Bug 334087 (CVE-2010-2526) - <sys-fs/lvm2-2.02.72: local DoS (CVE-2010-2526)
Summary: <sys-fs/lvm2-2.02.72: local DoS (CVE-2010-2526)
Status: RESOLVED FIXED
Alias: CVE-2010-2526
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 324507 327689
Blocks:
Reported: 2010-08-23 15:17 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-12-12 00:35 UTC (History)
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-23 15:17:48 UTC
The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands.

We have an ebuild in portage, and I suggest we stabilize it. I'm not adding arches because the severity seems to be relatively low.
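The flaw described above is a missing peer-credential check on a local socket. As an added illustration (not code from this bug, from LVM2 or from the fix), this is how a daemon on Linux can ask the kernel who is on the other end of an AF_UNIX connection via SO_PEERCRED and fail closed; the root-only policy and the socketpair() self-check are constructed for the example.

```c
// Added example, not LVM2 code: kernel-asserted peer credentials on an
// AF_UNIX socket, the kind of check clvmd lacked before 2.02.72.
// Assumes Linux (SO_PEERCRED, struct ucred). The "only uid 0 may issue
// control commands" policy is a constructed placeholder.
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>
#include <errno.h>

/* Fetch the uid/gid/pid the kernel recorded for the peer of a connected
 * AF_UNIX socket. Unlike an identity carried in the request payload, the
 * client cannot forge these. Returns 0 on success, -1 with errno on failure. */
int get_peer_creds(int fd, struct ucred *out) {
    socklen_t len = sizeof(*out);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) < 0)
        return -1;
    if (len != sizeof(*out)) { errno = EPROTO; return -1; }
    return 0;
}

/* Authorization decision for one accepted connection: 1 = allow, 0 = deny.
 * Any failure to obtain credentials is treated as deny (fail closed). */
int peer_allowed(int fd) {
    struct ucred cr;
    if (get_peer_creds(fd, &cr) < 0) return 0;
    return cr.uid == 0;
}

/* Self-check without a real daemon: socketpair() puts this process on both
 * ends, so the reported peer uid/pid must be our own. Returns 1 on success. */
int socketpair_peer_uid_matches_self(void) {
    int sv[2];
    struct ucred cr;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int ok = get_peer_creds(sv[0], &cr) == 0
          && cr.uid == getuid() && cr.pid == getpid();
    close(sv[0]); close(sv[1]);
    return ok;
}

/* Applies the policy to ourselves over a socketpair: equals (getuid() == 0). */
int socketpair_self_allowed(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int ok = peer_allowed(sv[0]);
    close(sv[0]); close(sv[1]);
    return ok;
}
```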
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-08-23 18:26:57 UTC
Arches, please stabilize =sys-fs/lvm2-2.02.73.
target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

The following are also needed at the same time for safe stabilization:
=sys-fs/udev-151-r4 (bug 324507)
=sys-fs/cryptsetup-1.1.2 (bug 327689)
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-24 02:11:40 UTC
x86 stable
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-08-24 22:04:31 UTC
amd64 done
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-25 16:28:09 UTC
(In reply to comment #1)
> =sys-fs/udev-151-r4 (bug 324507)

HPPA needs a glibc patch before >sys-fs/udev-146 works properly.
Comment 5 Markus Meier gentoo-dev 2010-08-28 08:08:58 UTC
arm stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-08-28 19:10:59 UTC
alpha/ia64/s390/sh/sparc stable

@amd64: the version requested is .73, not .72
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2010-08-28 22:38:24 UTC
(In reply to comment #6)
> alpha/ia64/s390/sh/sparc stable
> 
> @amd64: the version requested is .73, not .72
> 

Sorry my bad :-/ 

amd64 done again

Comment 8 Tony Vroon (RETIRED) gentoo-dev 2010-09-01 15:35:19 UTC
Arches, please stable 2.02.73-r1 which fixes a linking bug that breaks snapshotting. See bug #335205 for further information.
Comment 9 Tony Vroon (RETIRED) gentoo-dev 2010-09-01 16:09:24 UTC
+  01 Sep 2010; <chainsaw@gentoo.org> lvm2-2.02.73-r1.ebuild:
+  Fast tracking to AMD64 stable, --as-needed breakage fixed by Diego E.
+  "Flameeyes" Pettenò; closes bug #335205. For security bug #327689.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-01 20:06:09 UTC
CVE-2010-2526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526):
  The cluster logical volume manager daemon (clvmd) in lvm2-cluster in
  LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and
  other products, does not verify client credentials upon a socket
  connection, which allows local users to cause a denial of service
  (daemon exit or logical-volume change) or possibly have unspecified
  other impact via crafted control commands.

Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-03 04:29:53 UTC
x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-09-04 11:22:59 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:42:14 UTC
ppc64 done
Comment 14 Samuli Suominen (RETIRED) gentoo-dev 2010-09-07 10:57:06 UTC
(In reply to comment #13)
> ppc64 done
> 

ppc64 stabilized wrong version, should be 2.02.73-r1
Comment 15 Joe Jezak (RETIRED) gentoo-dev 2010-09-09 03:23:51 UTC
Marked ppc/ppc64 (the right version) stable.
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-29 06:19:29 UTC
Stable for HPPA.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 07:10:45 UTC
@ppc64, are you able to stabilize =sys-fs/2.02.73-r1 ? 

Thank you.
Comment 18 Brent Baude (RETIRED) gentoo-dev 2010-11-25 15:31:35 UTC
ppc64 done
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2010-11-25 15:35:12 UTC
GLSA request filed.
Comment 20 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-09-13 06:41:25 UTC
security:
what is the status of this?
Comment 21 Tim Sammut (RETIRED) gentoo-dev 2011-09-13 15:42:33 UTC
@ppc, looks like we missed this somehow. Please stabilize =sys-fs/lvm2-2.02.73-r1. Thank you.


(In reply to comment #20)
> security:
> what is the status of this?

Robin, are you referring to the missed ppc stabilization, or something else?
Comment 22 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-22 11:33:06 UTC
ppc stable, last arch done
Comment 23 Tim Sammut (RETIRED) gentoo-dev 2011-09-22 14:18:35 UTC
Thanks again, folks. Reverting to [glsa].
Comment 24 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-03-27 02:37:57 UTC
security:
this has been pending a GLSA for many months now?
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:35:58 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).