Bug 16619

Summary: Security issue in glusterfs
Product: Mageia Reporter: Thomas Spuhler <thomas>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs, thomas
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/656223/
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Source RPM: glusterfs CVE:
Status comment:

Description Thomas Spuhler 2015-08-20 18:21:30 CEST 
Description of problem:

A CVE has been requested for a security issue in glusterfs:
http://openwall.com/lists/oss-security/2015/08/18/7


Version-Release number of selected component (if applicable):
3.4.1-1.2
This bug has been fixed in mga5 with a patch, Bug # 16469



Reproducible: 

Steps to Reproduce:
Thomas Spuhler 2015-08-20 18:22:11 CEST

Status: NEW => ASSIGNED
CC: (none) => thomas
Assignee: bugsquad => thomas

Rémi Verschelde 2015-08-20 18:22:58 CEST

Summary: Security issue has been found => Security issue in glusterfs

Comment 1 Thomas Spuhler 2015-08-20 19:33:07 CEST 
This bug has been fixed by 
- added CVE patch
and
- fixed permission glusterd.service ( removed the execution bit)
This wasn't part of the CVE


glusterfs-3.4.1-1.3.mga4.src.rpm
lib64glusterfs0-3.4.1-1.3.mga4.x86_64.rpm
lib64glusterfs-devel-3.4.1-1.3.mga4.x86_64.rpm
glusterfs-common-3.4.1-1.3.mga4.x86_64.rpm
glusterfs-client-3.4.1-1.3.mga4.x86_64.rpm
glusterfs-server-3.4.1-1.3.mga4.x86_64.rpm
lusterfs-geo-replication-3.4.1-1.3.mga4.x86_64.rpm
and corresponding i586

Assigning it to QA

Assignee: thomas => qa-bugs

Samuel Verschelde 2015-08-21 11:07:12 CEST

Component: RPM Packages => Security

Comment 2 Lewis Smith 2015-08-24 20:16:39 CEST 
Testing MGA4 x64 OK

Installed pre this update:
 glusterfs-client-3.4.1-1.2.mga4
 glusterfs-common-3.4.1-1.2.mga4
 glusterfs-geo-replication-3.4.1-1.2.mga4
 glusterfs-server-3.4.1-1.2.mga4
 lib64glusterfs0-3.4.1-1.2.mga4
MCC system/Services & Daemons showed both
 glusterd
 glusterfsd
suspended, but ticked for starting at boot. Both started OK manually.

-rwxr-xr-x 1 root root /usr/lib/systemd/system/glusterd.service*
-rw-r--r-- 1 root root /usr/lib/systemd/system/glusterfsd.service

Updated this without problems to:
 glusterfs-client-3.4.1-1.3.mga4
 glusterfs-common-3.4.1-1.3.mga4
 glusterfs-geo-replication-3.4.1-1.3.mga4
 glusterfs-server-3.4.1-1.3.mga4
 lib64glusterfs0-3.4.1-1.3.mga4
MCC system/Services & Daemons showed both
 glusterd
 glusterfsd
as running; & ticked to start at boot.

-rw-r--r-- 1 root root /usr/lib/systemd/system/glusterd.service
-rw-r--r-- 1 root root /usr/lib/systemd/system/glusterfsd.service
which is now correct for glusterd.service

WITHOUT any functional testing, this update is deemed OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA4-64-OK

Comment 3 James Kerr 2015-08-29 17:09:55 CEST 
Testing on mga-4-32

Installed existing version:

glusterfs-client-3.4.1-1.2.mga4
glusterfs-server-3.4.1-1.2.mga4
libglusterfs0-3.4.1-1.2.mga4
glusterfs-common-3.4.1-1.2.mga4
glusterfs-geo-replication-3.4.1-1.2.mga4

Permissions:

-rwxr-xr-x 1 root root 300 Apr  8 19:23 /usr/lib/systemd/system/glusterd.service
-rw-r--r-- 1 root root 544 Mar 23 02:37 /usr/lib/systemd/system/glusterfsd.service

Updated to testing:

glusterfs-server-3.4.1-1.3.mga4
libglusterfs0-3.4.1-1.3.mga4
glusterfs-client-3.4.1-1.3.mga4
glusterfs-common-3.4.1-1.3.mga4
glusterfs-geo-replication-3.4.1-1.3.mga4

Permissions:

-rw-r--r-- 1 root root 300 Aug 20 18:27 /usr/lib/systemd/system/glusterd.service
-rw-r--r-- 1 root root 544 Mar 23 02:37 /usr/lib/systemd/system/glusterfsd.service

The execution bits have been removed from glusterd.service

After a reboot both glusterd and glusterfsd were running.
Comment 4 James Kerr 2015-08-29 17:11:58 CEST 
I've OK'd this update for mga4-32, even though I have not been able to test that the security vulnerability has been fixed.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 5 James Kerr 2015-08-29 17:19:03 CEST 
Proposed advisory:

***********************************************
Updated glusterfs packages fix security vulnerability and remove unnecessary execution bits.

There were cases where setuid() could fail even when the  caller is UID 0
The glusterd.service file was set as executable but that is not necessary.
This update resolves both of these issues.

References:
https://bugs.mageia.org/show_bug.cgi?id=16619
http://openwall.com/lists/oss-security/2015/08/18/7

Source rpm:
glusterfs-3.4.1-1.3.mga4

**********************************************************
Comment 6 James Kerr 2015-08-29 17:28:21 CEST 
Validated update

The advisory needs to be uploaded to SVN

The packages can then be pushed to updates

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Rémi Verschelde 2015-08-30 13:06:11 CEST 
Advisory uploaded (still no CVE attributed upstream btw).

Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory

Comment 8 Mageia Robot 2015-08-30 16:29:04 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0334.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-31 23:31:28 CEST

URL: (none) => http://lwn.net/Vulnerabilities/656223/