glusterfs: CVE-2017-15096: Null pointer dereference

Debian Bug report logs - #880017
glusterfs: CVE-2017-15096: Null pointer dereference

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: glusterfs: CVE-2017-15096: Null pointer dereference

Date: Sat, 28 Oct 2017 14:40:08 +0200

Source: glusterfs
Version: 3.12.1-1
Severity: important
Tags: patch security upstream
Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=1502928

Hi,

the following vulnerability was published for glusterfs.

CVE-2017-15096[0]:
| A flaw was found in GlusterFS in versions prior to 3.10. A null
| pointer dereference in send_brick_req function in
| glusterfsd/src/gf_attach.c may be used to cause denial of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15096
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15096
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1502928
[2] http://git.gluster.org/cgit/glusterfs.git/commit/?id=1f48d17fee0cac95648ec34d13f038b27ef5c6ac

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #12 received at 880017-close@bugs.debian.org (full text, mbox, reply):

From: Patrick Matthäi <pmatthaei@debian.org>

To: 880017-close@bugs.debian.org

Subject: Bug#880017: fixed in glusterfs 3.12.2-1

Date: Mon, 06 Nov 2017 15:15:36 +0000

Source: glusterfs
Source-Version: 3.12.2-1

We believe that the bug you reported is fixed in the latest version of
glusterfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880017@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated glusterfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 06 Nov 2017 14:42:55 +0100
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common
Architecture: source amd64
Version: 3.12.2-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 glusterfs-client - clustered file-system (client package)
 glusterfs-common - GlusterFS common libraries and translator modules
 glusterfs-server - clustered file-system (server package)
Closes: 880017
Changes:
 glusterfs (3.12.2-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes CVE-2017-15096:
       A flaw was found in GlusterFS in versions prior to 3.10. A null pointer
       dereference in send_brick_req function in glusterfsd/src/gf_attach.c may
       be used to cause denial of service.
       Closes: #880017
     - Remove merged patch 03-spelling-errors.
   * Remove init scripts from .install file to avoid a FTBFS on backporting.
   * Remove obsolete build dependency on dh-systemd.
   * Bump Standards-Version to 4.1.1 (no changes required).
   * Use secure URI in debian/watch and for the homepage control field.
   * Add patch 01-spelling-error.
   * Do not set DEB_HOST_MULTIARCH.
Checksums-Sha1:
 0e4325fef3bb8ad808a89c81ee089a872a0ce528 2215 glusterfs_3.12.2-1.dsc
 561c9bf5aa8fb767dc51fc20a7849c8888a2e5cd 9404275 glusterfs_3.12.2.orig.tar.gz
 d1d0084fa38e3b79935b82b7b744c6aedd425b8d 16124 glusterfs_3.12.2-1.debian.tar.xz
 00ad99e1b583ae884176b5b1ad317cd8fd8cc52f 32700 glusterfs-client-dbgsym_3.12.2-1_amd64.deb
 62879649a6d9619c2149c0dbbaf905cbb549fc49 4335112 glusterfs-client_3.12.2-1_amd64.deb
 5d14a50a7cfa23060e9d364695900c4397a8ece6 13426720 glusterfs-common-dbgsym_3.12.2-1_amd64.deb
 4d37ddc1a268fe72e9f82222bcc4e2b6e29fe2b1 7326384 glusterfs-common_3.12.2-1_amd64.deb
 d5bce9b0e8188707fda86a58e0d304a85f04f086 618044 glusterfs-server-dbgsym_3.12.2-1_amd64.deb
 45775a4f3a6bc506f0073488394c6732bde75b9e 4499768 glusterfs-server_3.12.2-1_amd64.deb
 527792ad5af723dab53f1c0e302dd7522d49fee0 9907 glusterfs_3.12.2-1_amd64.buildinfo
Checksums-Sha256:
 3d351945b45a6a7c404b4cde567fc7b1fd2efdf106cd6392edcace51b45b30fa 2215 glusterfs_3.12.2-1.dsc
 6f9fbf8183df9e012a2c95f3ac3fad303443218beef4fd060f4af57c0bdbc069 9404275 glusterfs_3.12.2.orig.tar.gz
 5e5326a8a66d68f0d69782e6eff582a79cceee61b08f84189bad5cdad91d9181 16124 glusterfs_3.12.2-1.debian.tar.xz
