Bug#849538: jessie-pu: package ceph/0.80.7-2+deb8u2

2017-01-06 Thread Adam D. Barratt 
Control: tags -1 + pending

On Sat, 2016-12-31 at 17:08 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2016-12-28 at 11:38 +0100, Gaudenz Steinlin wrote:
> > I would like to update ceph with the next stable point release to fix
> > the 4 security issues listed below. These are all minor issues which did
> > not warrant a DSA on their own, but are still worth fixing.
> > 
> > https://security-tracker.debian.org/tracker/CVE-2016-9579
> > https://security-tracker.debian.org/tracker/CVE-2016-5009
> > https://security-tracker.debian.org/tracker/CVE-2016-7031
> > https://security-tracker.debian.org/tracker/CVE-2016-8626
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam

Bug#849538: jessie-pu: package ceph/0.80.7-2+deb8u2

2016-12-31 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Wed, 2016-12-28 at 11:38 +0100, Gaudenz Steinlin wrote:
> I would like to update ceph with the next stable point release to fix
> the 4 security issues listed below. These are all minor issues which did
> not warrant a DSA on their own, but are still worth fixing.
> 
> https://security-tracker.debian.org/tracker/CVE-2016-9579
> https://security-tracker.debian.org/tracker/CVE-2016-5009
> https://security-tracker.debian.org/tracker/CVE-2016-7031
> https://security-tracker.debian.org/tracker/CVE-2016-8626

Please go ahead.

Regards,

Adam

Bug#849538: jessie-pu: package ceph/0.80.7-2+deb8u2

2016-12-28 Thread Gaudenz Steinlin 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi

I would like to update ceph with the next stable point release to fix
the 4 security issues listed below. These are all minor issues which did
not warrant a DSA on their own, but are still worth fixing.

https://security-tracker.debian.org/tracker/CVE-2016-9579
https://security-tracker.debian.org/tracker/CVE-2016-5009
https://security-tracker.debian.org/tracker/CVE-2016-7031
https://security-tracker.debian.org/tracker/CVE-2016-8626

The complete debdiff is attached below. I have already built the
package, but not yet uploaded. As soon as I get your OK I'll upload the
package.

Gaudenz

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ceph-0.80.7/debian/changelog ceph-0.80.7/debian/changelog
--- ceph-0.80.7/debian/changelog	2016-01-15 10:42:14.0 +0100
+++ ceph-0.80.7/debian/changelog	2016-12-28 10:47:36.0 +0100
@@ -1,3 +1,14 @@
+ceph (0.80.7-2+deb8u2) jessie; urgency=medium
+
+  * [78329e] Upstream fix for CVE-2016-9579 (short CORS request)
+(Closes: #849048)
+  * [514d48] Upstream fix for CVE-2016-5009 (mon DoS) (Closes: #829661)
+  * [7ae81b] Upstream fix for CVE-2016-7031 (anonymous read on ACL)
+(Closes: #838026)
+  * [86ac46] Upstream fix for CVE-2016-8626 (RGW DoS) (Closes: #844200)
+
+ -- Gaudenz Steinlin   Wed, 28 Dec 2016 10:47:36 +0100
+
 ceph (0.80.7-2+deb8u1) jessie; urgency=medium
 
   * [61b5e0] Patch to fix CVE-2015-5245 applied from upstream (Closes: #798567)
diff -Nru ceph-0.80.7/debian/gbp.conf ceph-0.80.7/debian/gbp.conf
--- ceph-0.80.7/debian/gbp.conf	2016-01-15 10:41:01.0 +0100
+++ ceph-0.80.7/debian/gbp.conf	2016-12-27 21:47:49.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = jessie-security
+debian-branch = jessie
 pristine-tar = True
 
 [import-orig]
diff -Nru ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch
--- ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch	1970-01-01 01:00:00.0 +0100
+++ ceph-0.80.7/debian/patches/cve-2016-5009_mon_dos.patch	2016-12-28 10:47:27.0 +0100
@@ -0,0 +1,99 @@
+commit b78a1be835706e7dabc505be343945d0ac05697d
+Author: Kefu Chai 
+Date:   Thu Jun 30 13:24:22 2016 +0800
+
+mon: Monitor: validate prefix on handle_command()
+
+Fixes: http://tracker.ceph.com/issues/16297
+
+Signed-off-by: You Ji 
+(cherry picked from commit 7cb3434fed03a5497abfd00bcec7276b70df0654)
+
+Conflicts:
+src/mon/Monitor.cc (the signature of Monitor::reply_command()
+changed a little bit in master, so adapt the
+commit to work with the old method)
+
+--- a/src/mon/Monitor.cc
 b/src/mon/Monitor.cc
+@@ -2214,7 +2214,19 @@
+ return;
+   }
+ 
+-  cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++  // check return value. If no prefix parameter provided,
++  // return value will be false, then return error info.
++  if(!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
++reply_command(m, -EINVAL, "command prefix not found", 0);
++return;
++  }
++
++  // check prefix is empty
++  if (prefix.empty()) {
++reply_command(m, -EINVAL, "command prefix must not be empty", 0);
++return;
++  }
++
+   if (prefix == "get_command_descriptions") {
+ bufferlist rdata;
+ Formatter *f = new_formatter("json");
+@@ -2235,6 +2247,15 @@
+   boost::scoped_ptr f(new_formatter(format));
+ 
+   get_str_vec(prefix, fullcmd);
++
++  // make sure fullcmd is not empty.
++  // invalid prefix will cause empty vector fullcmd.
++  // such as, prefix=";,,;"
++  if (fullcmd.empty()) {
++reply_command(m, -EINVAL, "command requires a prefix to be valid", 0);
++return;
++  }
++
+   module = fullcmd[0];
+ 
+   // validate command is in leader map
+--- a/src/test/librados/cmd.cc
 b/src/test/librados/cmd.cc
+@@ -49,6 +49,41 @@
+   rados_buffer_free(buf);
+   rados_buffer_free(st);
+ 
++  cmd[0] = (char *)"";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "{}", 2, , , , ));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, , , , ));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"abc\":\"something\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, , , , ));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char