Bug 18758 - ctdb new regression caused by CVE-2015-8543 fix in kernel
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/692179/
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-06-22 01:11 CEST by David Walser
Modified: 2016-08-31 17:33 CEST

See Also:
Source RPM: ctdb-2.5.3-3.mga5.src.rpm, samba-4.4.4-2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2016-06-22 01:11:37 CEST
Debian has issued an advisory on March 3:
https://www.debian.org/security/2016/dsa-3426

They have patches to fix the issue.

In Cauldron, ctdb is built from the samba SRPM.  I don't know if that version is still affected by this issue.  Mageia 5 at least should be.

Comment 1 Marja Van Waes 2016-06-23 08:53:03 CEST
(In reply to David Walser from comment #0)
> Debian has issued an advisory on March 3:
> https://www.debian.org/security/2016/dsa-3426
> 
> They have patches to fix the issue.
> 
> In Cauldron, ctdb is built from the samba SRPM.  I don't know if that
> version is still affected by this issue.  Mageia 5 at least should be.

Assigning to ctdb maintainer.

@ Shlomi

Is it possible for you to figure out whether samba in cauldron is affected, too?

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2016-06-23 16:10:32 CEST
(In reply to Marja van Waes from comment #1)
> (In reply to David Walser from comment #0)
> > Debian has issued an advisory on March 3:
> > https://www.debian.org/security/2016/dsa-3426
> > 
> > They have patches to fix the issue.
> > 
> > In Cauldron, ctdb is built from the samba SRPM.  I don't know if that
> > version is still affected by this issue.  Mageia 5 at least should be.
> 
> Assigning to ctdb maintainer.
> 
> @ Shlomi
> 
> Is it possible for you to figure out whether samba in cauldron is affected,
> too?

I'll try to.

Comment 3 Shlomi Fish 2016-06-23 17:10:00 CEST
Based on reading the description here - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813406 and studying the code, I don't think we are affected.

Comment 4 Marja Van Waes 2016-06-23 17:15:27 CEST
(In reply to Shlomi Fish from comment #3)
> Based on reading the description here -
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813406 and studying the
> code, I don't think we are affected.

Great, thanks :-)

So only Mageia 5 needs to be fixed

Comment 5 Shlomi Fish 2016-06-23 17:28:36 CEST
(In reply to Shlomi Fish from comment #3)
> Based on reading the description here -
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813406 and studying the
> code, I don't think we are affected.

Actually this line in system_linux.c looks a little suspicious in this respect:

463:    s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

But I'm not sure if we're affected.

Comment 6 David Walser 2016-06-23 19:17:29 CEST
Given the range of versions that Debian patched, I don't see how our Mageia 5 package wouldn't be affected.  As for Cauldron, I would hope that a known issue like this would be fixed in the latest upstream Samba.

Comment 7 Shlomi Fish 2016-07-16 13:18:08 CEST
Hi all,

I uploaded ctdb-2.5.3-3.1.mga5 to mga5's core/updates_testing with the patch. Assigning to QA for testing.

Status: NEW => ASSIGNED
Assignee: shlomif => qa-bugs

Comment 8 David Walser 2016-07-17 17:15:42 CEST
Advisory:
========================

Updated ctdb package fixes security vulnerability:

The kernel fix for CVE-2015-8543 uncovered a bug in ctdb, leading to broken
clusters.  The ctdb package has been patched to fix this issue.

References:
https://www.debian.org/security/2016/dsa-3426

Dave Hodgins 2016-08-18 22:55:14 CEST

Keywords: (none) => validated_update
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Dave Hodgins 2016-08-18 22:57:04 CEST
Just testing that the update installs cleanly

Whiteboard: advisory => advisory MGA5-64-OK

Comment 10 Mageia Robot 2016-08-31 17:33:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0281.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

