I spent some time on this issue without a CVE assigned:

CVE-2015-XXXX [fuse check return value of setuid]
    - glusterfs <unfixed>
    NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/18/6
    NOTE: http://review.gluster.org/#/c/10780/
    NOTE: https://github.com/gluster/glusterfs/commit/b5ceb1a9de9af563b0f91e2a3138fa5a95cad9f6

I don't believe this is a security issue at all:

- The two unchecked setuid() calls are setuid(geteuid()). This isn't dropping privileges. If the effective uid is 0 then this sets real and saved uids to 0 as well. Otherwise it does nothing.
- It can't fail due to process limits, because if it changes the real uid then we must have an effective uid of 0 and the process limit is ignored.
- Since Linux 3.1 setuid() never fails because of the process limit. Thus wheezy and jessie should be unaffected, even if there's some flaw in the first two points.
- This code appears to be used in fusermount-glusterfs, but that isn't included in the packages for squeeze or wheezy.

Ben.

-- 
Ben Hutchings
Experience is what causes a person to make new mistakes instead of old ones.
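The setuid(geteuid()) pattern discussed in the message above, as an added example that is not part of the original post or the glusterfs code: it checks the return value and then confirms the resulting uid state. The names uid_state, read_uids and checked_setuid_to_euid are hypothetical, and Linux with glibc is assumed.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc exposes getresuid() only under _GNU_SOURCE; it is declared here
 * so the example builds regardless of include order. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

struct uid_state { uid_t r, e, s; };   /* real, effective, saved */

static int read_uids(struct uid_state *st)
{
    return getresuid(&st->r, &st->e, &st->s);
}

/* Call setuid(geteuid()) with the return value checked, then verify the
 * outcome. Returns 0 if the call succeeded and the uid state is one the
 * analysis allows, -1 otherwise. */
int checked_setuid_to_euid(struct uid_state *before, struct uid_state *after)
{
    if (read_uids(before) != 0)
        return -1;
    if (setuid(before->e) != 0) {       /* the check the report asks for */
        perror("setuid");
        return -1;
    }
    if (read_uids(after) != 0)
        return -1;
    /* The effective uid is never changed by setuid(geteuid()). */
    if (after->e != before->e)
        return -1;
    /* Real and saved uids either stay as they were (unprivileged caller)
     * or become equal to the effective uid (caller with euid 0). */
    if (after->r != before->r && after->r != before->e)
        return -1;
    if (after->s != before->s && after->s != before->e)
        return -1;
    return 0;
}

int main(void)
{
    struct uid_state b, a;
    int rc = checked_setuid_to_euid(&b, &a);
    printf("before: r=%u e=%u s=%u\n", (unsigned)b.r, (unsigned)b.e, (unsigned)b.s);
    printf("after:  r=%u e=%u s=%u (rc=%d)\n", (unsigned)a.r, (unsigned)a.e, (unsigned)a.s, rc);
    return rc == 0 ? 0 : 1;
}
```

Run from a setuid-root binary, the output shows real and saved uids moving to 0; run as an ordinary user, all three values stay unchanged.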