From 54b1d828ead3ff04cb26eca17251073fd45a4d48 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 28 May 2025 12:26:27 +0000
Subject: [PATCH] Import from CS git
---
 .gitignore | 4 +-
 .pcs.metadata | 4 +-
 ...147-support-for-query-limits-in-rack.patch | 45 +++++++++++++++++++
 SPECS/pcs.spec | 16 +++++--
 4 files changed, 61 insertions(+), 8 deletions(-)
 create mode 100644 SOURCES/RHEL-90147-support-for-query-limits-in-rack.patch
diff --git a/.gitignore b/.gitignore
index c83d406..c9e362b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,11 +12,11 @@ SOURCES/pcs-0.10.18.tar.gz
 SOURCES/puma-6.4.0.gem
 SOURCES/pyagentx-0.4.pcs.2.tar.gz
 SOURCES/python-dateutil-2.8.2.tar.gz
-SOURCES/rack-2.2.8.1.gem
+SOURCES/rack-2.2.16.gem
 SOURCES/rack-protection-2.2.4.gem
 SOURCES/rack-test-2.1.0.gem
 SOURCES/rexml-3.3.6.gem
 SOURCES/ruby2_keywords-0.0.5.gem
 SOURCES/sinatra-2.2.4.gem
 SOURCES/tilt-2.3.0.gem
-SOURCES/tornado-6.1.0.pcs.1.tar.gz
+SOURCES/tornado-6.1.0.pcs.2.tar.gz
diff --git a/.pcs.metadata b/.pcs.metadata
index cdb2304..7618a82 100644
--- a/.pcs.metadata
+++ b/.pcs.metadata
@@ -12,11 +12,11 @@ b3cd873042b17021355b68f1f7aa313f0c1f3fee SOURCES/pcs-0.10.18.tar.gz
 d6049c4555f3c9d198e6eb1d7e53ce9b68e175ff SOURCES/puma-6.4.0.gem
 3176b2f2b332c2b6bf79fe882e83feecf3d3f011 SOURCES/pyagentx-0.4.pcs.2.tar.gz
 c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz
-fcdee79d1b0bb7e3666bad96321fc124bc8215e9 SOURCES/rack-2.2.8.1.gem
+807c69f4ebada58686cee22884623063745007c2 SOURCES/rack-2.2.16.gem
 5347315a7283f0b04443e924ed4eaa17807432c8 SOURCES/rack-protection-2.2.4.gem
 ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
 89f8446e89976f3677767d426a4edc6ccba574be SOURCES/rexml-3.3.6.gem
 d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
 fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem
 4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem
-c65f61a0f55a342f142f2a6be2d5fcc7f4cab0c9 SOURCES/tornado-6.1.0.pcs.1.tar.gz
+3e0fc1e17c45a8e25bdd6ade8dbbc522f64f2ae1 SOURCES/tornado-6.1.0.pcs.2.tar.gz
diff --git a/SOURCES/RHEL-90147-support-for-query-limits-in-rack.patch b/SOURCES/RHEL-90147-support-for-query-limits-in-rack.patch
new file mode 100644
index 0000000..79a67b8
--- /dev/null
+++ b/SOURCES/RHEL-90147-support-for-query-limits-in-rack.patch
@@ -0,0 +1,45 @@
+From 0ad47ec40b7a9a2cb6bdbdf11e1e5b3c59f49b8b Mon Sep 17 00:00:00 2001
+From: Miroslav Lisik
+Date: Tue, 20 May 2025 16:34:18 +0200
+Subject: [PATCH] support for query limits in rack
+
+---
+ pcsd/conf/pcsd | 6 ++++++
+ pcsd/pcsd.rb | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/pcsd/conf/pcsd b/pcsd/conf/pcsd
+index 98df4744..65a9c9a9 100644
+--- a/pcsd/conf/pcsd
++++ b/pcsd/conf/pcsd
+@@ -45,5 +45,11 @@ PCSD_SESSION_LIFETIME=3600
+ # is 50 (even if set lower).
+ PCSD_RESTART_AFTER_REQUESTS=200
+ 
++# These environment variables set the maximum query string bytesize and the
++# maximum number of query parameters that pcsd will attempt to parse.
++# See CVE-2025-46727 for details.
++#RACK_QUERY_PARSER_BYTESIZE_LIMIT=4194304
++#RACK_QUERY_PARSER_PARAMS_LIMIT=4096
++
+ # Do not change
+ RACK_ENV=production
+diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
+index 11698f54..a2634e4e 100644
+--- a/pcsd/pcsd.rb
++++ b/pcsd/pcsd.rb
+@@ -90,6 +90,11 @@ configure do
+ CAPABILITIES_PCSD = capabilities_pcsd.freeze
+ end
+ 
++error Rack::QueryParser::QueryLimitError do
++ $logger.warn(env['sinatra.error'].message)
++ return 400, env['sinatra.error'].message
++end
++
+ def run_cfgsync
+ node_connected = true
+ if Cfgsync::ConfigSyncControl.sync_thread_allowed?()
+-- 
+2.49.0
+
diff --git a/SPECS/pcs.spec b/SPECS/pcs.spec
index 2dc8705..2dda3d3 100644
--- a/SPECS/pcs.spec
+++ b/SPECS/pcs.spec
@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.4
+Release: 2%{?dist}.5
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
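Review bot: The new `error Rack::QueryParser::QueryLimitError` handler in the pcsd.rb hunk logs only the exception message, so whoever reads the log cannot tell which request tripped the limit; something like `$logger.warn("#{env['sinatra.error'].message} (#{request.request_method} #{request.path})")` gives the operator a way to notice repeated over-limit requests, and the client address can be appended if it survives the proxying in front of the Ruby daemon. The body returned to the client is rack's own message, which as far as I recall names only the counted size and the configured limit rather than any request content, but that is worth confirming against the 2.2.16 source before shipping it to clients verbatim. Stylistically the explicit `return 400, ...` works because Sinatra compiles the block into a method, but the idiomatic form is `halt 400, env['sinatra.error'].message` or simply leaving `[400, env['sinatra.error'].message]` as the last expression. In the conf/pcsd hunk the commented values appear to be rack's built-in defaults, and the comment could say so (and, if I have it right, that the same parser limits apply to form-encoded request bodies, not just the query string), so operators know that uncommenting them unchanged alters nothing. The surrounding `configure` block and `def run_cfgsync` continue outside this hunk.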
@@ -39,7 +39,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 %global version_rubygem_nio4r 2.5.9
 %global version_rubygem_open4 1.3.4
 %global version_rubygem_puma 6.4.0
-%global version_rubygem_rack 2.2.8.1
+%global version_rubygem_rack 2.2.16
 %global version_rubygem_rack_protection 2.2.4
 %global version_rubygem_rack_test 2.1.0
 %global version_rubygem_rexml 3.3.6
@@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version 6.1.0.pcs.1
+%global tornado_version 6.1.0.pcs.2
 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@@ -116,6 +116,7 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
 Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
+Patch4: RHEL-90147-support-for-query-limits-in-rack.patch
 # git for patches
 BuildRequires: git-core
@@ -306,6 +307,7 @@ update_times_patch(){
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
 update_times_patch %{PATCH3}
+update_times_patch %{PATCH4}
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -562,7 +564,13 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 %changelog
-* Tue Mar 4 2025 Michal Pospisil - 0.10.18-2%dist.3
+* Thu May 22 2025 Michal Pospisil - 0.10.18-2%dist.5
+- Fixed CVE-2024-52804 by patching bundled Tornado
+ Resolves: RHEL-93167
+- Fixed CVE-2025-46727 by updating bundled rubygem rack
+ Resolves: RHEL-90147
+
+* Tue Mar 4 2025 Michal Pospisil - 0.10.18-2%dist.4
 - Fixed CVE-2024-52804 by patching bundled Tornado
 Resolves: RHEL-81924