670088 – (CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661) <sys-cluster/glusterfs-4.1.8: Multiple vulnerabilities (CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661)

Bug 670088 (CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661) - <sys-cluster/glusterfs-4.1.8: Multiple vulnerabilities (CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661)

Summary: <sys-cluster/glusterfs-4.1.8: Multiple vulnerabilities (CVE-2018-14651, CVE-2...

Status:	RESOLVED FIXED

Alias:	CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:	B3 [glsa cve]
Keywords:

Depends on:
Blocks:	CVE-2018-10841 CVE-2018-10904, CVE-2018-10907, CVE-2018-10911, CVE-2018-10913, CVE-2018-10914, CVE-2018-10923, CVE-2018-10924, CVE-2018-10926, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930
	Show dependency tree

Reported:	2018-11-01 13:49 UTC by Vlad K.
Modified:	2019-08-12 23:47 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2018-1088 658700 CVE-2018-10841
Package list:	=sys-cluster/glusterfs-4.1.8
Runtime testing required:	Yes

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vlad K. 2018-11-01 13:49:00 UTC

* CVE-2018-14651

  https://www.redhat.com/security/data/cve/CVE-2018-14651.html

  It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929,
  CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated
  attacker could use one of these flaws to execute arbitrary code, create
  arbitrary files, or cause denial of service on glusterfs server nodes via
  symlinks to relative paths.


* CVE-2018-14652

  https://www.redhat.com/security/data/cve/CVE-2018-14652.html

  A buffer overflow was found in strncpy of the pl_getxattr() function. An
  authenticated attacker could remotely overflow the buffer by sending a buffer
  of larger length than the size of the key resulting in remote denial of
  service.


* CVE-2018-14653

  https://www.redhat.com/security/data/cve/CVE-2018-14653.html

  A buffer overflow on the heap was found in gf_getspec_req RPC request. A
  remote, authenticated attacker could use this flaw to cause denial of service
  and read arbitrary files on glusterfs server node.


* CVE-2018-14654 

  https://www.redhat.com/security/data/cve/CVE-2018-14654.html

  A flaw was found in the way glusterfs server handles client requests. A
  remote, authenticated attacker could set arbitrary values for the
  GF_XATTROP_ENTRY_IN_KEY and GF_XATTROP_ENTRY_OUT_KEY during xattrop file
  operation resulting in creation and deletion of arbitrary files on glusterfs
  server node.


* CVE-2018-14659

  https://www.redhat.com/security/data/cve/CVE-2018-14659.html

  A flaw was found in glusterfs server which allowed clients to create io-stats
  dumps on server node. A remote, authenticated attacker could use this flaw to
  create io-stats dump on a server without any limitation and utilizing all
  available inodes resulting in remote denial of service.


* CVE-2018-14660 

  https://www.redhat.com/security/data/cve/CVE-2018-14660.html

  A flaw was found in glusterfs server which allowed repeated usage of
  GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw
  to create multiple locks for single inode by using setxattr repetitively
  resulting in memory exhaustion of glusterfs server node.


* CVE-2018-14661

  https://www.redhat.com/security/data/cve/CVE-2018-14661.html

  It was found that usage of snprintf function in feature/locks translator of
  glusterfs server was vulnerable to a format string attack. A remote,
  authenticated attacker could use this flaw to cause remote denial of service.


--
Gentoo Security Scout
Vladimir Krstulja

Comment 1 Yury German Gentoo Infrastructure

2019-03-24 12:34:41 UTC

Maintainers please confirm but this looks like it was picked for 4.1.6.
Appropriate fixes:

CVE-2018-14651: https://review.gluster.org/#/c/glusterfs/+/21589/ 
CVE-2018-14652: https://review.gluster.org/#/c/glusterfs/+/21535/
CVE-2018-14653: https://review.gluster.org/#/c/glusterfs/+/21614/
CVE-2018-14654: https://review.gluster.org/#/c/glusterfs/+/21559/
CVE-2018-14659: https://review.gluster.org/#/c/glusterfs/+/21590/
CVE-2018-14660: https://review.gluster.org/#/c/glusterfs/+/21603/
CVE-2018-14661: https://review.gluster.org/#/c/glusterfs/+/21532/

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2019-03-28 20:25:23 UTC

(In reply to Yury German from comment #1)
> Maintainers please confirm but this looks like it was picked for 4.1.6.
> Appropriate fixes:
> 
> CVE-2018-14651: https://review.gluster.org/#/c/glusterfs/+/21589/ 
> CVE-2018-14652: https://review.gluster.org/#/c/glusterfs/+/21535/
> CVE-2018-14653: https://review.gluster.org/#/c/glusterfs/+/21614/
> CVE-2018-14654: https://review.gluster.org/#/c/glusterfs/+/21559/
> CVE-2018-14659: https://review.gluster.org/#/c/glusterfs/+/21590/
> CVE-2018-14660: https://review.gluster.org/#/c/glusterfs/+/21603/
> CVE-2018-14661: https://review.gluster.org/#/c/glusterfs/+/21532/

Agreed.  Latest version is 4.1.8 with additional fixes as well.

Comment 3 Larry the Git Cow gentoo-dev

2019-03-28 20:43:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ad0e566365b914c27b06a36e7a26209c957511c

commit 7ad0e566365b914c27b06a36e7a26209c957511c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-03-28 20:40:20 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-03-28 20:43:19 +0000

    sys-cluster/glusterfs: bup to fix outstanding security issues
    
    * This bump addresses multiple CVEs that have been fixed upstream
    
    Bug: https://bugs.gentoo.org/658606
    Bug: https://bugs.gentoo.org/664336
    Bug: https://bugs.gentoo.org/670088
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 sys-cluster/glusterfs/Manifest               |   1 +
 sys-cluster/glusterfs/glusterfs-4.1.8.ebuild | 226 +++++++++++++++++++++++++++
 2 files changed, 227 insertions(+)

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2019-03-28 20:46:52 UTC

@arches, please stabilize.

Comment 5 Agostino Sarubbo gentoo-dev

2019-03-30 10:46:55 UTC

amd64 stable

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2019-04-02 04:28:24 UTC

This issue was resolved and addressed in
 GLSA 201904-06 at https://security.gentoo.org/glsa/201904-06
by GLSA coordinator Aaron Bauman (b-man).

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2019-04-02 04:29:00 UTC

re-opened for final arches and cleanup.

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-07 21:49:22 UTC

ppc64 stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-08 06:09:38 UTC

ppc stable

Comment 10 Ultrabug gentoo-dev

2019-04-14 10:58:00 UTC

Only x86 arch left and I can drop vulnerable 4.1.5 from tree, all the rest I dropped already

Comment 11 Agostino Sarubbo gentoo-dev

2019-06-05 07:47:37 UTC

x86 stable.

Maintainer(s), please cleanup.

Comment 12 Ultrabug gentoo-dev

2019-06-05 15:46:28 UTC

cleanup done