diff --git a/SPECS/ceph/CVE-2012-6708.patch b/SPECS/ceph/CVE-2012-6708.patch
new file mode 100644
index 00000000000..1df32083103
--- /dev/null
+++ b/SPECS/ceph/CVE-2012-6708.patch
@@ -0,0 +1,28 @@
+From c993d7d4b9ddb5d9dcb0c4120f798730aacfff0a Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood
+Date: Mon, 13 Jan 2025 14:53:54 -0800
+Subject: [PATCH] Adjust jQuery('html') detection to only match when html
+ starts with '<' (not counting space characters). Fixes #11290.
+
+Source: https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d.patch
+---
+ qa/workunits/erasure-code/jquery.js | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/qa/workunits/erasure-code/jquery.js b/qa/workunits/erasure-code/jquery.js
+index 8c24ffc61..45c208837 100644
+--- a/qa/workunits/erasure-code/jquery.js
++++ b/qa/workunits/erasure-code/jquery.js
+@@ -56,7 +56,8 @@ var
+
+ // A simple way to check for HTML strings
+ // Prioritize #id over to avoid XSS via location.hash (#9521)
+- rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
++ // Strict HTML recognition (#11290: must start with <)
++ rquickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
+
+ // Match a standalone tag
+ rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>|)$/,
+--
+2.34.1
+
diff --git a/SPECS/ceph/CVE-2014-5461.patch b/SPECS/ceph/CVE-2014-5461.patch
new file mode 100644
index 00000000000..779156484c4
--- /dev/null
+++ b/SPECS/ceph/CVE-2014-5461.patch
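Review bot: In CVE-2012-6708.patch the subject line says the match should start with '<' "not counting space characters", but the new `rquickExpr` puts `<` directly after `^` with no `\s*`, so a string with leading whitespace before the tag no longer takes the HTML path at all. That is the stricter outcome, but it differs from what the subject describes, so compare the regex with the upstream commit named in `Source:` to confirm it was carried over unchanged. The in-file comment should then state the behaviour, for example `// Strict HTML recognition (#11290: must start with <, leading whitespace is not skipped)`. The `var` block this line belongs to starts and ends outside the hunk, so any trimming done before the regex is applied is not visible here.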
@@ -0,0 +1,29 @@
+From 4c6ecee6fcb3c3deead402098c6de1cfd53bb91b Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood
+Date: Tue, 28 Jan 2025 15:47:50 -0800
+Subject: [PATCH] Patch ceph to fix CVE-2014-5461
+
+Stack overflow in vararg functions with many fixed parameters called
+with few arguments.
+
+Link: https://www.lua.org/bugs.html#5.2.2-1
+---
+ .../3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c b/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c
+index d1bf786cb..30333bfa5 100644
+--- a/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c
++++ b/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c
+@@ -274,7 +274,7 @@ int luaD_precall (lua_State *L, StkId func, int nresults) {
+ CallInfo *ci;
+ StkId st, base;
+ Proto *p = cl->p;
+- luaD_checkstack(L, p->maxstacksize);
++ luaD_checkstack(L, p->maxstacksize + p->numparams);
+ func = restorestack(L, funcr);
+ if (!p->is_vararg) { /* no varargs? */
+ base = func + 1;
+--
+2.34.1
+
diff --git a/SPECS/ceph/CVE-2015-9251.patch b/SPECS/ceph/CVE-2015-9251.patch
new file mode 100644
index 00000000000..60617f2777a
--- /dev/null
+++ b/SPECS/ceph/CVE-2015-9251.patch
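Review bot: CVE-2014-5461.patch fixes `ldo.c` only in the Lua 5.1.5 copy under `src/jaegertracing/opentelemetry-cpp/third_party/…`, while the 18.2.2-3 changelog entry in ceph.spec says opentelemetry-cpp is not built and was removed. Confirm that this path still exists when `%autosetup -p1` runs, and that no other bundled Lua copy in the tarball still has the unpatched `luaD_checkstack(L, p->maxstacksize)` call; if only this unbuilt copy is patched, the shipped binaries may be unchanged by the fix. The changed line would also benefit from a why-comment such as `/* reserve room for the fixed params too: vararg calls with few arguments overflowed the stack (CVE-2014-5461) */`. The body of `luaD_precall` starts and ends outside the hunk.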
@@ -0,0 +1,32 @@
+From 124fa2abfde0939c5a7684be1c9f11565888a3a5 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood
+Date: Tue, 28 Jan 2025 17:30:43 -0800
+Subject: [PATCH] [Medium] Patch ceph to fix CVE-2015-9251
+
+Link: https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc.patch
+---
+ qa/workunits/erasure-code/jquery.js | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/qa/workunits/erasure-code/jquery.js b/qa/workunits/erasure-code/jquery.js
+index 8c24ffc61..f4ce660b1 100644
+--- a/qa/workunits/erasure-code/jquery.js
++++ b/qa/workunits/erasure-code/jquery.js
+@@ -8245,6 +8245,14 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) {
+ return "script";
+ }
+ });
++
++// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
++jQuery.ajaxPrefilter( function( s ) {
++ if ( s.crossDomain ) {
++ s.contents.script = false;
++ }
++} );
++
+ // Install script dataType
+ jQuery.ajaxSetup({
+ accepts: {
+-- 
+2.34.1
+
diff --git a/SPECS/ceph/CVE-2020-22217.patch b/SPECS/ceph/CVE-2020-22217.patch
new file mode 100644
index 00000000000..62898d5dd23
--- /dev/null
+++ b/SPECS/ceph/CVE-2020-22217.patch
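Review bot: The new prefilter in CVE-2015-9251.patch replaces the `contents.script` matcher with `false`, and the code that consumes `s.contents` when sniffing the response content type is outside the hunk. This is a backport onto an older jQuery copy, so confirm that the loop guards each entry (for example `contents[ type ] && contents[ type ].test( ct )`) before calling `.test`. Without that guard every cross-domain request would throw instead of simply skipping script detection. The reference `(See gh-2432)` points at jQuery's tracker rather than Ceph's, so the comment would be clearer as `(see jquery/jquery gh-2432, CVE-2015-9251)`.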
@@ -0,0 +1,27 @@
+From 97568ddb836a9680c93335a3f8ca0f2c0616ccdc Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood
+Date: Mon, 27 Jan 2025 16:19:53 -0800
+Subject: [PATCH] Fix CVE-2020-22217 in c-ares
+
+Link: https://github.com/c-ares/c-ares/pull/332
+---
+ src/c-ares/ares_parse_soa_reply.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/c-ares/ares_parse_soa_reply.c b/src/c-ares/ares_parse_soa_reply.c
+index 35af0a75c..5924bbca9 100644
+--- a/src/c-ares/ares_parse_soa_reply.c
++++ b/src/c-ares/ares_parse_soa_reply.c
+@@ -65,6 +65,9 @@ ares_parse_soa_reply(const unsigned char *abuf, int alen,
+ status = ares__expand_name_for_response(aptr, abuf, alen, &qname, &len);
+ if (status != ARES_SUCCESS)
+ goto failed_stat;
++
++ if (alen <= len + HFIXEDSZ + 1)
++ goto failed;
+ aptr += len;
+
+ /* skip qtype & qclass */
+--
+2.34.1
+
diff --git a/SPECS/ceph/ceph.spec b/SPECS/ceph/ceph.spec
index 5b6a0045925..21eca3429e8 100644
--- a/SPECS/ceph/ceph.spec
+++ b/SPECS/ceph/ceph.spec
@@ -1,11 +1,11 @@
 #disable debuginfo because ceph-debuginfo rpm is too large
 %define debug_package %{nil}
 %define _unpackaged_files_terminate_build 0
-
+
 Summary: User space components of the Ceph file system
 Name: ceph
 Version: 18.2.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0
 URL: https://ceph.io/
 Vendor: Microsoft Corporation
@@ -14,6 +14,10 @@ Source0: https://download.ceph.com/tarballs/%{name}-%{version}.tar.gz
 Patch0: 0034-src-pybind-rbd-rbd.pyx.patch
 Patch1: 0032-cmake-modules-BuildBoost.cmake.patch
 Patch2: CVE-2024-52338.patch
+Patch3: CVE-2014-5461.patch
+Patch4: CVE-2020-22217.patch
+Patch5: CVE-2015-9251.patch
+Patch6: CVE-2012-6708.patch
 #
 # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file
 # at the top-level directory of this distribution and at
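Review bot: In CVE-2020-22217.patch the added length check jumps to `failed` after `ares__expand_name_for_response` has already returned successfully and, presumably, allocated `qname`. The `failed` and `failed_stat` labels are outside the hunk, so confirm that the `failed` path releases `qname` in this bundled c-ares version; otherwise each rejected short reply would leak it. The check also has no explanation of what the bound protects, so a comment such as `/* reject replies too short to hold the header, the question name and the data that follows (CVE-2020-22217) */` would help the next reader. The function body starts and ends outside the hunk.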
@@ -895,7 +899,7 @@ This package provides a Ceph hardware monitoring agent. # common ################################################################################# %prep -%autosetup -p1 +%autosetup -p1 %build pwd @@ -2004,6 +2008,12 @@ exit 0 %changelog +* Tue Jan 28 2025 Kevin Lockwood - 18.2.2-4 +- Fix for CVE-2014-5461 +- Fix for CVE-2020-22217 +- Fix for CVE-2015-9251 +- Fix for CVE-2012-6708 + * Tue Jan 01 2025 Sandeep Karambelkar - 18.2.2-3 - Based on the package build logs, opentelemetry-cpp submodule is not being built - Removing opentelemetry-cpp to address below CVEs as this submodule is not relevant