 b1d207e5d877c11c2aaba0e55ce92ec010241bd19f230aeaeb537a55b2c65aa9 32700 glusterfs-client-dbgsym_3.12.2-1_amd64.deb
 9206bfd1dc6086158cd88478613b799a10230164dec672c5d191576e30462968 4335112 glusterfs-client_3.12.2-1_amd64.deb
 abbea23f7f55602c0dac7a3962a97ea7e555f17ec4d95097fb30055783d14d3a 13426720 glusterfs-common-dbgsym_3.12.2-1_amd64.deb
 d8639370b28c642af494f3f8475478522bd58272247aae609d6213155fe5e7e4 7326384 glusterfs-common_3.12.2-1_amd64.deb
 1f97a6550ed2ab898c055fa8171ff37f40aa9a89e98c93be0e6cddf870a9fc91 618044 glusterfs-server-dbgsym_3.12.2-1_amd64.deb
 9201d96db180304008665c6401d50d3c99b2b50a763904eba20d2c3f1c8c9dfb 4499768 glusterfs-server_3.12.2-1_amd64.deb
 82fcd4d4c18baf6f8fec362d3eb65f41d93c58fa40878d08faaebce4e8503c28 9907 glusterfs_3.12.2-1_amd64.buildinfo
Files:
 a4cad74aeaa124cd0de2fdf1e10acb82 2215 admin optional glusterfs_3.12.2-1.dsc
 5119d330c92f155af7f161a8fa40a942 9404275 admin optional glusterfs_3.12.2.orig.tar.gz
 231641c932d4098d4d1a84fea37f7fb0 16124 admin optional glusterfs_3.12.2-1.debian.tar.xz
 9ba1ae6dd10849730d13491a7aa48cde 32700 debug optional glusterfs-client-dbgsym_3.12.2-1_amd64.deb
 a04ecf17e8405b3bc70ff2f0e40db61a 4335112 admin optional glusterfs-client_3.12.2-1_amd64.deb
 585b89c1b8954130ceee806a6449e246 13426720 debug optional glusterfs-common-dbgsym_3.12.2-1_amd64.deb
 390fdab3a515b01b6105f4465404ee26 7326384 admin optional glusterfs-common_3.12.2-1_amd64.deb
 3e47339cf34418f3455500058a03aac1 618044 debug optional glusterfs-server-dbgsym_3.12.2-1_amd64.deb
 b6b182c42bb0c65d13f47da9ef943487 4499768 admin optional glusterfs-server_3.12.2-1_amd64.deb
 bf5d689d1906eb72e526ce2752903fc9 9907 admin optional glusterfs_3.12.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEWKA9xYJCWk3IuQ4TEtmwSpDL2OQFAloAbkkACgkQEtmwSpDL
2OSCWg//QzqEJrH5NfkpcaUP33dedwmegEIAbGYJkNTIQdXkyZLiGYNu2d4LwLxU
BSCCaGAsd2zbxXEA7pzGH9WEbmEPeqSFDYmzayO5yzzRNg5xmfBypkcovwP66ekI
t/DLOa7N2varbmKU39KJcW1B54P/syiVm+MtT+ncd7RrTdp9FZMQDdb9yboMdOOu
y9z+shAqBCLD1rnSNLY4t7u0C2wys+aNcMyhOfVmPIOF/nkErI49HAOXXB91E52+
jqLjAiaXs3ot1ePem4INH+i84txUnHnvvOPx3lQlbAXfRNEHFaStrORMRCYE3GjH
QmUciEotcYn7IVWwYGOY3QSrOf7vC8RodxB4aVH+VLG0pd9sGkMvPUhrlpAy7B6Z
hPpUzNUQchTtKJ3qYAoB2pYY4onqRpLdeHCVi0rCB2YjTt57ocjjJUuRGI47zc5/
cFJPYlJky7VY7S02I2wypoBEzFL3SR38jGwKPieiFswVw4iUu6mpDFLowF8b1PhL
tmaVntRdcihTMgtVViRXkZaRr2IgvPx7CRlQJH6o40pkcNV/DlW7uaTsDjyOqISs
mTsNKmBlXj1PqV4IlhdIC03m0VoqJxee1Sw1Y4I+28MWxzqOaOFT0Ev62IOiw/Qg
WsM3+F9hdzokrJeR0b6HCD3Qir4oXPZt/2RdzCo7ZtQXYcWBYHc=
=pQCz
-----END PGP SIGNATURE-----

Message #17 received at 880017@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 880017@bugs.debian.org

Subject: Re: Bug#880017: glusterfs: CVE-2017-15096: Null pointer dereference

Date: Mon, 6 Nov 2017 17:41:35 +0100

Control: reopen -1
Control: found -1 3.12.1-1
Control: found -1 3.12.2-1

Hi Patrick,

On Sat, Oct 28, 2017 at 02:40:08PM +0200, Salvatore Bonaccorso wrote:
> Source: glusterfs
> Version: 3.12.1-1
> Severity: important
> Tags: patch security upstream
> Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=1502928
> 
> Hi,
> 
> the following vulnerability was published for glusterfs.
> 
> CVE-2017-15096[0]:
> | A flaw was found in GlusterFS in versions prior to 3.10. A null
> | pointer dereference in send_brick_req function in
> | glusterfsd/src/gf_attach.c may be used to cause denial of service.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-15096
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15096
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1502928
> [2] http://git.gluster.org/cgit/glusterfs.git/commit/?id=1f48d17fee0cac95648ec34d13f038b27ef5c6ac

The patch is missing to be applied though in the 3.12.2-1 version
marking the bug as fixing. Thus reopening. The issue has only
been fixed after the v3.12.2 release in release-3.12.

