glusterfs: Multiple security issues

Debian Bug report logs - #909215
Reported by: Markus Koschany <apo@debian.org>

Date: Wed, 19 Sep 2018 19:54:01 UTC

Severity: grave

Tags: security, upstream

Found in versions 4.1.3-1, 3.8.8-1

Fixed in version glusterfs/4.1.4-1

Done: Patrick Matthäi <pmatthaei@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#909215; Package glusterfs. (Wed, 19 Sep 2018 19:54:04 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Wed, 19 Sep 2018 19:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: glusterfs: Multiple security issues
Date: Wed, 19 Sep 2018 21:50:01 +0200
Package: glusterfs
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for glusterfs.

CVE-2018-10904[0]:
| It was found that glusterfs server does not properly sanitize file
| paths in the "trusted.io-stats-dump" extended attribute which is used
| by the "debug/io-stats" translator. An attacker can use this flaw to
| create files and execute arbitrary code. To exploit this, an attacker
| would require sufficient access to modify the extended attributes of
| files on a gluster volume.

CVE-2018-10907[1]:
| It was found that glusterfs server is vulnerable to multiple stack
| based buffer overflows due to functions in server-rpc-fops.c
| allocating fixed size buffers using 'alloca(3)'. An authenticated
| attacker could exploit this by mounting a gluster volume and sending a
| string longer than the fixed buffer size to cause a crash or potential
| code execution.

CVE-2018-10911[2]:
| A flaw was found in the way the dict_unserialize function of glusterfs
| does not handle negative key length values. An attacker could use this
| flaw to read memory from other locations into the stored dict value.

CVE-2018-10913[3]:
| An information disclosure vulnerability was discovered in glusterfs
| server. An attacker could issue an xattr request via glusterfs FUSE to
| determine the existence of any file.

CVE-2018-10914[4]:
| It was found that an attacker could issue an xattr request via
| glusterfs FUSE to cause the gluster brick process to crash, which will
| result in a remote denial of service. If gluster multiplexing is
| enabled this will result in a crash of multiple bricks and gluster
| volumes.

CVE-2018-10923[5]:
| It was found that the "mknod" call derived from mknod(2) can create
| files pointing to devices on a glusterfs server node. An authenticated
| attacker could use this to create an arbitrary device and read data
| from any device attached to the glusterfs server node.

CVE-2018-10926[6]:
| A flaw was found in RPC request using gfs3_mknod_req supported by
| glusterfs server. An authenticated attacker could use this flaw to
| write files to an arbitrary location via path traversal and execute
| arbitrary code on a glusterfs server node.

CVE-2018-10927[7]:
| A flaw was found in RPC request using gfs3_lookup_req in glusterfs
| server. An authenticated attacker could use this flaw to leak
| information and execute remote denial of service by crashing gluster
| brick process.

CVE-2018-10928[8]:
| A flaw was found in RPC request using gfs3_symlink_req in glusterfs
| server which allows symlink destinations to point to file paths
| outside of the gluster volume. An authenticated attacker could use
| this flaw to create arbitrary symlinks pointing anywhere on the server
| and execute arbitrary code on glusterfs server nodes.

CVE-2018-10929[9]:
| A flaw was found in RPC request using gfs2_create_req in glusterfs
| server. An authenticated attacker could use this flaw to create
| arbitrary files and execute arbitrary code on glusterfs server nodes.

CVE-2018-10930[10]:
| A flaw was found in RPC request using gfs3_rename_req in glusterfs
| server. An authenticated attacker could use this flaw to write to a
| destination outside the gluster volume.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10904
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10904
[1] https://security-tracker.debian.org/tracker/CVE-2018-10907
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10907
[2] https://security-tracker.debian.org/tracker/CVE-2018-10911
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10911
[3] https://security-tracker.debian.org/tracker/CVE-2018-10913
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10913
[4] https://security-tracker.debian.org/tracker/CVE-2018-10914
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10914
[5] https://security-tracker.debian.org/tracker/CVE-2018-10923
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10923
[6] https://security-tracker.debian.org/tracker/CVE-2018-10926
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10926
[7] https://security-tracker.debian.org/tracker/CVE-2018-10927
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10927
[8] https://security-tracker.debian.org/tracker/CVE-2018-10928
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10928
[9] https://security-tracker.debian.org/tracker/CVE-2018-10929
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10929
[10] https://security-tracker.debian.org/tracker/CVE-2018-10930
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10930

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

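The negative key length behind CVE-2018-10911 and the fixed-size stack buffers behind CVE-2018-10907 share one root cause: a length read from the network is used as a copy size before it is validated. The parser below is an added example, not GlusterFS code; it works over a constructed record layout, and the struct, caps and function name are assumptions, chosen to show the checks a hardened unserializer performs before it touches a fixed buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout for illustration only (not GlusterFS's real
 * dict serialization):  int32 key_len | int32 val_len | key | value,
 * both integers big-endian. Names and caps are assumptions. */
#define MAX_KEY_LEN 255
#define MAX_VAL_LEN 4096

struct kv {
    char key[MAX_KEY_LEN + 1];      /* fixed-size, so the cap must be enforced */
    const unsigned char *val;       /* points into the caller's buffer */
    size_t val_len;
};

static int32_t be32(const unsigned char *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Returns the number of bytes consumed, or 0 if the record is malformed.
 * Every length is validated before it is used as a copy size or offset. */
size_t kv_unserialize(const unsigned char *buf, size_t len, struct kv *out)
{
    if (len < 8)
        return 0;                       /* header does not fit */
    int32_t klen = be32(buf);
    int32_t vlen = be32(buf + 4);
    /* Signed lengths: a bare (size_t) cast turns -1 into SIZE_MAX and the
     * memcpy below would read far past the buffer. Reject them outright. */
    if (klen <= 0 || vlen < 0)
        return 0;
    if (klen > MAX_KEY_LEN || vlen > MAX_VAL_LEN)
        return 0;                       /* caps bound the fixed buffer */
    size_t rem = len - 8;               /* bytes available after the header */
    /* Ordered so the subtraction can never wrap around. */
    if ((size_t)klen > rem || (size_t)vlen > rem - (size_t)klen)
        return 0;
    memcpy(out->key, buf + 8, (size_t)klen);
    out->key[klen] = '\0';
    out->val = buf + 8 + klen;
    out->val_len = (size_t)vlen;
    return 8 + (size_t)klen + (size_t)vlen;
}
```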

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 Sep 2018 20:15:06 GMT)


Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Thu, 20 Sep 2018 10:51:14 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Thu, 20 Sep 2018 10:51:14 GMT)


Message #12 received at 909215-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 909215-close@bugs.debian.org
Subject: Bug#909215: fixed in glusterfs 4.1.4-1
Date: Thu, 20 Sep 2018 10:50:03 +0000
Source: glusterfs
Source-Version: 4.1.4-1

We believe that the bug you reported is fixed in the latest version of
glusterfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 909215@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated glusterfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 20 Sep 2018 11:29:33 +0200
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common
Architecture: source amd64
Version: 4.1.4-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 glusterfs-client - clustered file-system (client package)
 glusterfs-common - GlusterFS common libraries and translator modules
 glusterfs-server - clustered file-system (server package)
Closes: 909215
Changes:
 glusterfs (4.1.4-1) unstable; urgency=high
 .
   * New upstream release.
     - This release fixes multiple security issues:
       - CVE-2018-10904: Unsanitized file names in debug/io-stats translator can
         allow remote attackers to execute arbitrary code.
       - CVE-2018-10907: Stack-based buffer overflow in server-rpc-fops.c allows
         remote attackers to execute arbitrary code.
       - CVE-2018-10911: Improper deserialization in dict.c:dict_unserialize()
         can allow attackers to read arbitrary memory.
       - CVE-2018-10913: Information Exposure in posix_get_file_contents function
         in posix-helpers.c.
       - CVE-2018-10914: remote denial of service of gluster volumes via
         posix_get_file_contents function in posix-helpers.c.
       - CVE-2018-10923: I/O to arbitrary devices on storage server.
       - CVE-2018-10926: Device files can be created in arbitrary locations.
       - CVE-2018-10927: File status information leak and denial of service.
       - CVE-2018-10928: Improper resolution of symlinks allows for privilege
         escalation.
       - CVE-2018-10929: Arbitrary file creation on storage server allows for
         execution of arbitrary code.
       - CVE-2018-10930: Files can be renamed outside volume.
       Closes: #909215
   * Remove extra documentation file from libdir.

Marked as found in versions 4.1.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Sep 2018 13:51:05 GMT)


Marked as found in versions 3.8.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Sep 2018 19:09:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:49:11 2019; Machine Name: buxtehude
