Bug 718956 (CVE-2020-12059) - <sys-cluster/ceph-14.2.0: Possible crash in RGW process via invalid XML in POST (CVE-2020-12059)
Status: RESOLVED FIXED
Alias: CVE-2020-12059
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2020-04-23 02:34 UTC by Sam James
Modified: 2021-02-20 19:44 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-23 02:34:36 UTC
Description:
"An issue was discovered in Ceph through 13.2.9. A POST request with an invalid tagging XML can crash the RGW process by triggering a NULL pointer exception."

----
@maintainer(s), can you clarify if versions in tree are affected?
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-04 19:38:15 UTC
Upstream issue says Nautilus+ (>=14.x?) is unaffected.

https://tracker.ceph.com/issues/44967#note-7
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-20 07:44:45 UTC
If 12.x was affected, then cleanup was done here:

commit 5fa3176d02695d7dd7074f4d89df9f89990de333
Author: Patrick McLean <patrick.mclean@sony.com>
Date:   Wed Nov 18 23:29:05 2020 -0800

    sys-cluster/ceph: remove old

    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 delete mode 100644 sys-cluster/ceph/ceph-12.2.12-r3.ebuild


Since 14.x is unaffected, the earliest 14.x version we had looks to be 14.2.0 so that will go in summary. Needs GLSA vote.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-20 19:44:26 UTC
GLSA Vote: No

Repository is clean, all done!