Regards,
Salvatore

Message #28 received at 880017@bugs.debian.org (full text, mbox, reply):

From: Patrick Matthäi <pmatthaei@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 880017@bugs.debian.org

Subject: Re: Bug#880017: glusterfs: CVE-2017-15096: Null pointer dereference

Date: Tue, 7 Nov 2017 10:50:04 +0100

Am 06.11.2017 um 17:41 schrieb Salvatore Bonaccorso:
> Control: reopen -1
> Control: found -1 3.12.1-1
> Control: found -1 3.12.2-1
>
> Hi Patrick,
>
> On Sat, Oct 28, 2017 at 02:40:08PM +0200, Salvatore Bonaccorso wrote:
>> Source: glusterfs
>> Version: 3.12.1-1
>> Severity: important
>> Tags: patch security upstream
>> Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=1502928
>>
>> Hi,
>>
>> the following vulnerability was published for glusterfs.
>>
>> CVE-2017-15096[0]:
>> | A flaw was found in GlusterFS in versions prior to 3.10. A null
>> | pointer dereference in send_brick_req function in
>> | glusterfsd/src/gf_attach.c may be used to cause denial of service.
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2017-15096
>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15096
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1502928
>> [2] http://git.gluster.org/cgit/glusterfs.git/commit/?id=1f48d17fee0cac95648ec34d13f038b27ef5c6ac
> The patch is missing to be applied though in the 3.12.2-1 version
> marking the bug as fixing. Thus reopening. The issue has only
> been fixed after the v3.12.2 release in release-3.12.
Thanks for pointing me on this fault :/
I have uploaded a fixed package with the patch included now
>
> Regards,
> Salvatore

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org
*/

Message #33 received at 880017-close@bugs.debian.org (full text, mbox, reply):

