897926 – (CVE-2022-48340, CVE-2023-26253) sys-cluster/glusterfs: multiple vulnerabilities

Bug 897926 (CVE-2022-48340, CVE-2023-26253) - sys-cluster/glusterfs: multiple vulnerabilities

Summary: sys-cluster/glusterfs: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2022-48340, CVE-2023-26253

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Jaco Kroon

URL:
Whiteboard:	B? [upstream]
Keywords:

Depends on:
Blocks:

Reported:	2023-02-26 17:48 UTC by John Helmert III
Modified:	2023-05-12 15:48 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-02-26 17:48:33 UTC

CVE-2022-48340 (https://github.com/gluster/glusterfs/issues/3732):

In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.

Comment 1 John Helmert III archtester

2023-02-26 17:50:28 UTC

CVE-2023-26253 (https://github.com/gluster/glusterfs/issues/3954):

In Gluster GlusterFS 11.0, there is an xlators/mount/fuse/src/fuse-bridge.c notify stack-based buffer over-read.

Comment 2 Jaco Kroon 2023-02-26 18:18:07 UTC

We don't currently have 11.0 in the tree.  Due to vagueness of the actual reports it's unclear if the same applies to <11.0 releases.  Would have to track the fix commits and then see when they were introduced.

Comment 3 Jaco Kroon 2023-05-09 12:54:43 UTC

This doesn't apply to glusterfs < 11 as far as I can determine.

Comment 4 John Helmert III archtester

2023-05-12 15:48:27 UTC

(In reply to Jaco Kroon from comment #3)
> This doesn't apply to glusterfs < 11 as far as I can determine.

But the upstream bugs aren't closed? Why?