Debrand logo

.gitignore

@@ -19,4 +19,4 @@ SOURCES/rexml-3.3.6.gem
 SOURCES/ruby2_keywords-0.0.5.gem
 SOURCES/sinatra-2.2.4.gem
 SOURCES/tilt-2.3.0.gem
-SOURCES/tornado-6.1.0.tar.gz
+SOURCES/tornado-6.1.0.pcs.1.tar.gz

.pcs.metadata

@@ -19,4 +19,4 @@ ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
 d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
 fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem
 4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem
-c23c617c7a0205e465bebad5b8cdf289ae8402a2 SOURCES/tornado-6.1.0.tar.gz
+c65f61a0f55a342f142f2a6be2d5fcc7f4cab0c9 SOURCES/tornado-6.1.0.pcs.1.tar.gz

SOURCES/RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch

@@ -0,0 +1,52 @@
+From 6142961fe0e39bdbba0d70f792fc27fb2bc096ba Mon Sep 17 00:00:00 2001
+From: Ivan Devat <idevat@redhat.com>
+Date: Thu, 7 Mar 2024 16:51:13 +0100
+Subject: [PATCH] stop sending http headers to ruby part of pcsd
+
+---
+ pcs/daemon/ruby_pcsd.py | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/pcs/daemon/ruby_pcsd.py b/pcs/daemon/ruby_pcsd.py
+index 4b3b0ea1..e07e17cc 100644
+--- a/pcs/daemon/ruby_pcsd.py
++++ b/pcs/daemon/ruby_pcsd.py
+@@ -87,13 +87,34 @@ class RubyDaemonRequest(
+         http_request: HTTPServerRequest = None,
+         payload=None,
+     ):
+-        headers = http_request.headers if http_request else HTTPHeaders()
++        # Headers from request are not propagated to ruby part. Ruby part doesn't
++        # work with standard headers in any special way. So, we send only path,
++        # method, query, body and special headers for communication between
++        # python part and ruby part. Tornado then adds necessary default
++        # headers. The motivation here is to prevent processing potentially
++        # maliciously crafted headers by rack.
++        headers = HTTPHeaders()
+         headers.add("X-Pcsd-Type", request_type)
+         if payload:
+             headers.add(
+                 "X-Pcsd-Payload",
+                 b64encode(json.dumps(payload).encode()).decode(),
+             )
++        if http_request:
++            for key, val in http_request.headers.get_all():
++                # From webui, POST request can come with either
++                # application/x-www-form-urlencoded or application/json content
++                # type. When we remove original HTTP headers, content type is
++                # added by tornado. But in the case of original application/json,
++                # tornado puts application/x-www-form-urlencoded there. To fix
++                # this let's keep the original header here in this case.
++                #
++                # The token, CIB_user and CIB_user_groups are transferred by the
++                # "Cookie" header and these information are evaluated in ruby.
++                if (
++                    key.lower() == "content-type" and val == "application/json"
++                ) or key.lower() == "cookie":
++                    headers.add(key, val)
+         return super(RubyDaemonRequest, cls).__new__(
+             cls,
+             request_type,
+-- 
+2.47.0
+

SPECS/pcs.spec

@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.2.alma.1
+Release: 2%{?dist}.4.alma.1
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 
 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version    6.1.0
+%global tornado_version    6.1.0.pcs.1
 
 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@@ -87,7 +87,7 @@ Source0: %{url}/archive/%{?v_prefix}%{version_or_commit}/%{pcs_source_name}.tar.
 Source1: HAM-logo.png
 
 Source41: https://github.com/ondrejmular/pyagentx/archive/v%{pyagentx_version}/pyagentx-%{pyagentx_version}.tar.gz
-Source42: https://github.com/tornadoweb/tornado/archive/v%{tornado_version}/tornado-%{tornado_version}.tar.gz
+Source42: https://github.com/CtrlZmaster/tornado/archive/v%{tornado_version}/tornado-%{tornado_version}.tar.gz
 Source43: https://github.com/ericvsmith/dataclasses/archive/%{dataclasses_version}/dataclasses-%{dataclasses_version}.tar.gz
 Source44: https://github.com/konradhalas/dacite/archive/v%{dacite_version}/dacite-%{dacite_version}.tar.gz
 Source45: https://pypi.python.org/packages/source/p/python-dateutil/python-dateutil-%{dateutil_version}.tar.gz
@@ -115,6 +115,7 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_
 # Patch1: bzNUMBER-01-name.patch
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
+Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
 
 # git for patches
 BuildRequires: git-core
@@ -304,6 +305,7 @@ update_times_patch(){
 # update_times_patch %%{PATCH1}
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
+update_times_patch %{PATCH3}
 
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -560,9 +562,17 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 
 %changelog
-* Mon Sep 16 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.10.18-2.el8_10.2.alma
+* Mon Mar 17 2025 Eduard Abdullin <eabdullin@almalinux.org> - 0.10.18-2.4.alma.1
 - Debrand logo
 
+* Tue Mar 4 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%dist.3
+- Fixed CVE-2024-52804 by patching bundled Tornado
+  Resolves: RHEL-81924
+
+* Wed Dec 4 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.3
+- Prevented any future HTTP header-based attacks on puma/sinatra by removing any headers not recognized by pcsd
+  Resolves: RHEL-65595
+
 * Thu Aug 29 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.2
 - Updated rubygem rexml
   Resolves: RHEL-52409, RHEL-52788, RHEL-55997