From: Patrick Matthäi <pmatthaei@debian.org>

To: 880017-close@bugs.debian.org

Subject: Bug#880017: fixed in glusterfs 3.12.2-2

Date: Tue, 07 Nov 2017 10:05:13 +0000

Source: glusterfs
Source-Version: 3.12.2-2

We believe that the bug you reported is fixed in the latest version of
glusterfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880017@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated glusterfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Nov 2017 09:27:58 +0100
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common
Architecture: source amd64
Version: 3.12.2-2
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 glusterfs-client - clustered file-system (client package)
 glusterfs-common - GlusterFS common libraries and translator modules
 glusterfs-server - clustered file-system (server package)
Closes: 880017
Changes:
 glusterfs (3.12.2-2) unstable; urgency=high
 .
   * Add patch 03-CVE-2017-15096 to realy fix CVE-2017-15096 now.
     Closes: #880017
Checksums-Sha1:
 cd414b86672a6c47605350b0c8ce8066dba2a283 2215 glusterfs_3.12.2-2.dsc
 9d9c7fcd19e380729e857f3b9a2ed67c28d7e89c 16760 glusterfs_3.12.2-2.debian.tar.xz
 358fc4f7c8616361535c214242954c4fda112e83 32704 glusterfs-client-dbgsym_3.12.2-2_amd64.deb
 b51ada4b0645b2aa5971c70c0d6183e1a2e492f7 4335168 glusterfs-client_3.12.2-2_amd64.deb
 0468b21cd5d77f885249af5b8fc899050ca39bc1 13426504 glusterfs-common-dbgsym_3.12.2-2_amd64.deb
 2472b4529287a97a33d3e992c3a5bb53ef661f9c 7327364 glusterfs-common_3.12.2-2_amd64.deb
 72220a28326d90f8c80853fcceb73c7fc2bf3893 618160 glusterfs-server-dbgsym_3.12.2-2_amd64.deb
 19fc26e8c3efd6ac5a9fa461c8798536592d0f1b 4499648 glusterfs-server_3.12.2-2_amd64.deb
 63bc8e565cadf10783e837acb5b44fe98c343bbb 9907 glusterfs_3.12.2-2_amd64.buildinfo
Checksums-Sha256:
 27063f41dea0e84ffe4c339c885011854b4c90247c11d30ff82b155ada8b3912 2215 glusterfs_3.12.2-2.dsc
 df1c8ecc356deeb40069875124ad9d8c9e898d76a78e26513d39cb968476450a 16760 glusterfs_3.12.2-2.debian.tar.xz
 d35824fec7d49352cf3bac32892cd46765be1091cc339cd6cdaab80b1b1d9ee7 32704 glusterfs-client-dbgsym_3.12.2-2_amd64.deb
 c84bd4fc5105c855563fe4f931fb981a02e23f634233d3f6c5e00c3fbd26a258 4335168 glusterfs-client_3.12.2-2_amd64.deb
 a8d62a3e5f9008ed6ad94a1b7c2fc47edc96b1869e41b009d9e279ac405fcb1c 13426504 glusterfs-common-dbgsym_3.12.2-2_amd64.deb
 7efa052c083f5f5000269f1e8270c2d4dd2c2f8e44747da514d626e930609f20 7327364 glusterfs-common_3.12.2-2_amd64.deb
 7f3d15cc29dca86f6b8a81892974ca91bbb072ebc8e8be9bcc0b5610c371d102 618160 glusterfs-server-dbgsym_3.12.2-2_amd64.deb
 fd0b6badf0a47720a1f71ad2ad3457e3f5ab2ab672cffd6748db26b4d2091f9c 4499648 glusterfs-server_3.12.2-2_amd64.deb
 1b463ea4abe9c9513a34ee1f6df9fd968c5809739d0a880b53014f112e4b1b3c 9907 glusterfs_3.12.2-2_amd64.buildinfo
Files:
 868cf6295f5c295287c73a262cce52b2 2215 admin optional glusterfs_3.12.2-2.dsc
 50b1233d1d2c013acf6423ee89263775 16760 admin optional glusterfs_3.12.2-2.debian.tar.xz
 baa343945e6213159be21f221187930e 32704 debug optional glusterfs-client-dbgsym_3.12.2-2_amd64.deb
 4aa741631e08f55972a8eb86a6312dc0 4335168 admin optional glusterfs-client_3.12.2-2_amd64.deb
 d25158cb845ed93f76c8ed97420ccc03 13426504 debug optional glusterfs-common-dbgsym_3.12.2-2_amd64.deb
 5fcaf0a4cfbd8b7ebeed6fbbb26d6c98 7327364 admin optional glusterfs-common_3.12.2-2_amd64.deb
 2b4d4e4a239bf66f40f4fb5f6c864096 618160 debug optional glusterfs-server-dbgsym_3.12.2-2_amd64.deb
 6cb4a9c22194882066553150518f821a 4499648 admin optional glusterfs-server_3.12.2-2_amd64.deb
 ab191bbda125cdd4e69c74f772a7c6ba 9907 admin optional glusterfs_3.12.2-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEWKA9xYJCWk3IuQ4TEtmwSpDL2OQFAloBf+gACgkQEtmwSpDL
2OSIyg//Qor+mU9xfZcKz0zhVG0b81kLvUDqTMFfUax7OfwxEaAgwmZ7AEZONcOO
CTIzHEPbnUFsj5p1nYaCNbcNT7BdEmVgmE6BUK/ViKEEaU1ER6KPRt0HqDfbdESM
ej0yVpAfl5gNqO+WIZVWCQRaPHiO3r4uiT5TaIR7GVcFk0I5dEXJYvj0W0zudn0B
3vdWCP9xtCLKMGZ9YzDUM9jkI3MWs+xa5KUHKwe/Hfh66S8/OV1bAcz2XLwRen2y
vAIFMt9xWAmqDw4MszC86J+gSSXK3o+lGmVG5YhdYpC7FhAF0STWMTkoccvoXAqA
gfLBg2cA/QjALPSAuluaSmB+kCxMKLiETTrH14iLQJPDtydJ6QLYHI9xL+PDPOyq
Yyq69ptt4xW+wFwMW31nsrgPmb0CgXavD+Z/4dEyaM+cw9FmH+CRTZgNVXtqbtoH
LhIBUcOJV46Znq0J9Opg476JsoIkWMi0GAXWOwPSZJEM3wYy0ms6E06kL1XqCwAg
i3tmGiXlwshJKHCT5/cmCbEB7u00bOcha1viUBsWpTRHg5yWPRBYOK3IMgExKZP0
CByHh+YK2yeeNdoKPJ0PVsyyeoWaGt6szhyCzZhcbxyWs2yiPOd9a/SmGmW3BE3l
LpqbwzXenftH9q3ogkCQN3W105MznULnip0rJg/aHuJ7zqCSG80=
=5NWS
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.