Bug 16619 - Security issue in glusterfs
Summary: Security issue in glusterfs
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: x86_64 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/656223/
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-20 18:21 CEST by Thomas Spuhler
Modified: 2015-08-31 23:31 CEST
3 users

See Also:
Source RPM: glusterfs
CVE:
Status comment:


Attachments

Description Thomas Spuhler 2015-08-20 18:21:30 CEST
Description of problem:

A CVE has been requested for a security issue in glusterfs:
http://openwall.com/lists/oss-security/2015/08/18/7


Version-Release number of selected component (if applicable):
3.4.1-1.2
This bug has been fixed in mga5 with a patch, Bug # 16469



Reproducible: 

Steps to Reproduce:
Thomas Spuhler 2015-08-20 18:22:11 CEST

Status: NEW => ASSIGNED
CC: (none) => thomas
Assignee: bugsquad => thomas

Rémi Verschelde 2015-08-20 18:22:58 CEST

Summary: Security issue has been found => Security issue in glusterfs

Comment 1 Thomas Spuhler 2015-08-20 19:33:07 CEST
This bug has been fixed by 
- added CVE patch
and
- fixed permission of glusterd.service (removed the execution bit)
This wasn't part of the CVE


glusterfs-3.4.1-1.3.mga4.src.rpm
lib64glusterfs0-3.4.1-1.3.mga4.x86_64.rpm
lib64glusterfs-devel-3.4.1-1.3.mga4.x86_64.rpm
glusterfs-common-3.4.1-1.3.mga4.x86_64.rpm
glusterfs-client-3.4.1-1.3.mga4.x86_64.rpm
glusterfs-server-3.4.1-1.3.mga4.x86_64.rpm
glusterfs-geo-replication-3.4.1-1.3.mga4.x86_64.rpm
and corresponding i586

Assigning it to QA

Assignee: thomas => qa-bugs

Samuel Verschelde 2015-08-21 11:07:12 CEST

Component: RPM Packages => Security

Comment 2 Lewis Smith 2015-08-24 20:16:39 CEST
Testing MGA4 x64 OK

Installed pre this update:
 glusterfs-client-3.4.1-1.2.mga4
 glusterfs-common-3.4.1-1.2.mga4
 glusterfs-geo-replication-3.4.1-1.2.mga4
 glusterfs-server-3.4.1-1.2.mga4
 lib64glusterfs0-3.4.1-1.2.mga4
MCC system/Services & Daemons showed both
 glusterd
 glusterfsd
suspended, but ticked for starting at boot. Both started OK manually.

-rwxr-xr-x 1 root root /usr/lib/systemd/system/glusterd.service*
-rw-r--r-- 1 root root /usr/lib/systemd/system/glusterfsd.service

Updated this without problems to:
 glusterfs-client-3.4.1-1.3.mga4
 glusterfs-common-3.4.1-1.3.mga4
 glusterfs-geo-replication-3.4.1-1.3.mga4
 glusterfs-server-3.4.1-1.3.mga4
 lib64glusterfs0-3.4.1-1.3.mga4
MCC system/Services & Daemons showed both
 glusterd
 glusterfsd
as running; & ticked to start at boot.

-rw-r--r-- 1 root root /usr/lib/systemd/system/glusterd.service
-rw-r--r-- 1 root root /usr/lib/systemd/system/glusterfsd.service
which is now correct for glusterd.service

WITHOUT any functional testing, this update is deemed OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA4-64-OK

Comment 3 James Kerr 2015-08-29 17:09:55 CEST
Testing on mga-4-32

Installed existing version:

glusterfs-client-3.4.1-1.2.mga4
glusterfs-server-3.4.1-1.2.mga4
libglusterfs0-3.4.1-1.2.mga4
glusterfs-common-3.4.1-1.2.mga4
glusterfs-geo-replication-3.4.1-1.2.mga4

Permissions:

-rwxr-xr-x 1 root root 300 Apr  8 19:23 /usr/lib/systemd/system/glusterd.service
-rw-r--r-- 1 root root 544 Mar 23 02:37 /usr/lib/systemd/system/glusterfsd.service

Updated to testing:

glusterfs-server-3.4.1-1.3.mga4
libglusterfs0-3.4.1-1.3.mga4
glusterfs-client-3.4.1-1.3.mga4
glusterfs-common-3.4.1-1.3.mga4
glusterfs-geo-replication-3.4.1-1.3.mga4

Permissions:

-rw-r--r-- 1 root root 300 Aug 20 18:27 /usr/lib/systemd/system/glusterd.service
-rw-r--r-- 1 root root 544 Mar 23 02:37 /usr/lib/systemd/system/glusterfsd.service

The execution bits have been removed from glusterd.service

After a reboot both glusterd and glusterfsd were running.
Comment 4 James Kerr 2015-08-29 17:11:58 CEST
I've OK'd this update for mga4-32, even though I have not been able to test that the security vulnerability has been fixed.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 5 James Kerr 2015-08-29 17:19:03 CEST
Proposed advisory:

***********************************************
Updated glusterfs packages fix security vulnerability and remove unnecessary execution bits.

There were cases where setuid() could fail even when the caller is UID 0.
The glusterd.service file was set as executable but that is not necessary.
This update resolves both of these issues.

References:
https://bugs.mageia.org/show_bug.cgi?id=16619
http://openwall.com/lists/oss-security/2015/08/18/7

Source rpm:
glusterfs-3.4.1-1.3.mga4

**********************************************************
Comment 6 James Kerr 2015-08-29 17:28:21 CEST
Validated update

The advisory needs to be uploaded to SVN

The packages can then be pushed to updates

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Rémi Verschelde 2015-08-30 13:06:11 CEST
Advisory uploaded (still no CVE attributed upstream btw).

Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory

Comment 8 Mageia Robot 2015-08-30 16:29:04 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0334.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-31 23:31:28 CEST

URL: (none) => http://lwn.net/Vulnerabilities/656223/

