Description of problem: A CVE has been requested for a security issue in glusterfs: http://openwall.com/lists/oss-security/2015/08/18/7 Version-Release number of selected component (if applicable): 3.4.1-1.2 This bug has been fixed in mga5 with a patch, Bug # 16469 Reproducible: Steps to Reproduce:
Status: NEW => ASSIGNEDCC: (none) => thomasAssignee: bugsquad => thomas
Summary: Security issue has been found => Security issue in glusterfs
This bug has been fixed by - added CVE patch and - fixed permission glusterd.service ( removed the execution bit) This wasn't part of the CVE glusterfs-3.4.1-1.3.mga4.src.rpm lib64glusterfs0-3.4.1-1.3.mga4.x86_64.rpm lib64glusterfs-devel-3.4.1-1.3.mga4.x86_64.rpm glusterfs-common-3.4.1-1.3.mga4.x86_64.rpm glusterfs-client-3.4.1-1.3.mga4.x86_64.rpm glusterfs-server-3.4.1-1.3.mga4.x86_64.rpm lusterfs-geo-replication-3.4.1-1.3.mga4.x86_64.rpm and corresponding i586 Assigning it to QA
Assignee: thomas => qa-bugs
Component: RPM Packages => Security
Testing MGA4 x64 OK Installed pre this update: glusterfs-client-3.4.1-1.2.mga4 glusterfs-common-3.4.1-1.2.mga4 glusterfs-geo-replication-3.4.1-1.2.mga4 glusterfs-server-3.4.1-1.2.mga4 lib64glusterfs0-3.4.1-1.2.mga4 MCC system/Services & Daemons showed both glusterd glusterfsd suspended, but ticked for starting at boot. Both started OK manually. -rwxr-xr-x 1 root root /usr/lib/systemd/system/glusterd.service* -rw-r--r-- 1 root root /usr/lib/systemd/system/glusterfsd.service Updated this without problems to: glusterfs-client-3.4.1-1.3.mga4 glusterfs-common-3.4.1-1.3.mga4 glusterfs-geo-replication-3.4.1-1.3.mga4 glusterfs-server-3.4.1-1.3.mga4 lib64glusterfs0-3.4.1-1.3.mga4 MCC system/Services & Daemons showed both glusterd glusterfsd as running; & ticked to start at boot. -rw-r--r-- 1 root root /usr/lib/systemd/system/glusterd.service -rw-r--r-- 1 root root /usr/lib/systemd/system/glusterfsd.service which is now correct for glusterd.service WITHOUT any functional testing, this update is deemed OK.
CC: (none) => lewyssmithWhiteboard: (none) => MGA4-64-OK
Testing on mga-4-32 Installed existing version: glusterfs-client-3.4.1-1.2.mga4 glusterfs-server-3.4.1-1.2.mga4 libglusterfs0-3.4.1-1.2.mga4 glusterfs-common-3.4.1-1.2.mga4 glusterfs-geo-replication-3.4.1-1.2.mga4 Permissions: -rwxr-xr-x 1 root root 300 Apr 8 19:23 /usr/lib/systemd/system/glusterd.service -rw-r--r-- 1 root root 544 Mar 23 02:37 /usr/lib/systemd/system/glusterfsd.service Updated to testing: glusterfs-server-3.4.1-1.3.mga4 libglusterfs0-3.4.1-1.3.mga4 glusterfs-client-3.4.1-1.3.mga4 glusterfs-common-3.4.1-1.3.mga4 glusterfs-geo-replication-3.4.1-1.3.mga4 Permissions: -rw-r--r-- 1 root root 300 Aug 20 18:27 /usr/lib/systemd/system/glusterd.service -rw-r--r-- 1 root root 544 Mar 23 02:37 /usr/lib/systemd/system/glusterfsd.service The execution bits have been removed from glusterd.service After a reboot both glusterd and glusterfsd were running.
I've OK'd this update for mga4-32, even though I have not been able to test that the security vulnerability has been fixed.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Proposed advisory: *********************************************** Updated glusterfs packages fix security vulnerability and remove unnecessary execution bits. There were cases where setuid() could fail even when the caller is UID 0 The glusterd.service file was set as executable but that is not necessary. This update resolves both of these issues. References: https://bugs.mageia.org/show_bug.cgi?id=16619 http://openwall.com/lists/oss-security/2015/08/18/7 Source rpm: glusterfs-3.4.1-1.3.mga4 **********************************************************
Validated update The advisory needs to be uploaded to SVN The packages can then be pushed to updates
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory uploaded (still no CVE attributed upstream btw).
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0334.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/656223/