From ${URL} :
A flaw was found in glusterfs. A null pointer dereference in the send_brick_req function in glusterfsd/src/gf_attach.c may cause denial of service.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1502928
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I gather 3.10 and earlier were affected. I bumped to 3.12.3 and cleared all the older unstable versions anyway since they had other issues. Arch teams, please do your thing.
amd64 stable
ppc/ppc64 stable
x86 stable
@ Maintainer(s): Please cleanup and drop <sys-cluster/glusterfs-3.12.3!
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd3ee9c37a203fefe6c6de23136aa1542ea398ce
commit dd3ee9c37a203fefe6c6de23136aa1542ea398ce
Author: James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2017-11-28 10:08:04 +0000
Commit: James Le Cuirot <chewi@gentoo.org>
CommitDate: 2017-11-28 10:08:04 +0000
    sys-cluster/glusterfs: Drop vulnerable 3.6.5
    Bug: https://bugs.gentoo.org/635172
    Closes: https://bugs.gentoo.org/635172
    Closes: https://bugs.gentoo.org/635172
    Package-Manager: Portage-2.3.16, Repoman-2.3.6
 sys-cluster/glusterfs/Manifest | 1 -
 sys-cluster/glusterfs/files/glusterd-r2.initd | 32 --
 .../files/glusterfs-3.4.0-silent_rules.patch | 23 -
 ...libraries-using-LIBADD-instead-of-LDFLAGS.patch | 54 --
 .../files/glusterfs-3.6.5-build-shared-only.patch | 547 ---------------------
 sys-cluster/glusterfs/glusterfs-3.6.5.ebuild | 182 -------
 6 files changed, 839 deletions(-)
Additionally, it has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd3ee9c37a203fefe6c6de23136aa1542ea398ce
Sorry, did a stupid in the commit message there. Old is removed now.
(In reply to James Le Cuirot from comment #6)
> Sorry, did a stupid in the commit message there. Old is removed now.
No problem, thanks for cleaning up.
GLSA Vote: No
glusterd-3.13.3 compiles on amd64, but doesn't work on some amd64 machines. /etc/init.d/glusterd does not start, because /usr/sbin/glusterd fails with a segmentation fault. see https://bugzilla.redhat.com/show_bug.cgi?id=1519315
(In reply to Erik Zscheile from comment #8)
> glusterd-3.13.3 compiles on amd64, but doesn't work on some amd64 machines.
Hmm. I was using 3.12.2 for a little while and it was fine. Admittedly I didn't really try 3.12.3. Could you try 3.12.2? I think it would just be a case of renaming the ebuild.
(In reply to James Le Cuirot from comment #9)
> (In reply to Erik Zscheile from comment #8)
> > glusterd-3.13.3 compiles on amd64, but doesn't work on some amd64 machines.
>
> Hmm. I was using 3.12.2 for a little while and it was fine. Admittedly I
> didn't really try 3.12.3. Could you try 3.12.2? I think it would just be a
> case of renaming the ebuild.
glusterfs-3.12.2 with libtirpc doesn't work.
glusterfs-3.12.2 without libtirpc works.
(In reply to Erik Zscheile from comment #10)
> glusterfs-3.12.2 with libtirpc doesn't work.
> glusterfs-3.12.2 without libtirpc works.
ok, glusterfs-3.12.3 with =net-libs/libtirpc-1.0.1-r1 works,
but not with =net-libs/libtirpc-1.0.2-r1.
(In reply to Erik Zscheile from comment #11)
> (In reply to Erik Zscheile from comment #10)
> > glusterfs-3.12.2 with libtirpc doesn't work.
> > glusterfs-3.12.2 without libtirpc works.
>
> ok, glusterfs-3.12.3 with =net-libs/libtirpc-1.0.1-r1 works,
> but not with =net-libs/libtirpc-1.0.2-r1.
Thanks for tracking this down. Are you able to take this to libtirpc upstream? I'm not the maintainer for that package (or even this package) and I don't know anything about it so I'm not in a position to mask it.
I tested glusterfs-3.12.3[libtirpc] again and it fails, now even with libtirpc-1.0.1-r1
(In reply to Erik Zscheile from comment #13)
> I tested glusterfs-3.12.3[libtirpc] again and it fails, now even with
> libtirpc-1.0.1-r1
Oh dear. This may be down to using libtirpc at all as we were using the RPC stuff bundled with glibc until 2.26. I see you're still on 2.25. You're sure that it works when not using libtirpc at all? If so, I'll alert dilfridge as he may have a clue here.
The segfault bug specially doesn't occur and I haven't discovered other bugs yet. glibc-2.25 is stable and without libtirpc works with glusterfs.
(In reply to Erik Zscheile from comment #15)
> The segfault bug specially doesn't occur and I haven't discovered other bugs
> yet. glibc-2.25 is stable and without libtirpc works with glusterfs.
Okay, I'll let dilfridge know but you should open a new bug report so we can stop annoying the security guys.
https://bugs.gentoo.org/639838