+ 15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]
+
+ Signed-off-by: LiuYang <yippeetry at gmail.com>
+
+diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
+index 1ad5b43136..f2c7f3ac64 100644
+--- a/src/rgw/rgw_cors.cc
++++ b/src/rgw/rgw_cors.cc
+@@ -104,7 +104,8 @@ static bool is_string_in_set(set<string>& s, string h) {
+ string sl = ssplit.front();
+ dout(10) << "Finding " << sl << ", in " << h
+ << ", at offset not less than " << flen << dendl;
+- if (h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
++ if (h.size() < sl.size() ||
++ h.compare((h.size() - sl.size()), sl.size(), sl) != 0)
+ continue;
+ ssplit.pop_front();
+ }
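Review bot: The added `h.size() < sl.size()` check in is_string_in_set() bounds only the suffix compare against `sl`, and the patch carries no regression test for the case its commit message describes (Origin http://s.com against an AllowedOrigin of *.verylongdomain.com). The dout line in the context refers to a second length, `flen`, so it is worth confirming that any other compare in this function that computes its position from these sizes is guarded the same way, and adding a unit test that passes an origin shorter than the rule's suffix. On the packaging side, the patch file begins with the raw upstream commit header; DEP-3 fields such as Origin: and Bug-Debian: would record the upstream commit and #849048 inside the patch itself.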
diff --git a/debian/patches/series b/debian/patches/series
index 8ac47ad..4395db6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,6 +16,9 @@ rbdmap1-mount.patch
rbdmap2-hooks.patch
CVE-2015-5245.patch
+## Security
+cve-2016-9579_short_cors_request.patch
+
## Debian
rbdmap3-lazyumount.patch
arch.patch
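Review bot: The new `## Security` header lands below `CVE-2015-5245.patch`, so the existing CVE patch sits outside the section meant to group security fixes, and the two file names differ in case (`CVE-2015-5245.patch` versus `cve-2016-9579_short_cors_request.patch`). Moving the header up one line, above `CVE-2015-5245.patch`, keeps the apply order unchanged and puts both fixes under it; settling on one naming convention would make later CVE patches easier to find in the series.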
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ceph/ceph.git