[Medium] Patch ceph to fix CVE-2014-5461 (#12123)

kevin-b-lockwood · web-flow · commit d419417f0bb4 · 2025-02-02T10:06:33.000-05:00
diff --git a/SPECS/ceph/CVE-2012-6708.patch b/SPECS/ceph/CVE-2012-6708.patch
@@ -0,0 +1,28 @@
+From c993d7d4b9ddb5d9dcb0c4120f798730aacfff0a Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Mon, 13 Jan 2025 14:53:54 -0800
+Subject: [PATCH] Adjust jQuery('html') detection to only match when html
+ starts with '<' (not counting space characters). Fixes #11290.
+
+Source: https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d.patch
+---
+ qa/workunits/erasure-code/jquery.js | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/qa/workunits/erasure-code/jquery.js b/qa/workunits/erasure-code/jquery.js
+index 8c24ffc61..45c208837 100644
+--- a/qa/workunits/erasure-code/jquery.js
++++ b/qa/workunits/erasure-code/jquery.js
+@@ -56,7 +56,8 @@ var
+ 
+ 	// A simple way to check for HTML strings
+ 	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+-	rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
++	// Strict HTML recognition (#11290: must start with <)
++	rquickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
+ 
+ 	// Match a standalone tag
+ 	rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>|)$/,
+-- 
+2.34.1
+
diff --git a/SPECS/ceph/CVE-2014-5461.patch b/SPECS/ceph/CVE-2014-5461.patch
@@ -0,0 +1,29 @@
+From 4c6ecee6fcb3c3deead402098c6de1cfd53bb91b Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Tue, 28 Jan 2025 15:47:50 -0800
+Subject: [PATCH] Patch ceph to fix CVE-2014-5461
+
+Stack overflow in vararg functions with many fixed parameters called
+with few arguments.
+
+Link: https://www.lua.org/bugs.html#5.2.2-1
+---
+ .../3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c       | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c b/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c
+index d1bf786cb..30333bfa5 100644
+--- a/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c
++++ b/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c
+@@ -274,7 +274,7 @@ int luaD_precall (lua_State *L, StkId func, int nresults) {
+     CallInfo *ci;
+     StkId st, base;
+     Proto *p = cl->p;
+-    luaD_checkstack(L, p->maxstacksize);
++    luaD_checkstack(L, p->maxstacksize + p->numparams);
+     func = restorestack(L, funcr);
+     if (!p->is_vararg) {  /* no varargs? */
+       base = func + 1;
+-- 
+2.34.1
+
diff --git a/SPECS/ceph/CVE-2015-9251.patch b/SPECS/ceph/CVE-2015-9251.patch
@@ -0,0 +1,32 @@
+From 124fa2abfde0939c5a7684be1c9f11565888a3a5 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Tue, 28 Jan 2025 17:30:43 -0800
+Subject: [PATCH] [Medium] Patch ceph to fix CVE-2015-9251
+
+Link: https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc.patch
+---
+ qa/workunits/erasure-code/jquery.js | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/qa/workunits/erasure-code/jquery.js b/qa/workunits/erasure-code/jquery.js
+index 8c24ffc61..f4ce660b1 100644
+--- a/qa/workunits/erasure-code/jquery.js
++++ b/qa/workunits/erasure-code/jquery.js
+@@ -8245,6 +8245,14 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) {
+ 		return "script";
+ 	}
+ });
++
++// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
++jQuery.ajaxPrefilter( function( s ) {
++    if ( s.crossDomain ) {
++        s.contents.script = false;
++    }
++} );
++
+ // Install script dataType
+ jQuery.ajaxSetup({
+ 	accepts: {
+-- 
+2.34.1
+
diff --git a/SPECS/ceph/CVE-2020-22217.patch b/SPECS/ceph/CVE-2020-22217.patch
@@ -0,0 +1,27 @@
+From 97568ddb836a9680c93335a3f8ca0f2c0616ccdc Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Mon, 27 Jan 2025 16:19:53 -0800
+Subject: [PATCH] Fix CVE-2020-22217 in c-ares
+
+Link: https://github.com/c-ares/c-ares/pull/332
+---
+ src/c-ares/ares_parse_soa_reply.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/c-ares/ares_parse_soa_reply.c b/src/c-ares/ares_parse_soa_reply.c
+index 35af0a75c..5924bbca9 100644
+--- a/src/c-ares/ares_parse_soa_reply.c
++++ b/src/c-ares/ares_parse_soa_reply.c
+@@ -65,6 +65,9 @@ ares_parse_soa_reply(const unsigned char *abuf, int alen,
+   status = ares__expand_name_for_response(aptr, abuf, alen, &qname, &len);
+   if (status != ARES_SUCCESS)
+     goto failed_stat;
++
++  if (alen <= len + HFIXEDSZ + 1)
++    goto failed;
+   aptr += len;
+ 
+   /* skip qtype & qclass */
+-- 
+2.34.1
+
diff --git a/SPECS/ceph/ceph.spec b/SPECS/ceph/ceph.spec
@@ -1,11 +1,11 @@
 #disable debuginfo because ceph-debuginfo rpm is too large
 %define debug_package %{nil}
 %define _unpackaged_files_terminate_build 0 
- 
+
 Summary:        User space components of the Ceph file system
 Name:           ceph
 Version:        18.2.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0
 URL:            https://ceph.io/
 Vendor:         Microsoft Corporation
@@ -14,6 +14,10 @@ Source0:        https://download.ceph.com/tarballs/%{name}-%{version}.tar.gz
 Patch0:         0034-src-pybind-rbd-rbd.pyx.patch
 Patch1:         0032-cmake-modules-BuildBoost.cmake.patch
 Patch2:         CVE-2024-52338.patch
+Patch3:         CVE-2014-5461.patch
+Patch4:         CVE-2020-22217.patch
+Patch5:         CVE-2015-9251.patch
+Patch6:         CVE-2012-6708.patch
 #
 # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file
 # at the top-level directory of this distribution and at
@@ -895,7 +899,7 @@ This package provides a Ceph hardware monitoring agent.
 # common
 #################################################################################
 %prep
-%autosetup -p1 
+%autosetup -p1
 
 %build
 pwd
@@ -2004,6 +2008,12 @@ exit 0
 
 
 %changelog
+* Tue Jan 28 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 18.2.2-4
+- Fix for CVE-2014-5461
+- Fix for CVE-2020-22217
+- Fix for CVE-2015-9251
+- Fix for CVE-2012-6708
+
 * Tue Jan 01 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 18.2.2-3
 - Based on the package build logs, opentelemetry-cpp submodule is not being built
 - Removing opentelemetry-cpp to address below CVEs as this submodule is not relevant
