Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658606 (CVE-2018-10841) - <sys-cluster/glusterfs-4.1.8: access trusted peer group via remote-host command (CVE-2018-10841)
Summary: <sys-cluster/glusterfs-4.1.8: access trusted peer group via remote-host comma...
Status: RESOLVED FIXED
Alias: CVE-2018-10841
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://review.gluster.org/#/c/20328/
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on: CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661
Blocks:
  Show dependency tree
 
Reported: 2018-06-20 19:49 UTC by Florian Schuhmacher
Modified: 2019-04-02 04:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schuhmacher 2018-06-20 19:49:04 UTC
A flaw was found in glusterfs which can lead to privilege escalation on 
gluster server nodes.

It was found that any gluster client authenticated via TLS could use
gluster cli with --remote-host command to add itself to gluster trusted 
pool and perform all gluster operations like peer probe itself or other 
machines, start, stop, delete volumes etc.


Gentoo Security Scout
Florian Schuhmacher
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-06-22 11:05:44 UTC
Upstream patch: http://git.gluster.org/cgit/glusterfs.git/commit/?id=e8d928e34680079e42be6947ffacc4ddd7defca2
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-03-24 13:09:33 UTC
Maintainers, please confirm.

https://review.gluster.org/#/c/glusterfs/+/20328/
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-03-28 20:19:36 UTC
Upstream released 4.1.8... 22 hours ago and the patch is in that release.
Comment 4 Larry the Git Cow gentoo-dev 2019-03-28 20:43:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ad0e566365b914c27b06a36e7a26209c957511c

commit 7ad0e566365b914c27b06a36e7a26209c957511c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-03-28 20:40:20 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-03-28 20:43:19 +0000

    sys-cluster/glusterfs: bup to fix outstanding security issues
    
    * This bump addresses multiple CVEs that have been fixed upstream
    
    Bug: https://bugs.gentoo.org/658606
    Bug: https://bugs.gentoo.org/664336
    Bug: https://bugs.gentoo.org/670088
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 sys-cluster/glusterfs/Manifest               |   1 +
 sys-cluster/glusterfs/glusterfs-4.1.8.ebuild | 226 +++++++++++++++++++++++++++
 2 files changed, 227 insertions(+)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-04-02 04:28:01 UTC
This issue was resolved and addressed in
 GLSA 201904-06 at https://security.gentoo.org/glsa/201904-06
by GLSA coordinator Aaron Bauman (b-man).