Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 587568 (CVE-2016-5009) - <sys-cluster/ceph-{9.2.1-r2,10.2.2-r1}: mon_command crashes ceph monitors on receiving empty prefix (CVE-2016-5009)
Summary: <sys-cluster/ceph-{9.2.1-r2,10.2.2-r1}: mon_command crashes ceph monitors on ...
Alias: CVE-2016-5009
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: 586128
  Show dependency tree
Reported: 2016-06-30 09:04 UTC by Agostino Sarubbo
Modified: 2016-07-07 23:29 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-30 09:04:05 UTC
From ${URL} :

Ceph monitors crash when an empty prefix is sent to mon_command by
User who has access to rados can crash ceph monitors by sending empty prefix
to mon_command via

upstream fixes:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Patrick McLean gentoo-dev 2016-07-01 00:02:56 UTC
Fixed for 9.2 and 10.2 series:

Current patch does not apply to older 0.80 and 0.94 series
Comment 2 Yixun Lan archtester gentoo-dev 2016-07-01 02:13:39 UTC
Arches, please test and mark stable:
Target keywords: "amd64 x86"

Note: this bug depend on 586128
Comment 3 Agostino Sarubbo gentoo-dev 2016-07-01 08:29:45 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-07-01 08:31:24 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Patrick McLean gentoo-dev 2016-07-01 17:55:58 UTC
Cleanup done.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-07-06 04:16:09 UTC
CVE-2016-5009 (
  A flaw was found in the way handle_command() function would validate prefix
  value from user. An authenticated attacker could send a specially crafted
  prefix value resulting in ceph monitor crash.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-07-06 04:17:14 UTC
GLSA Vote: No
Comment 8 Lionel Bouton 2016-07-06 12:29:36 UTC
Is removing 0.94.x package the right solution here ? I'm surprised that a supported LTS version (0.94.x aka Hammer is LTS and is still supported upstream) doesn't have a patch available for CVE-2016-5009.

Removing Hammer packages when Firefly was the last stable version removes any upstream supported upgrade path (only Firefly -> Hammer -> Jewel is supported).

Has anyone verified that the Firefly -> Infernalis upgrade works on Gentoo ?

I ask because just before 0.80.10-r1 was removed it was reinstalled on several of our existing 0.80 installation (due to a USE flag change, as we removed "xfs") and the init scripts wanted all processes to run as a ceph user (which was not created) after that (init.d file was changed to start processes as the ceph user).
Running as ceph is how upstream advise Ceph to run for later version but this wasn't the case for Firefly. I had to manually create the user and chmod all files to start 0.80.10-r1 processes. This was not a big problem, but not one that I expected, especially as the first daemon restart was not done until several days after the reinstall.

I have new servers to install on our Ceph cluster and given :
- no upstream support for 0.80.x to 9.2.x upgrade,
- this past init.d glitch,
I'd like to be sure that migrating everything to a version not supported upstream anymore (which is the only path available right now) will at least be supported by Gentoo devs.

So was the upgrade tested ? Or is a 0.94.x package in the works ?
Comment 9 Lionel Bouton 2016-07-06 13:40:41 UTC
Extract from the Infernalis (9.2.x) release announcement

-- BEGIN --
Upgrading directly from Firefly v0.80.z is not recommended. It is possible to do a direct upgrade, but not without downtime. We recommend that clusters are first upgraded to Hammer v0.94.4 or a later v0.94.z release; only then is it possible to upgrade to Infernalis 9.2.z for an online upgrade (see below).
-- END --

We use Ceph to avoid downtime of our VMs, so we'll have to fetch an Hammer ebuild from archives if Gentoo doesn't package it.

In the current situation users who aren't aware of the upgrade limitations might have a very difficult time when they try to update their clusters and VMs crash/freeze...
Comment 10 Lionel Bouton 2016-07-07 15:09:02 UTC
Hammer fix has been merged in the hammer branch (so a 0.94.7 with this patch or the future 0.94.8 will not be affected) :

I'm not sure if I should open another bug about the lack of no-downtime upgrade path for current Gentoo Ceph installations and pointing to this patch or if someone should reopen this bug.

From a security point of view the bug is fixed but from an usability point of view Ceph is broken by the fix.
Comment 11 Yixun Lan archtester gentoo-dev 2016-07-07 23:29:49 UTC
hi Lionel Bouton, we decide to keep at least two LTS[0] versions in tree, which means I will get hammer (0.94.x) back, this should address your problem.

thanks for bringing this up