Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 897926 (CVE-2022-48340, CVE-2023-26253)

Summary: sys-cluster/glusterfs: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Jaco Kroon <jaco>
Status: CONFIRMED ---    
Severity: normal CC: cluster, jpds, proxy-maint, security
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B? [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:48:33 UTC 
CVE-2022-48340 (https://github.com/gluster/glusterfs/issues/3732):

In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:50:28 UTC 
CVE-2023-26253 (https://github.com/gluster/glusterfs/issues/3954):

In Gluster GlusterFS 11.0, there is an xlators/mount/fuse/src/fuse-bridge.c notify stack-based buffer over-read.
Comment 2 Jaco Kroon 2023-02-26 18:18:07 UTC 
We don't currently have 11.0 in the tree.  Due to vagueness of the actual reports it's unclear if the same applies to <11.0 releases.  Would have to track the fix commits and then see when they were introduced.
Comment 3 Jaco Kroon 2023-05-09 12:54:43 UTC 
This doesn't apply to glusterfs < 11 as far as I can determine.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-12 15:48:27 UTC 
(In reply to Jaco Kroon from comment #3)
> This doesn't apply to glusterfs < 11 as far as I can determine.

But the upstream bugs aren't closed? Why?