ceph.git
4 months ago  [PATCH] client: disallow unprivileged users to escalate root privileges
Xiubo Li [Wed, 3 Apr 2024 11:02:08 +0000 (19:02 +0800)]
[PATCH] client: disallow unprivileged users to escalate root privileges

An unprivileged user can `chmod 777` a directory owned by root
and gain access. Fix this bug and also add a test case for the
same.

Signed-off-by: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Venky Shankar <vshankar@redhat.com>
origin: backport, https://github.com/ceph/ceph/commit/b6d85b595ea7c9e0fca10d5e77a48102110fe22c
bug-github-pull: https://github.com/ceph/ceph/pull/60314
bug: https://github.com/ceph/ceph/security/advisories/GHSA-89hm-qq33-2fjm
bug-debian: https://bugs.debian.org/1108410

Gbp-Pq: Name CVE-2025-52555-1.patch
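
The commit above only says that an unprivileged user could `chmod 777` a root-owned directory and then use it; it does not show the check. The following is an added example, not Ceph client code, modelling the POSIX rule such a fix has to enforce (only the owner or a CAP_FOWNER-capable caller may change a file's mode) next to a variant that skips the owner check, so the bypass can be reproduced. The `Caller`/`Inode` structures, uids and the 0700 directory are this example's own constructions, not CephFS internals.

```python
"""Added example (not Ceph client code): the owner check that stops
an unprivileged user from chmod 777'ing a root-owned directory.

Model only: Caller/Inode, the uids and the directory below are
constructed for illustration and are not CephFS structures."""
import errno
from dataclasses import dataclass

EPERM = errno.EPERM


@dataclass
class Caller:
    uid: int
    gid: int
    groups: tuple = ()


@dataclass
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o755


def may_access(caller: Caller, inode: Inode, want: int) -> bool:
    """POSIX discretionary access check. `want` is an rwx mask (0o4/0o2/0o1)."""
    if caller.uid == 0:
        # root: read/write always; execute needs at least one x bit set
        return (want & 1) == 0 or (inode.mode & 0o111) != 0
    if caller.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif caller.gid == inode.gid or inode.gid in caller.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (want & ~bits) == 0


def chmod_vulnerable(caller: Caller, inode: Inode, mode: int) -> int:
    """The missing check: any caller may rewrite the mode bits."""
    inode.mode = mode & 0o7777
    return 0


def chmod_fixed(caller: Caller, inode: Inode, mode: int) -> int:
    """POSIX: the caller must own the inode or be root (CAP_FOWNER)."""
    if caller.uid != 0 and caller.uid != inode.uid:
        return -EPERM
    inode.mode = mode & 0o7777
    return 0


def escalation_attempt(chmod) -> tuple:
    """Constructed scenario: a root-owned 0700 directory and an unprivileged
    caller who runs chmod 777 on it and then tries read+write+exec.
    Returns (chmod return code, whether access is then granted)."""
    root_dir = Inode(uid=0, gid=0, mode=0o700)
    attacker = Caller(uid=1000, gid=1000)
    rc = chmod(attacker, root_dir, 0o777)
    return rc, may_access(attacker, root_dir, 0o7)


if __name__ == "__main__":
    print("without owner check:", escalation_attempt(chmod_vulnerable))
    print("with owner check:   ", escalation_attempt(chmod_fixed))
```

The same rule has to hold for every metadata change that can widen access (owner, group, ACLs), not only for the mode bits; the example checks mode only because that is the case the commit names.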

4 months ago  CVE-2023-43040 rgw: Fix bucket validation against POST policies
Joshua Baergen [Wed, 17 May 2023 18:17:09 +0000 (12:17 -0600)]
CVE-2023-43040 rgw: Fix bucket validation against POST policies

It's possible that user could provide a form part as a part of a POST
object upload that uses 'bucket' as a key; in this case, it was
overriding what was being set in the validation env (which is the real
bucket being modified). The result of this is that a user could actually
upload to any bucket accessible by the specified access key by matching
the bucket in the POST policy in said POST form part.

Fix this simply by setting the bucket to the correct value after the
POST form parts are processed, ignoring the form part above if
specified.

bug: https://tracker.ceph.com/issues/63004
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053690
bug-debian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2023-43040

Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
origin: backport, https://github.com/ceph/ceph/commit/479976538fe8f51edfea597443ba0c0209d3f39f

Gbp-Pq: Name CVE-2023-43040.patch
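
The bug class in the commit above (a client-supplied form part overwriting a key the server itself put into the validation environment) is easy to model. Below is an added example, not rgw's code, with the pre-fix ordering next to the post-fix ordering. The policy document shape follows the S3 POST policy format (`{"bucket": ...}` shorthand and `["starts-with", "$key", ...]` conditions); the `env` dictionary, the function names and the constructed attack form are this example's assumptions.

```python
"""Added example (not rgw code) of CVE-2023-43040's bug class: a POST
form part named 'bucket' clobbering the server-set bucket in the policy
validation environment.

The policy shape follows S3 POST policies; env handling, function names
and the sample request are this example's own constructions."""
import base64
import json


def parse_policy(policy_b64: str) -> list:
    """Decode a base64 JSON policy into (operator, key, value) triples.
    {"bucket": "x"} is shorthand for ["eq", "$bucket", "x"]."""
    doc = json.loads(base64.b64decode(policy_b64))
    conds = []
    for cond in doc["conditions"]:
        if isinstance(cond, dict):
            for key, value in cond.items():
                conds.append(("eq", key, value))
        else:
            op, key, value = cond
            conds.append((op, key.lstrip("$"), value))
    return conds


def policy_matches(conds: list, env: dict) -> bool:
    for op, key, value in conds:
        actual = env.get(key)
        if actual is None:
            return False
        if op == "eq" and actual != value:
            return False
        if op == "starts-with" and not actual.startswith(value):
            return False
    return True


def validate_vulnerable(target_bucket: str, form: dict, policy_b64: str) -> bool:
    """Pre-fix ordering: the real bucket goes into env first, then every
    form part is copied over it, so a part named 'bucket' wins."""
    env = {"bucket": target_bucket}
    for name, value in form.items():
        env[name] = value
    return policy_matches(parse_policy(policy_b64), env)


def validate_fixed(target_bucket: str, form: dict, policy_b64: str) -> bool:
    """Post-fix ordering: form parts first, then the real bucket is set
    afterwards, so a client-supplied 'bucket' part is ignored."""
    env = {}
    for name, value in form.items():
        env[name] = value
    env["bucket"] = target_bucket
    return policy_matches(parse_policy(policy_b64), env)


def make_policy(bucket: str, key_prefix: str) -> str:
    doc = {"expiration": "2030-01-01T00:00:00Z",
           "conditions": [{"bucket": bucket},
                          ["starts-with", "$key", key_prefix]]}
    return base64.b64encode(json.dumps(doc).encode()).decode()


# Constructed scenario: the policy was issued for bucket "uploads", but the
# request is POSTed to bucket "victim" with an extra form part bucket=uploads.
SIGNED_POLICY = make_policy("uploads", "user/")
ATTACK_FORM = {"key": "user/evil.bin", "bucket": "uploads"}

if __name__ == "__main__":
    print("vulnerable accepts:", validate_vulnerable("victim", ATTACK_FORM, SIGNED_POLICY))
    print("fixed accepts:     ", validate_fixed("victim", ATTACK_FORM, SIGNED_POLICY))
```

The general lesson is the one the commit applies: any value the server derives from the request line or its own state must be written into the validation context after, never before, untrusted client fields are merged in.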

4 months ago  ceph-volume: honour osd_dmcrypt_key_size option
Guillaume Abrioux [Tue, 25 Jan 2022 09:25:53 +0000 (10:25 +0100)]
ceph-volume: honour osd_dmcrypt_key_size option

ceph-volume doesn't honour osd_dmcrypt_key_size.
It means the default size is always applied.

It also changes the default value in `get_key_size_from_conf()`

From cryptsetup manpage:

> For XTS mode you can optionally set a key size of 512 bits with the -s option.

Using more than 512 bits will end up with the following error message:

```
Key size in XTS mode must be 256 or 512 bits.
```

Fixes: https://tracker.ceph.com/issues/54006
Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
(cherry picked from commit 47c33179f9a15ae95cc1579a421be89378602656)

origin: https://github.com/ceph/ceph/commit/f69339e00f582ec64b843ff58b66817975fca0d7
bug: https://tracker.ceph.com/issues/54006

Gbp-Pq: Name CVE-2021-3979.patch
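
As an added example, not ceph-volume's code, here is how the option above can be honoured safely: read `osd_dmcrypt_key_size` from ceph.conf (both the underscore and the space spelling Ceph accepts), refuse any value cryptsetup's XTS mode would reject instead of silently applying a default, and size the key material and the `luksFormat` invocation from the result. The 512-bit default, the lookup order and the command-line shape are this example's assumptions; the page does not state what ceph-volume's own default became.

```python
"""Added example (not ceph-volume code): honour osd_dmcrypt_key_size and
validate it against what cryptsetup accepts for XTS mode.

Assumed: the 512-bit default, osd-then-global lookup order and the
cryptsetup command line below."""
import configparser
import os

XTS_KEY_BITS = (256, 512)   # cryptsetup: "Key size in XTS mode must be 256 or 512 bits."
DEFAULT_KEY_BITS = 512      # an XTS key is two AES keys, so 512 bits = AES-256-XTS
OPTION = "osd_dmcrypt_key_size"


def parse_conf(text: str) -> configparser.ConfigParser:
    conf = configparser.ConfigParser()
    conf.read_string(text)
    return conf


def _lookup(conf, section: str, option: str):
    # ceph.conf treats "osd dmcrypt key size" and "osd_dmcrypt_key_size" alike
    for name in (option, option.replace("_", " ")):
        if conf.has_option(section, name):
            return conf.get(section, name)
    return None


def key_size_from_conf(conf, section: str = "osd") -> int:
    """Return the configured key size in bits, or the default if unset.
    Out-of-range values are an error, not a fallback to the default."""
    raw = _lookup(conf, section, OPTION)
    if raw is None:
        raw = _lookup(conf, "global", OPTION)
    if raw is None:
        return DEFAULT_KEY_BITS
    bits = int(raw)
    if bits not in XTS_KEY_BITS:
        raise ValueError(f"{OPTION}={bits}: XTS key size must be 256 or 512 bits")
    return bits


def generate_key(bits: int) -> bytes:
    """dm-crypt key material; its length must match --key-size exactly."""
    return os.urandom(bits // 8)


def luks_format_cmd(device: str, bits: int) -> list:
    """cryptsetup invocation reading the key from stdin (--key-file -)."""
    return ["cryptsetup", "--batch-mode", "--key-file", "-",
            "--cipher", "aes-xts-plain64", "--key-size", str(bits),
            "luksFormat", device]


if __name__ == "__main__":
    # constructed ceph.conf fragment
    conf = parse_conf("[global]\nfsid = 00000000-0000-0000-0000-000000000000\n"
                      "[osd]\nosd dmcrypt key size = 256\n")
    bits = key_size_from_conf(conf)
    key = generate_key(bits)
    print(bits, len(key), " ".join(luks_format_cmd("/dev/sdb", bits)))
```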

4 months ago  CVE-2022-3650: ceph-crash: fix stderr handling
Tim Serong [Wed, 2 Nov 2022 03:23:20 +0000 (14:23 +1100)]
CVE-2022-3650: ceph-crash: fix stderr handling

Bug: a77b47eeeb5770eeefcf4619ab2105ee7a6a003e
Signed-off-by: Tim Serong <tserong@suse.com>
Bug-Debian: https://bugs.debian.org/1024932
Origin: upstream, https://github.com/ceph/ceph/commit/45915540559126a652f8d9d105723584cfc63439
Last-Update: 2022-11-28

Popen.communicate() returns a tuple (stdout, stderr), and stderr
will be of type bytes, hence the need to decode it before checking
if it's an empty string or not.

Gbp-Pq: Name CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch

4 months ago  CVE-2022-3650: ceph-crash: drop privileges to run as "ceph" user, rather than root
Tim Serong [Wed, 2 Nov 2022 03:27:47 +0000 (14:27 +1100)]
CVE-2022-3650: ceph-crash: drop privileges to run as "ceph" user, rather than root

Bug: https://tracker.ceph.com/issues/57967
Signed-off-by: Tim Serong <tserong@suse.com>
Origin: upstream, https://github.com/ceph/ceph/commit/130c9626598bc3a75942161e6cce7c664c447382
Bug-Debian: https://bugs.debian.org/1024932
Last-Update: 2022-11-28

If privileges cannot be dropped, log an error and exit.  This commit
also catches and logs exceptions when scraping the crash path, without
which ceph-crash would just exit if it encountered an error.

Gbp-Pq: Name CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
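
The two CVE-2022-3650 commits above describe three behaviours: switch from root to the `ceph` user before touching the crash directory and exit if that is impossible, keep going when one crash entry cannot be processed, and compare the helper's decoded stderr rather than the raw bytes. The block below is an added example that is not ceph-crash's own code and covers all three. Assumed here: the `<crash_path>/<id>/meta` layout, the sample uid/gid values, and the helper command (a stand-in for whatever the real daemon invokes); the privilege-drop primitives are injectable so the logic can be exercised without root.

```python
"""Added example, not ceph-crash code, for the CVE-2022-3650 fixes:
privilege drop that fails closed, per-entry error handling while
scraping, and checking decoded stderr.

Assumed: the <crash_path>/<id>/meta layout, sample uid/gid values and
the helper command used for demonstration."""
import logging
import os
import pwd
import subprocess
import sys
import tempfile

log = logging.getLogger("ceph-crash-example")
PYTHON = sys.executable


def drop_privileges(uid: int, gid: int, *, setgid=os.setgid, setuid=os.setuid) -> bool:
    """Switch to uid/gid, gid first: once the uid is unprivileged, setgid()
    would no longer be permitted. Returns False (after logging) if the switch
    fails, so the caller exits instead of carrying on as root."""
    try:
        setgid(gid)
        setuid(uid)
    except OSError as e:
        log.error("cannot drop privileges to uid=%d gid=%d: %s", uid, gid, e)
        return False
    return True


def stderr_nonempty_buggy(err: bytes) -> bool:
    # What the pre-fix check amounted to: bytes never equal a str, so
    # every run looked like it had produced an error.
    return err != ""


def stderr_nonempty_fixed(err: bytes) -> bool:
    return err.decode(errors="replace").strip() != ""


def run_helper(cmd: list) -> tuple:
    """Run cmd; communicate() returns (stdout, stderr) as bytes."""
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = p.communicate()
    return p.returncode, out, err


def helper_failed(returncode: int, err: bytes) -> bool:
    return returncode != 0 or stderr_nonempty_fixed(err)


def scrape_crash_dir(crash_path: str, post) -> list:
    """Call post(meta_text) for every <crash_path>/<id>/meta. A broken entry
    is logged and skipped instead of taking the whole daemon down."""
    done = []
    for crash_id in sorted(os.listdir(crash_path)):
        meta = os.path.join(crash_path, crash_id, "meta")
        try:
            with open(meta) as f:
                post(f.read())
            done.append(crash_id)
        except Exception as e:  # one bad entry must not stop the scrape
            log.warning("could not post crash %s: %s", crash_id, e)
    return done


def build_sample_crash_dir() -> str:
    """Constructed input: one well-formed entry and one missing its meta."""
    d = tempfile.mkdtemp(prefix="crash-example-")
    os.makedirs(os.path.join(d, "2024-01-01_aaaa"))
    with open(os.path.join(d, "2024-01-01_aaaa", "meta"), "w") as f:
        f.write('{"crash_id": "2024-01-01_aaaa"}\n')
    os.makedirs(os.path.join(d, "2024-01-02_bbbb"))  # no meta -> skipped
    return d


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    if os.getuid() == 0:
        try:
            pw = pwd.getpwnam("ceph")
        except KeyError:
            log.error("no 'ceph' user on this host; refusing to run as root")
            sys.exit(1)
        if not drop_privileges(pw.pw_uid, pw.pw_gid):
            sys.exit(1)
    rc, _, err = run_helper([PYTHON, "-c", "import sys; sys.stderr.write('')"])
    print("helper failed:", helper_failed(rc, err))
    print("posted:", scrape_crash_dir(build_sample_crash_dir(), print))
```

Dropping to `ceph` is what makes the stderr bug relevant in the first place: a daemon that stays root while reading an attacker-writable crash directory has no second line of defence if its parsing or error handling goes wrong.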

4 months ago  allow BGP-to-the-host style binding
Ceph Packaging Team [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
allow BGP-to-the-host style binding

Forwarded: no
Last-Update: 2021-04-21

Gbp-Pq: Name allow-bgp-to-host.patch

4 months ago  Fix systemd ceph-osd.target
Thomas Goirand [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Fix systemd ceph-osd.target

Forwarded: no
Last-Update: 2021-01-28

This helps when rebooting.

Gbp-Pq: Name fix-ceph-osd-systemd-target.patch

4 months ago  Another cmakelists fix
Thomas Goirand [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Another cmakelists fix

Forwarded: no
Last-Update: 2021-01-08

This fixes the last Boost 1.74 compatibility problems.

Gbp-Pq: Name another-cmakelists-fix.patch

4 months ago  cmake: add 1.74 to known versions
Kefu Chai [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
cmake: add 1.74 to known versions

Bug-Debian: https://bugs.debian.org/977243
Origin: upstream, https://github.com/ceph/ceph/commit/b6a94da6149e50bdd43752919d7c01b04c59f79e.patch
Last-Update: 2020-12-13

Gbp-Pq: Name cmake_add_1.74_to_known_versions.patch

4 months ago  cmake: define BOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT for Boost.Asio users
Kefu Chai [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
cmake: define BOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT for Boost.Asio users

Signed-off-by: Kefu Chai <kchai@redhat.com>
Origin: upstream, https://github.com/ceph/ceph/commit/3d708219092d0e89a1434c30ffc8a4999f062cc0.patch
Bug-Debian: https://bugs.debian.org/977243
Last-Update: 2021-03-24

see also
https://www.boost.org/doc/libs/1_74_0/doc/html/boost_asio/std_executors.html#boost_asio.std_executors.polymorphic_i_o_executor

we could use `asio::any_io_executor` later on though for better
performance.

also, define CMP0093, so FindBoost reports Boost_VERSION in x.y.z
format. it is simpler to use `VERSION_GREATER_EQUAL` to compare its
version with 1.74 instead of its C macro version ("107000").

Gbp-Pq: Name cmake_define_BOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT_for_Boost.Asio_users.patch

4 months ago  Make Ceph Python 3.9 aware
Thomas Goirand [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Make Ceph Python 3.9 aware

Forwarded: no
Last-Update: 2020-11-28

Add versions of interpreters Ceph didn't know about.

Gbp-Pq: Name make-ceph-python-3.9-aware.patch

4 months ago  mds-purgequeue-use_uint64_t
Ceph Packaging Team [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
mds-purgequeue-use_uint64_t

Gbp-Pq: Name mds-purgequeue-use_uint64_t.patch

4 months ago  Link with -pthread instead of -lpthread to fix FTBFS on riscv64
Ceph Packaging Team [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Link with -pthread instead of -lpthread to fix FTBFS on riscv64

Forwarded: no
Last-Update: 2020-03-01

Gbp-Pq: Name riscv64-link-pthread.patch

4 months ago  add-option-to-disable-ceph-dencoder
Ceph Packaging Team [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
add-option-to-disable-ceph-dencoder

Gbp-Pq: Name add-option-to-disable-ceph-dencoder.patch

4 months ago  fix-bash-completion-location
Ceph Packaging Team [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
fix-bash-completion-location

Gbp-Pq: Name fix-bash-completion-location

4 months ago  debian-armel-armhf-buildflags
Ceph Packaging Team [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
debian-armel-armhf-buildflags

Gbp-Pq: Name debian-armel-armhf-buildflags.patch

4 months ago  [PATCH] os/bluestore/BlueFS: use uint64_t for `len`
Kefu Chai [Fri, 28 Jun 2019 03:35:54 +0000 (11:35 +0800)]
[PATCH] os/bluestore/BlueFS: use uint64_t for `len`

change the type of parameter `len` of `BlueFS::_read_random()` from
`size_t` to `uint64_t`.

I think the type of `size_t` comes from
`rocksdb::RandomAccessFile::Read(uint64_t offset, size_t n,
rocksdb::Slice* result, char* scratch)`. And when we implemented this
method, we continued using `n`'s type. But we are using it with
`std::min()`, for instance, where the template parameter type deduction
fails if the lhs and rhs parameters' types are different. So probably the
better solution is to use `uint64_t` directly to avoid the cast and
specializing the template.

Signed-off-by: Kefu Chai <kchai@redhat.com>
Gbp-Pq: Name bluefs-use-uint64_t-for-len.patch

4 months ago  Adds max_connections to test display.
Jesse Williamson [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Adds max_connections to test display.

Origin: upstream, https://github.com/civetweb/civetweb/pull/776/commits/3b8eb36676f70d06f8918ccf62029207c49cdda0
Bug: https://github.com/civetweb/civetweb/issues/775
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1838109

Gbp-Pq: Name civetweb-755-1.8-somaxconn-configurable_test.patch

4 months ago  Makes SOMAXCONN user-configurable.
Jesse Williamson [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Makes SOMAXCONN user-configurable.

Origin: upstream, https://github.com/civetweb/civetweb/pull/776/commits/febab7dc38c9671577603425c54c20f841e27f97
Bug: https://github.com/civetweb/civetweb/issues/775
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1838109

Gbp-Pq: Name civetweb-755-1.8-somaxconn-configurable.patch

4 months ago  Adds max_connections to reference configuration.
Jesse Williamson [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Adds max_connections to reference configuration.

Origin: upstream, https://github.com/civetweb/civetweb/pull/776/commits/3b8eb36676f70d06f8918ccf62029207c49cdda0
Bug: https://github.com/civetweb/civetweb/issues/775
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1838109

Gbp-Pq: Name civetweb-755-1.8-somaxconn-configurable_conf.patch

4 months ago  Avoid use of size_t when necessary
James Page james.page@ubuntu.com, Bernd Zeimetz [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Avoid use of size_t when necessary

Forwarded: no

On 32 bit architectures size_t is not a 64 bit type, which
causes comparison mismatch failures during compilation.

Gbp-Pq: Name 32bit-avoid-size_t.patch

4 months ago  Avoid overloading on 32 bit architectures
James Page james.page@ubuntu.com, Bernd Zeimetz [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Avoid overloading on 32 bit architectures

Forwarded: no

unsigned and size_t are equivalent on 32 bit architectures,
so only define the size_t based overload of advance on 64
bit architectures.
https://wiki.debian.org/ArchitectureSpecificsMemo

Gbp-Pq: Name 32bit-avoid-overloading.patch

4 months ago  disable-crypto
Ceph Packaging Team [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
disable-crypto

Gbp-Pq: Name disable-crypto.patch

4 months ago  use --release 7 instead of -source/-target
Tiago Stürmer Daitx [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
use --release 7 instead of -source/-target

Bug-Ubuntu: https://launchpad.net/bugs/1756854
Bug-Ubuntu: https://launchpad.net/bugs/1766998
Forwarded: no
Last-Update: 2018-04-24

Instead of -source/-target ceph should be built with --release for OpenJDK 9
or later so that the bootclasspath is also set, as per JEP-247, otherwise it
risks incurring binary incompatibility when run with an earlier OpenJDK.
OpenJDK 11 minimum compatibility release has been updated to 7.

Gbp-Pq: Name update-java-source-target-flags.patch

4 months ago  ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium
Bastien Roucariès [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium

  [ Thomas Goirand ]

  * CVE-2022-3650: privilege escalation from the ceph user to root. Applied
    upstream patches (Closes: #1024932).

  [ Bastien Roucariès ]
  * CVE-2021-3979:
    A key length flaw was found. An attacker can exploit the
    fact that the key length is incorrectly passed in an
    encryption algorithm to create a non-random key,
    which is weaker and can be exploited for loss of
    confidentiality and integrity on encrypted disks.
  * CVE-2023-43040 rgw: Fix bucket validation against POST policies
    (Closes: #1053690)
  * CVE-2025-52555: an unprivileged user can escalate to root
    privileges in a ceph-fuse mounted CephFS by running chmod 777
    on a directory owned by root to gain access. The result
    of this is that a user could read, write and execute
    in any directory owned by root as long as they chmod
    777 it. This impacts confidentiality, integrity, and availability.
    (Closes: #1108410)

[dgit import unpatched ceph 14.2.21-1+deb11u1]

4 months ago  Import ceph_14.2.21-1+deb11u1.debian.tar.xz
Bastien Roucariès [Mon, 22 Sep 2025 20:55:44 +0000 (22:55 +0200)]
Import ceph_14.2.21-1+deb11u1.debian.tar.xz

[dgit import tarball ceph 14.2.21-1+deb11u1 ceph_14.2.21-1+deb11u1.debian.tar.xz]

4 years ago  Import ceph_14.2.21.orig.tar.gz
Thomas Goirand [Thu, 27 May 2021 10:04:21 +0000 (12:04 +0200)]
Import ceph_14.2.21.orig.tar.gz

[dgit import orig ceph_14.2.21.orig.tar.gz]