Bug#698502: unblock: glusterfs/3.2.7-4
Am 19.01.2013 18:14, schrieb Julien Cristau:
Control: tag -1 moreinfo
On Sat, Jan 19, 2013 at 14:27:47 +0100, Patrick Matthäi wrote:
+diff -Naur glusterfs-3.2.7.orig/libglusterfs/src/statedump.c glusterfs-3.2.7/libglusterfs/src/statedump.c
+--- glusterfs-3.2.7.orig/libglusterfs/src/statedump.c 2012-06-10 19:44:15.000000000 +0200
++++ glusterfs-3.2.7/libglusterfs/src/statedump.c 2013-01-19 13:49:26.415982036 +0100
+@@ -408,12 +404,13 @@
+ void
+ gf_proc_dump_info (int signum)
+ {
+- int ret = -1;
+- glusterfs_ctx_t *ctx = NULL;
+-
++ int ret = -1;
++ glusterfs_ctx_t *ctx = NULL;
++ char brick_name[PATH_MAX] = {0,};
++ char tmp_dump_name[] = "/tmp/dumpXXXXXX";
++ char path[PATH_MAX] = {0,};
+
+ gf_proc_dump_lock ();
+- ret = gf_proc_dump_open ();
+ if (ret < 0)
+ goto out;
+
How can that possibly work?
Cheers,
Julien
I have uploaded a fixed version. The diff from 3.2.7-3 to 3.2.7-5 now looks
like:
diff -Naur '--exclude=.svn' 3.2.7-3/debian/changelog
3.2.7-5/debian/changelog
--- 3.2.7-3/debian/changelog 2012-11-12 20:37:46.218864002 +0100
+++ 3.2.7-5/debian/changelog 2013-01-25 09:11:02.145164496 +0100
@@ -1,3 +1,20 @@
+glusterfs (3.2.7-5) unstable; urgency=medium
+
+ * Updated broken patch 04-CVE-2012-4417. Added missing calls to
+ gf_proc_dump_* functions.
+ Closes: #693112
+
+ -- Patrick Matthäi <pmatthaei@debian.org> Fri, 25 Jan 2013 09:00:53 +0100
+
+glusterfs (3.2.7-4) unstable; urgency=medium
+
+ * Add backported upstream patch 04-CVE-2012-4417 to fix CVE-2012-4417:
+ glusterfs allows local users to overwrite arbitrary files via a symlink
+ attack on temporary files with predictable names.
+ Closes: #693112
+
+ -- Patrick Matthäi <pmatthaei@debian.org> Sat, 19 Jan 2013 13:53:18 +0100
+
glusterfs (3.2.7-3) unstable; urgency=low
* Remove duplicated and faulty call of the glusterd daemon from the init
diff -Naur '--exclude=.svn' 3.2.7-3/debian/patches/04-CVE-2012-4417.diff
3.2.7-5/debian/patches/04-CVE-2012-4417.diff
--- 3.2.7-3/debian/patches/04-CVE-2012-4417.diff 1970-01-01
01:00:00.000000000 +0100
+++ 3.2.7-5/debian/patches/04-CVE-2012-4417.diff 2013-01-25
09:11:02.145164496 +0100
@@ -0,0 +1,122 @@
+# Backported upstream patch to fix CVE-2012-4417:
+# GlusterFS 3.3.0, as used in Red Hat Storage server 2.0, allows local
users to
+# overwrite arbitrary files via a symlink attack on temporary files with
+# predictable names.
+# Closes: #693112
+
+diff -Naur glusterfs-3.2.7.orig/libglusterfs/src/common-utils.h
glusterfs-3.2.7/libglusterfs/src/common-utils.h
+--- glusterfs-3.2.7.orig/libglusterfs/src/common-utils.h
2012-06-10 19:44:15.000000000 +0200
++++ glusterfs-3.2.7/libglusterfs/src/common-utils.h 2013-01-25
08:57:35.601175617 +0100
+@@ -134,6 +134,16 @@
+ } \
+ } while (0);
+
++#define GF_REMOVE_SLASH_FROM_PATH(path, string) \
++ do { \
++ int i = 0; \
++ for (i = 1; i < strlen (path); i++) { \
++ string[i-1] = path[i]; \
++ if (string[i-1] == '/') \
++ string[i-1] = '-'; \
++ } \
++ } while (0)
++
+ #define GF_FILE_CONTENT_REQUESTED(_xattr_req,_content_limit) \
+ (dict_get_uint64 (_xattr_req, "glusterfs.content",
_content_limit) == 0)
+
+diff -Naur glusterfs-3.2.7.orig/libglusterfs/src/statedump.c
glusterfs-3.2.7/libglusterfs/src/statedump.c
+--- glusterfs-3.2.7.orig/libglusterfs/src/statedump.c 2012-06-10
19:44:15.000000000 +0200
++++ glusterfs-3.2.7/libglusterfs/src/statedump.c 2013-01-25
08:57:35.601175617 +0100
+@@ -62,15 +62,11 @@
+
+
+ static int
+-gf_proc_dump_open (void)
++gf_proc_dump_open (char *tmpname)
+ {
+- char path[256];
+ int dump_fd = -1;
+
+- memset (path, 0, sizeof (path));
+- snprintf (path, sizeof (path), "%s.%d", GF_DUMP_LOGFILE_ROOT,
getpid ());
+-
+- dump_fd = open (path, O_CREAT|O_RDWR|O_TRUNC|O_APPEND, 0600);
++ dump_fd = mkstemp (tmpname);
+ if (dump_fd < 0)
+ return -1;
+
+@@ -408,37 +404,45 @@
+ void
+ gf_proc_dump_info (int signum)
+ {
+- int ret = -1;
+- glusterfs_ctx_t *ctx = NULL;
+-
++ int ret = -1;
++ glusterfs_ctx_t *ctx = NULL;
++ char brick_name[PATH_MAX] = {0,};
++ char tmp_dump_name[] = "/tmp/dumpXXXXXX";
++ char path[PATH_MAX] = {0,};
+
+ gf_proc_dump_lock ();
+- ret = gf_proc_dump_open ();
+- if (ret < 0)
+- goto out;
+
+ ret = gf_proc_dump_options_init ();
+
+ if (ret < 0)
+ goto out;
+
+- if (GF_PROC_DUMP_IS_OPTION_ENABLED (mem))
+- gf_proc_dump_mem_info ();
+-
+ ctx = glusterfs_ctx_get ();
+
+- if (ctx) {
+- if (GF_PROC_DUMP_IS_OPTION_ENABLED (iobuf))
+- iobuf_stats_dump (ctx->iobuf_pool);
+- if (GF_PROC_DUMP_IS_OPTION_ENABLED (callpool))
+- gf_proc_dump_pending_frames (ctx->pool);
+- if (ctx->active)
+- gf_proc_dump_xlator_info (ctx->active->top);
++ if (!ctx)
++ goto out;
+
+- }
++ if (ctx->cmd_args.brick_name) {
++ GF_REMOVE_SLASH_FROM_PATH (ctx->cmd_args.brick_name,
brick_name);
++ } else
++ strncpy (brick_name, "glusterdump", sizeof (brick_name));
++
++ snprintf (path, sizeof path, "%s/%s.%d.dump.%"PRIu64, "/tmp",
++ brick_name, getpid(), (uint64_t) time (NULL));
++
++ ret = gf_proc_dump_open (tmp_dump_name);
++ if (GF_PROC_DUMP_IS_OPTION_ENABLED (mem))
++ gf_proc_dump_mem_info ();
++ if (GF_PROC_DUMP_IS_OPTION_ENABLED (iobuf))
++ iobuf_stats_dump (ctx->iobuf_pool);
++ if (GF_PROC_DUMP_IS_OPTION_ENABLED (callpool))
++ gf_proc_dump_pending_frames (ctx->pool);
++ if (ctx->active)
++ gf_proc_dump_xlator_info (ctx->active->top);
+
+ gf_proc_dump_close ();
+ out:
++ rename (tmp_dump_name, path);
+ gf_proc_dump_unlock ();
+
+ return;
+diff -Naur
glusterfs-3.2.7.orig/xlators/mgmt/glusterd/src/glusterd-utils.c
glusterfs-3.2.7/xlators/mgmt/glusterd/src/glusterd-utils.c
+--- glusterfs-3.2.7.orig/xlators/mgmt/glusterd/src/glusterd-utils.c
2012-06-10 19:44:17.000000000 +0200
++++ glusterfs-3.2.7/xlators/mgmt/glusterd/src/glusterd-utils.c
2013-01-25 08:57:35.601175617 +0100
+@@ -63,7 +63,7 @@
+ #define MOUNTV3_VERSION 3
+ #define MOUNTV1_VERSION 1
+
+-char *glusterd_sock_dir = "/tmp";
++char *glusterd_sock_dir = "/var/run";
+ static glusterd_lock_t lock;
+
+ static int32_t
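Review bot: In gf_proc_dump_info the result of `ret = gf_proc_dump_open (tmp_dump_name);` is never tested, and `rename (tmp_dump_name, path);` sits under the `out:` label, so it also runs on both early `goto out` paths, where mkstemp was never called and `path` is still empty. If mkstemp fails, the dump helpers are still called and the rename is attempted on the unmodified template name; what the helpers do without an open dump file is not visible on this page. I would add `if (ret < 0) goto out;` directly after the open and move the rename to just after `gf_proc_dump_close ();`, above the label, with its return value checked and logged. Separately, `GF_REMOVE_SLASH_FROM_PATH` takes no destination size and writes no terminator: it is only safe here because `brick_name` is zero-initialised, and a `ctx->cmd_args.brick_name` longer than PATH_MAX would leave the array unterminated or write past it, so the macro should take the buffer size as a third argument and bound the loop with it.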
diff -Naur '--exclude=.svn' 3.2.7-3/debian/patches/series
3.2.7-5/debian/patches/series
--- 3.2.7-3/debian/patches/series 2012-11-12 20:37:46.218864002 +0100
+++ 3.2.7-5/debian/patches/series 2013-01-25 09:11:02.145164496 +0100
@@ -1,3 +1,4 @@
01-manpage-errors.diff
02-spelling-error.diff
03-glusterd-crash-gcc-optimizations.diff
+04-CVE-2012-4417.diff
--
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
Blog: http://www.linux-dev.org/
E-Mail: pmatthaei@debian.org
patrick@linux-dev.org
*/