[AUTO-CHERRYPICK] [AutoPR- Security] Patch ceph for CVE-2024-48916 [HIGH] - branch 3.0-dev (#14466)

CBL-Mariner-Bot · azurelinux-security · carlapgavilan · web-flow · commit 62b844486da9 · 2025-08-11T12:15:35.000-07:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: carlapgavilan &lt;carlapgavilan@gmail.com&gt;
diff --git a/SPECS/ceph/CVE-2024-48916.patch b/SPECS/ceph/CVE-2024-48916.patch
@@ -0,0 +1,31 @@
+From be105ab62fd4c93be9f9e5896e28c702534b0c56 Mon Sep 17 00:00:00 2001
+From: Pritha Srivastava <prsrivas@redhat.com>
+Date: Tue, 5 Nov 2024 12:03:00 +0530
+Subject: [PATCH] rgw/sts: fix to disallow unsupported JWT algorithms while
+ authenticating AssumeRoleWithWebIdentity using JWT obtained from an external
+ IDP.
+
+fixes: https://tracker.ceph.com/issues/68836
+
+Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
+---
+ src/rgw/rgw_rest_sts.cc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc
+index 09f77f61d..23328236a 100644
+--- a/src/rgw/rgw_rest_sts.cc
++++ b/src/rgw/rgw_rest_sts.cc
+@@ -444,6 +444,9 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec
+                               .allow_algorithm(jwt::algorithm::ps512{cert});
+ 
+                 verifier.verify(decoded);
++              } else {
++                ldpp_dout(dpp, 0) << "Unsupported algorithm: " << algorithm << dendl;
++                throw -EINVAL;
+               }
+             } catch (std::runtime_error& e) {
+               ldpp_dout(dpp, 0) << "Signature validation failed: " << e.what() << dendl;
+-- 
+2.45.4
+
diff --git a/SPECS/ceph/ceph.spec b/SPECS/ceph/ceph.spec
@@ -5,7 +5,7 @@
 Summary:        User space components of the Ceph file system
 Name:           ceph
 Version:        18.2.2
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0
 URL:            https://ceph.io/
 Vendor:         Microsoft Corporation
@@ -29,6 +29,7 @@ Patch14:        CVE-2025-1744.patch
 Patch15:        CVE-2021-28361.patch
 Patch16:        CVE-2020-14378.patch
 Patch17:        CVE-2025-52555.patch
+Patch18:        CVE-2024-48916.patch
 #
 # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file
 # at the top-level directory of this distribution and at
@@ -2019,6 +2020,9 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 
 %changelog
+* Fri Aug 01 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 18.2.2-10
+- Patch for CVE-2024-48916
+
 * Tue Jul 01 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 18.2.2-9
 - Patch for CVE-2025-52555
 
