Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 897926 (CVE-2022-48340, CVE-2023-26253) - sys-cluster/glusterfs: multiple vulnerabilities
Summary: sys-cluster/glusterfs: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-48340, CVE-2023-26253
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Jaco Kroon
URL:
Whiteboard: B? [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-26 17:48 UTC by John Helmert III
Modified: 2023-05-12 15:48 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:48:33 UTC
CVE-2022-48340 (https://github.com/gluster/glusterfs/issues/3732):

In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:50:28 UTC
CVE-2023-26253 (https://github.com/gluster/glusterfs/issues/3954):

In Gluster GlusterFS 11.0, there is an xlators/mount/fuse/src/fuse-bridge.c notify stack-based buffer over-read.
Comment 2 Jaco Kroon 2023-02-26 18:18:07 UTC
We don't currently have 11.0 in the tree.  Due to vagueness of the actual reports it's unclear if the same applies to <11.0 releases.  Would have to track the fix commits and then see when they were introduced.
Comment 3 Jaco Kroon 2023-05-09 12:54:43 UTC
This doesn't apply to glusterfs < 11 as far as I can determine.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-12 15:48:27 UTC
(In reply to Jaco Kroon from comment #3)
> This doesn't apply to glusterfs < 11 as far as I can determine.

But the upstream bugs aren't closed? Why?