Bug 670088 (CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661) - <sys-cluster/glusterfs-4.1.8: Multiple vulnerabilities (CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661)
Status: RESOLVED FIXED
Alias: CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2018-10841 CVE-2018-10904, CVE-2018-10907, CVE-2018-10911, CVE-2018-10913, CVE-2018-10914, CVE-2018-10923, CVE-2018-10924, CVE-2018-10926, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930
Reported: 2018-11-01 13:49 UTC by Vlad K.
Modified: 2019-08-12 23:47 UTC

See Also:
Package list:
=sys-cluster/glusterfs-4.1.8
Runtime testing required: Yes
stable-bot: sanity-check+


Description Vlad K. 2018-11-01 13:49:00 UTC
* CVE-2018-14651

  https://www.redhat.com/security/data/cve/CVE-2018-14651.html

  It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929,
  CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated
  attacker could use one of these flaws to execute arbitrary code, create
  arbitrary files, or cause denial of service on glusterfs server nodes via
  symlinks to relative paths.


* CVE-2018-14652

  https://www.redhat.com/security/data/cve/CVE-2018-14652.html

  A buffer overflow was found in strncpy of the pl_getxattr() function. An
  authenticated attacker could remotely overflow the buffer by sending a buffer
  of larger length than the size of the key resulting in remote denial of
  service.


* CVE-2018-14653

  https://www.redhat.com/security/data/cve/CVE-2018-14653.html

  A buffer overflow on the heap was found in gf_getspec_req RPC request. A
  remote, authenticated attacker could use this flaw to cause denial of service
  and read arbitrary files on glusterfs server node.


* CVE-2018-14654 

  https://www.redhat.com/security/data/cve/CVE-2018-14654.html

  A flaw was found in the way glusterfs server handles client requests. A
  remote, authenticated attacker could set arbitrary values for the
  GF_XATTROP_ENTRY_IN_KEY and GF_XATTROP_ENTRY_OUT_KEY during xattrop file
  operation resulting in creation and deletion of arbitrary files on glusterfs
  server node.


* CVE-2018-14659

  https://www.redhat.com/security/data/cve/CVE-2018-14659.html

  A flaw was found in glusterfs server which allowed clients to create io-stats
  dumps on server node. A remote, authenticated attacker could use this flaw to
  create io-stats dump on a server without any limitation and utilizing all
  available inodes resulting in remote denial of service.


* CVE-2018-14660 

  https://www.redhat.com/security/data/cve/CVE-2018-14660.html

  A flaw was found in glusterfs server which allowed repeated usage of
  GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw
  to create multiple locks for single inode by using setxattr repetitively
  resulting in memory exhaustion of glusterfs server node.


* CVE-2018-14661

  https://www.redhat.com/security/data/cve/CVE-2018-14661.html

  It was found that usage of snprintf function in feature/locks translator of
  glusterfs server was vulnerable to a format string attack. A remote,
  authenticated attacker could use this flaw to cause remote denial of service.


--
Gentoo Security Scout
Vladimir Krstulja
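
The two memory-safety classes named in the description above (the strncpy bounded by a client-supplied length in CVE-2018-14652 and the snprintf format string in CVE-2018-14661), as an added C example that is not GlusterFS code and not part of the original report. `KEY_MAX`, `copy_key_checked` and `format_lock_key` are hypothetical names; the vulnerable forms appear only as comments beside the hardened ones.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX 64 /* assumed capacity of the server-side key buffer */

/* Vulnerable pattern (CVE-2018-14652 class), comment only:
 *     char key[KEY_MAX];
 *     strncpy(key, client_buf, client_len);   bound is the sender's length
 * The bound must be the destination capacity, never a peer-supplied length. */

/* Copy a client key of client_len bytes into dst (capacity dst_size).
 * Returns 0 on success, -ENAMETOOLONG if key plus NUL does not fit. */
int copy_key_checked(char *dst, size_t dst_size,
                     const char *client_buf, size_t client_len)
{
    if (dst == NULL || client_buf == NULL || dst_size == 0)
        return -EINVAL;
    if (client_len >= dst_size)        /* reject instead of truncating */
        return -ENAMETOOLONG;
    memcpy(dst, client_buf, client_len);
    dst[client_len] = '\0';
    return 0;
}

/* Vulnerable pattern (CVE-2018-14661 class), comment only:
 *     snprintf(out, out_size, client_str);    client data used as format
 * Hardened: constant format string, client data passed only as an argument. */
int format_lock_key(char *out, size_t out_size,
                    const char *prefix, const char *client_str)
{
    int n = snprintf(out, out_size, "%s.%s", prefix, client_str);
    if (n < 0 || (size_t)n >= out_size) /* encoding error or truncation */
        return -ENAMETOOLONG;
    return n;                           /* bytes written, excluding NUL */
}

int main(void)
{
    char key[KEY_MAX], out[KEY_MAX], big[KEY_MAX + 16];
    memset(big, 'A', sizeof big);       /* constructed oversized input */
    printf("oversized: %d\n", copy_key_checked(key, sizeof key, big, sizeof big));
    printf("fits: %d\n", copy_key_checked(key, sizeof key, "user.demo", 9));
    int n = format_lock_key(out, sizeof out, "lk", "%x%n%s");
    printf("format specifiers kept literal: %d %s\n", n, out);
    return 0;
}
```
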
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-03-24 12:34:41 UTC
Maintainers please confirm but this looks like it was picked for 4.1.6.
Appropriate fixes:

CVE-2018-14651: https://review.gluster.org/#/c/glusterfs/+/21589/ 
CVE-2018-14652: https://review.gluster.org/#/c/glusterfs/+/21535/
CVE-2018-14653: https://review.gluster.org/#/c/glusterfs/+/21614/
CVE-2018-14654: https://review.gluster.org/#/c/glusterfs/+/21559/
CVE-2018-14659: https://review.gluster.org/#/c/glusterfs/+/21590/
CVE-2018-14660: https://review.gluster.org/#/c/glusterfs/+/21603/
CVE-2018-14661: https://review.gluster.org/#/c/glusterfs/+/21532/
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-28 20:25:23 UTC
(In reply to Yury German from comment #1)
> Maintainers please confirm but this looks like it was picked for 4.1.6.
> Appropriate fixes:
> 
> CVE-2018-14651: https://review.gluster.org/#/c/glusterfs/+/21589/ 
> CVE-2018-14652: https://review.gluster.org/#/c/glusterfs/+/21535/
> CVE-2018-14653: https://review.gluster.org/#/c/glusterfs/+/21614/
> CVE-2018-14654: https://review.gluster.org/#/c/glusterfs/+/21559/
> CVE-2018-14659: https://review.gluster.org/#/c/glusterfs/+/21590/
> CVE-2018-14660: https://review.gluster.org/#/c/glusterfs/+/21603/
> CVE-2018-14661: https://review.gluster.org/#/c/glusterfs/+/21532/

Agreed.  Latest version is 4.1.8 with additional fixes as well.
Comment 3 Larry the Git Cow gentoo-dev 2019-03-28 20:43:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ad0e566365b914c27b06a36e7a26209c957511c

commit 7ad0e566365b914c27b06a36e7a26209c957511c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-03-28 20:40:20 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-03-28 20:43:19 +0000

    sys-cluster/glusterfs: bump to fix outstanding security issues
    
    * This bump addresses multiple CVEs that have been fixed upstream
    
    Bug: https://bugs.gentoo.org/658606
    Bug: https://bugs.gentoo.org/664336
    Bug: https://bugs.gentoo.org/670088
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 sys-cluster/glusterfs/Manifest               |   1 +
 sys-cluster/glusterfs/glusterfs-4.1.8.ebuild | 226 +++++++++++++++++++++++++++
 2 files changed, 227 insertions(+)
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-28 20:46:52 UTC
@arches, please stabilize.
Comment 5 Agostino Sarubbo gentoo-dev 2019-03-30 10:46:55 UTC
amd64 stable
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2019-04-02 04:28:24 UTC
This issue was resolved and addressed in
 GLSA 201904-06 at https://security.gentoo.org/glsa/201904-06
by GLSA coordinator Aaron Bauman (b-man).
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-02 04:29:00 UTC
re-opened for final arches and cleanup.
Comment 8 Sergei Trofimovich gentoo-dev 2019-04-07 21:49:22 UTC
ppc64 stable
Comment 9 Sergei Trofimovich gentoo-dev 2019-04-08 06:09:38 UTC
ppc stable
Comment 10 Ultrabug gentoo-dev 2019-04-14 10:58:00 UTC
Only x86 arch left and I can drop vulnerable 4.1.5 from tree, all the rest I dropped already
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-05 07:47:37 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 12 Ultrabug gentoo-dev 2019-06-05 15:46:28 UTC
cleanup done