glusterfs: CVE-2018-1088 privilege escalation flaw


Debian Bug report logs - #896128


Reported by: Markus Koschany <apo@debian.org>

Date: Thu, 19 Apr 2018 21:09:01 UTC

Severity: grave

Tags: security, upstream

Found in version 4.0.1-1

Fixed in version glusterfs/4.0.2-1

Done: Patrick Matthäi <pmatthaei@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#896128; Package glusterfs. (Thu, 19 Apr 2018 21:09:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Thu, 19 Apr 2018 21:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: glusterfs: CVE-2018-1088 privilege escalation flaw
Date: Thu, 19 Apr 2018 23:07:13 +0200
Package: glusterfs
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for glusterfs.

CVE-2018-1088[0]:
| A privilege escalation flaw was found in gluster 3.x snapshot
| scheduler. Any gluster client allowed to mount gluster volumes could
| also mount shared gluster storage volume and escalate privileges by
| scheduling malicious cronjob via symlink.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1088
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

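A defender-side check for the pattern named in the CVE text above: a root cron entry that is really a symlink into the shared storage volume, which any client able to mount that volume could rewrite. This is an added example, not code from the bug report or from GlusterFS; the shared-storage mount point and the cron file name are assumptions.

```python
import os
import stat
import tempfile

# Assumption: the conventional mount point of the gluster_shared_storage volume.
SHARED_STORAGE = "/var/run/gluster/shared_storage"


def audit_cron_dir(cron_dir, shared_root=SHARED_STORAGE):
    """Return (entry, reason) findings for a cron directory such as /etc/cron.d.
    Flags symlink entries, entries whose real path lies inside the shared
    storage mount, and entries writable by group or others."""
    findings = []
    shared_real = os.path.realpath(shared_root)
    for name in sorted(os.listdir(cron_dir)):
        path = os.path.join(cron_dir, name)
        if os.path.islink(path):
            findings.append((name, "symlink -> %s" % os.readlink(path)))
        real = os.path.realpath(path)
        if real == shared_real or real.startswith(shared_real + os.sep):
            findings.append((name, "resolves into shared storage: %s" % real))
        try:
            mode = os.stat(path).st_mode
        except OSError:
            findings.append((name, "dangling link or unreadable"))
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "group/world writable"))
    return findings


def demo():
    """Constructed layout in a temp dir: one plain cron file and one symlink
    into a fake shared-storage mount (cron file name is an assumption)."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "shared_storage", "snaps")
    cron_d = os.path.join(base, "cron.d")
    for d in (shared, cron_d):
        os.makedirs(d)
    plain = os.path.join(cron_d, "sysstat")
    target = os.path.join(shared, "glusterfs_snap_cron_tasks")
    for path, line in ((plain, "*/10 * * * * root /usr/lib/sysstat/sa1 1 1\n"),
                       (target, "* * * * * root /any/command/on/shared/storage\n")):
        with open(path, "w") as f:
            f.write(line)
        os.chmod(path, 0o644)  # fixed mode so only the symlink is flagged
    os.symlink(target, os.path.join(cron_d, "glusterfs_snap_cron_tasks"))
    return audit_cron_dir(cron_d, os.path.dirname(shared))
```

Run `audit_cron_dir("/etc/cron.d")` on a real server node; any finding that points into the shared storage mount deserves the same scrutiny as a world-writable root cron job.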

Marked as found in versions 4.0.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Apr 2018 21:33:04 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Apr 2018 21:33:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#896128; Package glusterfs. (Wed, 25 Apr 2018 06:21:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Matthäi <pmatthaei@debian.org>. (Wed, 25 Apr 2018 06:21:09 GMT)


Message #14 received at 896128@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 896128@bugs.debian.org
Subject: Re: Bug#896128: glusterfs: CVE-2018-1088 privilege escalation flaw
Date: Wed, 25 Apr 2018 08:18:44 +0200
Hi,

On Thu, Apr 19, 2018 at 11:07:13PM +0200, Markus Koschany wrote:
> Package: glusterfs
> X-Debbugs-CC: team@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for glusterfs.
> 
> CVE-2018-1088[0]:
> | A privilege escalation flaw was found in gluster 3.x snapshot
> | scheduler. Any gluster client allowed to mount gluster volumes could
> | also mount shared gluster storage volume and escalate privileges by
> | scheduling malicious cronjob via symlink.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1088
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088
> 
> Please adjust the affected versions in the BTS as needed.

When fixing the issue, please see
https://bugzilla.redhat.com/show_bug.cgi?id=1570891 . The original
patches made it possible that, where auth.allow is used, all clients
could mount volumes. So this comment is just to make sure the complete
fix will be applied; updated notes on security-tracker.

Regards,
Salvatore



Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Wed, 25 Apr 2018 15:54:05 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Wed, 25 Apr 2018 15:54:05 GMT)


Message #19 received at 896128-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 896128-close@bugs.debian.org
Subject: Bug#896128: fixed in glusterfs 4.0.2-1
Date: Wed, 25 Apr 2018 15:51:56 +0000
Source: glusterfs
Source-Version: 4.0.2-1

We believe that the bug you reported is fixed in the latest version of
glusterfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896128@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated glusterfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 25 Apr 2018 15:27:23 +0200
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common
Architecture: source amd64
Version: 4.0.2-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 glusterfs-client - clustered file-system (client package)
 glusterfs-common - GlusterFS common libraries and translator modules
 glusterfs-server - clustered file-system (server package)
Closes: 895666 896128
Changes:
 glusterfs (4.0.2-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes privilege escalation flaw in snapshot scheduler, described in
       CVE-2018-1088.
       Closes: #896128
   * Bump Standards-Version to 4.1.4.
   * Fix systemd unit file installation.
     Closes: #895666





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 May 2018 07:25:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:21:22 2019; Machine Name: buxtehude
