etcd: patch CVE-2023-32082

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-32082

Pick the patch mentioned in the details of the report. (It was backported
to the 3.5 tree)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

meta-oe/recipes-extended/etcd/etcd/CVE-2023-32082.patch

@@ -0,0 +1,86 @@
+From 021ad998bed830f903b96ee9dcf87a35ca60c148 Mon Sep 17 00:00:00 2001
+From: Hitoshi Mitake <h.mitake@gmail.com>
+Date: Wed, 29 Mar 2023 20:46:32 +0900
+Subject: [PATCH] etcdserver: protect lease timetilive with auth
+
+CVE: CVE-2023-32082
+Upstream-Status: Backport [https://github.com/etcd-io/etcd/commit/d1b1aa9dbe8065fb2cb36fe035daf701ccabc4e0]
+
+Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
+Co-authored-by: Benjamin Wang <wachao@vmware.com>
+(cherry picked from commit d1b1aa9dbe8065fb2cb36fe035daf701ccabc4e0)
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ server/etcdserver/v3_server.go | 52 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/server/etcdserver/v3_server.go b/server/etcdserver/v3_server.go
+index 0184b8d18..c8ce8c69c 100644
+--- a/server/etcdserver/v3_server.go
++++ b/server/etcdserver/v3_server.go
+@@ -336,7 +336,32 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
+ 	return -1, ErrCanceled
+ }
+ 
+-func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
++func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (uint64, error) {
++	rev := s.AuthStore().Revision()
++	if !s.AuthStore().IsAuthEnabled() {
++		return rev, nil
++	}
++	authInfo, err := s.AuthInfoFromCtx(ctx)
++	if err != nil {
++		return rev, err
++	}
++	if authInfo == nil {
++		return rev, auth.ErrUserEmpty
++	}
++
++	l := s.lessor.Lookup(leaseID)
++	if l != nil {
++		for _, key := range l.Keys() {
++			if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
++				return 0, err
++			}
++		}
++	}
++
++	return rev, nil
++}
++
++func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
+ 	if s.isLeader() {
+ 		if err := s.waitAppliedIndex(); err != nil {
+ 			return nil, err
+@@ -386,6 +411,31 @@ func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR
+ 	return nil, ErrCanceled
+ }
+ 
++func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
++	var rev uint64
++	var err error
++	if r.Keys {
++		// check RBAC permission only if Keys is true
++		rev, err = s.checkLeaseTimeToLive(ctx, lease.LeaseID(r.ID))
++		if err != nil {
++			return nil, err
++		}
++	}
++
++	resp, err := s.leaseTimeToLive(ctx, r)
++	if err != nil {
++		return nil, err
++	}
++
++	if r.Keys {
++		if s.AuthStore().IsAuthEnabled() && rev != s.AuthStore().Revision() {
++			return nil, auth.ErrAuthOldRevision
++		}
++	}
++	return resp, nil
++}
++
++// LeaseLeases is really ListLeases !???
+ func (s *EtcdServer) LeaseLeases(ctx context.Context, r *pb.LeaseLeasesRequest) (*pb.LeaseLeasesResponse, error) {
+ 	ls := s.lessor.Leases()
+ 	lss := make([]*pb.LeaseStatus, len(ls))

meta-oe/recipes-extended/etcd/etcd_3.5.7.bb

@@ -8,6 +8,7 @@ SRC_URI = " \
     git://github.com/etcd-io/etcd;branch=release-3.5;protocol=https \
     file://0001-xxhash-bump-to-v2.1.2.patch;patchdir=src/${GO_IMPORT} \
     file://0001-test_lib.sh-remove-gobin-requirement-during-build.patch;patchdir=src/${GO_IMPORT} \
+    file://CVE-2023-32082.patch;patchdir=src/${GO_IMPORT} \
     file://etcd.service \
     file://etcd-existing.conf \
     file://etcd-new.service \