
glusterfs setuid issue



I spent some time on this issue without a CVE assigned:

CVE-2015-XXXX [fuse check return value of setuid]
	- glusterfs <unfixed>
	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/18/6
	NOTE: http://review.gluster.org/#/c/10780/
	NOTE: https://github.com/gluster/glusterfs/commit/b5ceb1a9de9af563b0f91e2a3138fa5a95cad9f6

I don't believe this is a security issue at all:

- The two unchecked setuid() calls are setuid(geteuid()).  This isn't
  dropping privileges.  If the effective uid is 0 then this sets real
  and saved uids to 0 as well.  Otherwise it does nothing.
- It can't fail due to process limits, because if it changes the real
  uid then we must have an effective uid of 0 and the process limit
  is ignored.
- Since Linux 3.1 setuid() never fails because of the process limit.
  Thus wheezy and jessie should be unaffected, even if there's some
  flaw in the first two points.
- This code appears to be used in fusermount-glusterfs, but that isn't
  included in the packages for squeeze or wheezy.

Ben.

-- 
Ben Hutchings
Experience is what causes a person to make new mistakes instead of old ones.
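
The behaviour described in the message above, as an added example that is not part of the original message or of the glusterfs code: a setuid(geteuid()) call with its return value checked and the real, effective and saved UIDs read before and after. The helper names are hypothetical; it assumes Linux with glibc (for getresuid) and that an effective UID of 0 carries CAP_SETUID.

```c
#define _GNU_SOURCE             /* getresuid() on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Real, effective and saved user IDs of the calling process. */
struct uid_triple { uid_t real, effective, saved; };

static int read_uids(struct uid_triple *u)
{
    return getresuid(&u->real, &u->effective, &u->saved);
}

/*
 * Hypothetical helper: run setuid(geteuid()) with the return value
 * checked, recording the IDs before and after the call.
 * Returns 0 on success, -1 if any call failed (errno is left set).
 */
int promote_euid_checked(struct uid_triple *before, struct uid_triple *after)
{
    if (read_uids(before) != 0)
        return -1;
    if (setuid(geteuid()) != 0)         /* never ignore this result */
        return -1;
    return read_uids(after);
}

/* Returns 1 if the observed change matches what the message describes. */
int matches_described_semantics(const struct uid_triple *b,
                                const struct uid_triple *a)
{
    if (a->effective != b->effective)
        return 0;                       /* the effective uid never changes */
    if (b->effective == 0)              /* euid 0: real and saved become 0 */
        return a->real == 0 && a->saved == 0;
    return a->real == b->real && a->saved == b->saved;  /* else a no-op */
}

int main(void)
{
    struct uid_triple b, a;
    if (promote_euid_checked(&b, &a) != 0) {
        fprintf(stderr, "setuid(geteuid()) failed: %s\n", strerror(errno));
        return 1;
    }
    printf("before r=%u e=%u s=%u, after r=%u e=%u s=%u\n",
           (unsigned)b.real, (unsigned)b.effective, (unsigned)b.saved,
           (unsigned)a.real, (unsigned)a.effective, (unsigned)a.saved);
    return matches_described_semantics(&b, &a) ? 0 : 2;
}
```

Run as an ordinary user, the before and after triples are identical; run from a setuid-root binary, the real and saved UIDs become 0 while the effective UID stays 0.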
