From efa1ef31f4ec3807636b5683d8759cb7f46c175e Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari
Date: Sat, 11 Oct 2025 15:34:54 +0200
Subject: [PATCH] etcd: patch CVE-2023-32082

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-32082
Pick the patch mentioned in the details of the report. (It was backported to the 3.5 tree)
Signed-off-by: Gyorgy Sarvari
Signed-off-by: Anuj Mittal
---
 .../etcd/etcd/CVE-2023-32082.patch | 86 +++++++++++++++++++
 meta-oe/recipes-extended/etcd/etcd_3.5.7.bb | 1 +
 2 files changed, 87 insertions(+)
 create mode 100644 meta-oe/recipes-extended/etcd/etcd/CVE-2023-32082.patch

diff --git a/meta-oe/recipes-extended/etcd/etcd/CVE-2023-32082.patch b/meta-oe/recipes-extended/etcd/etcd/CVE-2023-32082.patch
new file mode 100644
index 0000000000..fe350265a4
--- /dev/null
+++ b/meta-oe/recipes-extended/etcd/etcd/CVE-2023-32082.patch
@@ -0,0 +1,86 @@
+From 021ad998bed830f903b96ee9dcf87a35ca60c148 Mon Sep 17 00:00:00 2001
+From: Hitoshi Mitake
+Date: Wed, 29 Mar 2023 20:46:32 +0900
+Subject: [PATCH] etcdserver: protect lease timetilive with auth
+
+CVE: CVE-2023-32082
+Upstream-Status: Backport [https://github.com/etcd-io/etcd/commit/d1b1aa9dbe8065fb2cb36fe035daf701ccabc4e0]
+
+Signed-off-by: Hitoshi Mitake
+Co-authored-by: Benjamin Wang
+(cherry picked from commit d1b1aa9dbe8065fb2cb36fe035daf701ccabc4e0)
+Signed-off-by: Gyorgy Sarvari
+---
+ server/etcdserver/v3_server.go | 52 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/server/etcdserver/v3_server.go b/server/etcdserver/v3_server.go
+index 0184b8d18..c8ce8c69c 100644
+--- a/server/etcdserver/v3_server.go
++++ b/server/etcdserver/v3_server.go
+@@ -336,7 +336,32 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
+ return -1, ErrCanceled
+ }
+
+-func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
++func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (uint64, error) {
++ rev := s.AuthStore().Revision()
++ if !s.AuthStore().IsAuthEnabled() {
++ return rev, nil
++ }
++ authInfo, err := s.AuthInfoFromCtx(ctx)
++ if err != nil {
++ return rev, err
++ }
++ if authInfo == nil {
++ return rev, auth.ErrUserEmpty
++ }
++
++ l := s.lessor.Lookup(leaseID)
++ if l != nil {
++ for _, key := range l.Keys() {
++ if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
++ return 0, err
++ }
++ }
++ }
++
++ return rev, nil
++}
++
++func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
+ if s.isLeader() {
+ if err := s.waitAppliedIndex(); err != nil {
+ return nil, err
+@@ -386,6 +411,31 @@ func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR
+ return nil, ErrCanceled
+ }
+
++func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
++ var rev uint64
++ var err error
++ if r.Keys {
++ // check RBAC permission only if Keys is true
++ rev, err = s.checkLeaseTimeToLive(ctx, lease.LeaseID(r.ID))
++ if err != nil {
++ return nil, err
++ }
++ }
++
++ resp, err := s.leaseTimeToLive(ctx, r)
++ if err != nil {
++ return nil, err
++ }
++
++ if r.Keys {
++ if s.AuthStore().IsAuthEnabled() && rev != s.AuthStore().Revision() {
++ return nil, auth.ErrAuthOldRevision
++ }
++ }
++ return resp, nil
++}
++
++// LeaseLeases is really ListLeases !???
+ func (s *EtcdServer) LeaseLeases(ctx context.Context, r *pb.LeaseLeasesRequest) (*pb.LeaseLeasesResponse, error) {
+ ls := s.lessor.Leases()
+ lss := make([]*pb.LeaseStatus, len(ls))
diff --git a/meta-oe/recipes-extended/etcd/etcd_3.5.7.bb b/meta-oe/recipes-extended/etcd/etcd_3.5.7.bb
index 0794158a52..83847f871f 100644
--- a/meta-oe/recipes-extended/etcd/etcd_3.5.7.bb
+++ b/meta-oe/recipes-extended/etcd/etcd_3.5.7.bb
@@ -8,6 +8,7 @@ SRC_URI = " \
 git://github.com/etcd-io/etcd;branch=release-3.5;protocol=https \
 file://0001-xxhash-bump-to-v2.1.2.patch;patchdir=src/${GO_IMPORT} \
 file://0001-test_lib.sh-remove-gobin-requirement-during-build.patch;patchdir=src/${GO_IMPORT} \
+ file://CVE-2023-32082.patch;patchdir=src/${GO_IMPORT} \
 file://etcd.service \
 file://etcd-existing.conf \
 file://etcd-new.service \
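Review bot: checkLeaseTimeToLive in the backported hunk carries no doc comment, and its contract is easy to misread: the revision it returns is captured before the lease lookup so that LeaseTimeToLive can reject the response with auth.ErrAuthOldRevision when the auth store changed while the keys were being read. I would add above it `// checkLeaseTimeToLive verifies that the caller may read every key attached to leaseID; it returns the auth-store revision observed before the check so the caller can detect auth changes made while the request was served.` The permission-denied path returns `0, err` while the two earlier failure paths return `rev, err`; the only caller ignores rev on error, but `return rev, err` would keep the three paths uniform. Note also that the set of keys attached to the lease can change between this check and the lookup inside leaseTimeToLive (whose body continues beyond the hunk), and the revision comparison only covers auth-store changes, not lease-attachment changes — worth confirming that matches what upstream accepted.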