
Bug#698502: unblock: glusterfs/3.2.7-4



Am 19.01.2013 18:14, schrieb Julien Cristau:
Control: tag -1 moreinfo

On Sat, Jan 19, 2013 at 14:27:47 +0100, Patrick Matthäi wrote:

+diff -Naur glusterfs-3.2.7.orig/libglusterfs/src/statedump.c glusterfs-3.2.7/libglusterfs/src/statedump.c
+--- glusterfs-3.2.7.orig/libglusterfs/src/statedump.c  2012-06-10 19:44:15.000000000 +0200
++++ glusterfs-3.2.7/libglusterfs/src/statedump.c       2013-01-19 13:49:26.415982036 +0100
+@@ -408,12 +404,13 @@
+ void
+ gf_proc_dump_info (int signum)
+ {
+-        int               ret = -1;
+-        glusterfs_ctx_t   *ctx = NULL;
+-
++        int                   ret = -1;
++        glusterfs_ctx_t      *ctx = NULL;
++        char brick_name[PATH_MAX] = {0,};
++        char      tmp_dump_name[] = "/tmp/dumpXXXXXX";
++        char       path[PATH_MAX] = {0,};
+
+         gf_proc_dump_lock ();
+-        ret = gf_proc_dump_open ();
+         if (ret < 0)
+                 goto out;
+

How can that possibly work?

Cheers,
Julien


I have uploaded a fixed version. The diff from 3.2.7-3 to 3.2.7-5 now looks like:


diff -Naur '--exclude=.svn' 3.2.7-3/debian/changelog 3.2.7-5/debian/changelog
--- 3.2.7-3/debian/changelog    2012-11-12 20:37:46.218864002 +0100
+++ 3.2.7-5/debian/changelog    2013-01-25 09:11:02.145164496 +0100
@@ -1,3 +1,20 @@
+glusterfs (3.2.7-5) unstable; urgency=medium
+
+  * Updated broken patch 04-CVE-2012-4417. Added missing calls to
+    gf_proc_dump_* functions.
+    Closes: #693112
+
+ -- Patrick Matthäi <pmatthaei@debian.org>  Fri, 25 Jan 2013 09:00:53 +0100
+
+glusterfs (3.2.7-4) unstable; urgency=medium
+
+  * Add backported upstream patch 04-CVE-2012-4417 to fix CVE-2012-4417:
+    glusterfs allows local users to overwrite arbitrary files via a symlink
+    attack on temporary files with predictable names.
+    Closes: #693112
+
+ -- Patrick Matthäi <pmatthaei@debian.org>  Sat, 19 Jan 2013 13:53:18 +0100
+
 glusterfs (3.2.7-3) unstable; urgency=low

   * Remove duplicated and faulty call of the glusterd daemon from the init
diff -Naur '--exclude=.svn' 3.2.7-3/debian/patches/04-CVE-2012-4417.diff 3.2.7-5/debian/patches/04-CVE-2012-4417.diff
--- 3.2.7-3/debian/patches/04-CVE-2012-4417.diff 1970-01-01 01:00:00.000000000 +0100
+++ 3.2.7-5/debian/patches/04-CVE-2012-4417.diff 2013-01-25 09:11:02.145164496 +0100
@@ -0,0 +1,122 @@
+# Backported upstream patch to fix CVE-2012-4417:
+# GlusterFS 3.3.0, as used in Red Hat Storage server 2.0, allows local users to
+# overwrite arbitrary files via a symlink attack on temporary files with
+# predictable names.
+# Closes: #693112
+
+diff -Naur glusterfs-3.2.7.orig/libglusterfs/src/common-utils.h glusterfs-3.2.7/libglusterfs/src/common-utils.h
+--- glusterfs-3.2.7.orig/libglusterfs/src/common-utils.h 2012-06-10 19:44:15.000000000 +0200
++++ glusterfs-3.2.7/libglusterfs/src/common-utils.h 2013-01-25 08:57:35.601175617 +0100
+@@ -134,6 +134,16 @@
+                 }                                                       \
+       } while (0);
+
++#define GF_REMOVE_SLASH_FROM_PATH(path, string)                         \
++        do {                                                            \
++                int i = 0;                                              \
++                for (i = 1; i < strlen (path); i++) {                   \
++                        string[i-1] = path[i];                          \
++                        if (string[i-1] == '/')                         \
++                                string[i-1] = '-';                      \
++                }                                                       \
++        } while (0)
++
+ #define GF_FILE_CONTENT_REQUESTED(_xattr_req,_content_limit) \
+ (dict_get_uint64 (_xattr_req, "glusterfs.content", _content_limit) == 0)
+
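Review bot: `GF_REMOVE_SLASH_FROM_PATH` writes `strlen (path) - 1` bytes into `string` without knowing how large `string` is, and it never writes a terminator. The one caller visible in this patch passes a zero-initialised `brick_name[PATH_MAX]` together with `ctx->cmd_args.brick_name`, whose length is not bounded anywhere in the visible lines, so an over-long brick name would run past the array. Bounding the loop, e.g. `for (i = 1; path[i] != '\0' && (size_t) i < sizeof (string); i++)`, keeps the last byte as the terminator, but only while `string` is a real array rather than a pointer; an explicit size argument would be more robust. The macro should also carry a comment saying that the destination must be zero-filled by the caller, because that is the only thing terminating the result.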
+diff -Naur glusterfs-3.2.7.orig/libglusterfs/src/statedump.c glusterfs-3.2.7/libglusterfs/src/statedump.c
+--- glusterfs-3.2.7.orig/libglusterfs/src/statedump.c 2012-06-10 19:44:15.000000000 +0200
++++ glusterfs-3.2.7/libglusterfs/src/statedump.c 2013-01-25 08:57:35.601175617 +0100
+@@ -62,15 +62,11 @@
+
+
+ static int
+-gf_proc_dump_open (void)
++gf_proc_dump_open (char *tmpname)
+ {
+-        char path[256];
+         int  dump_fd = -1;
+
+-        memset (path, 0, sizeof (path));
+- snprintf (path, sizeof (path), "%s.%d", GF_DUMP_LOGFILE_ROOT, getpid ());
+-
+-        dump_fd = open (path, O_CREAT|O_RDWR|O_TRUNC|O_APPEND, 0600);
++        dump_fd = mkstemp (tmpname);
+         if (dump_fd < 0)
+                 return -1;
+
+@@ -408,37 +404,45 @@
+ void
+ gf_proc_dump_info (int signum)
+ {
+-        int               ret = -1;
+-        glusterfs_ctx_t   *ctx = NULL;
+-
++        int                   ret = -1;
++        glusterfs_ctx_t      *ctx = NULL;
++        char brick_name[PATH_MAX] = {0,};
++        char      tmp_dump_name[] = "/tmp/dumpXXXXXX";
++        char       path[PATH_MAX] = {0,};
+
+         gf_proc_dump_lock ();
+-        ret = gf_proc_dump_open ();
+-        if (ret < 0)
+-                goto out;
+
+         ret = gf_proc_dump_options_init ();
+
+         if (ret < 0)
+                 goto out;
+
+-        if (GF_PROC_DUMP_IS_OPTION_ENABLED (mem))
+-                gf_proc_dump_mem_info ();
+-
+         ctx = glusterfs_ctx_get ();
+
+-        if (ctx) {
+-                if (GF_PROC_DUMP_IS_OPTION_ENABLED (iobuf))
+-                        iobuf_stats_dump (ctx->iobuf_pool);
+-                if (GF_PROC_DUMP_IS_OPTION_ENABLED (callpool))
+-                        gf_proc_dump_pending_frames (ctx->pool);
+-                if (ctx->active)
+-                        gf_proc_dump_xlator_info (ctx->active->top);
++        if (!ctx)
++                goto out;
+
+-        }
++        if (ctx->cmd_args.brick_name) {
++ GF_REMOVE_SLASH_FROM_PATH (ctx->cmd_args.brick_name, brick_name);
++        } else
++                strncpy (brick_name, "glusterdump", sizeof (brick_name));
++
++        snprintf (path, sizeof path, "%s/%s.%d.dump.%"PRIu64, "/tmp",
++                  brick_name, getpid(), (uint64_t) time (NULL));
++
++        ret = gf_proc_dump_open (tmp_dump_name);
++        if (GF_PROC_DUMP_IS_OPTION_ENABLED (mem))
++                gf_proc_dump_mem_info ();
++        if (GF_PROC_DUMP_IS_OPTION_ENABLED (iobuf))
++                iobuf_stats_dump (ctx->iobuf_pool);
++        if (GF_PROC_DUMP_IS_OPTION_ENABLED (callpool))
++                gf_proc_dump_pending_frames (ctx->pool);
++        if (ctx->active)
++                gf_proc_dump_xlator_info (ctx->active->top);
+
+         gf_proc_dump_close ();
+ out:
++        rename (tmp_dump_name, path);
+         gf_proc_dump_unlock ();
+
+         return;
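Review bot: The return value of `gf_proc_dump_open (tmp_dump_name)` is stored in `ret` but never tested, and `rename (tmp_dump_name, path)` sits below the `out:` label, so it also runs on both early `goto out` paths. On those paths `tmp_dump_name` is still the literal template and `path` is empty, and after a failed `mkstemp` the rename acts on a name in `/tmp` that this process did not create; the dump routines would also run without a usable descriptor, as far as the visible lines show. I would add `if (ret < 0) goto out;` directly after the open call and move the rename above `out:`, with its own result checked. The final name is still predictable (`brick_name`, pid, timestamp); `rename` replaces rather than follows an existing symlink at the destination, and a short comment next to the call should record that this is what the fix relies on.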
+diff -Naur glusterfs-3.2.7.orig/xlators/mgmt/glusterd/src/glusterd-utils.c glusterfs-3.2.7/xlators/mgmt/glusterd/src/glusterd-utils.c
+--- glusterfs-3.2.7.orig/xlators/mgmt/glusterd/src/glusterd-utils.c 2012-06-10 19:44:17.000000000 +0200
++++ glusterfs-3.2.7/xlators/mgmt/glusterd/src/glusterd-utils.c 2013-01-25 08:57:35.601175617 +0100
+@@ -63,7 +63,7 @@
+ #define MOUNTV3_VERSION 3
+ #define MOUNTV1_VERSION 1
+
+-char    *glusterd_sock_dir = "/tmp";
++char    *glusterd_sock_dir = "/var/run";
+ static glusterd_lock_t lock;
+
+ static int32_t
diff -Naur '--exclude=.svn' 3.2.7-3/debian/patches/series 3.2.7-5/debian/patches/series
--- 3.2.7-3/debian/patches/series       2012-11-12 20:37:46.218864002 +0100
+++ 3.2.7-5/debian/patches/series       2013-01-25 09:11:02.145164496 +0100
@@ -1,3 +1,4 @@
 01-manpage-errors.diff
 02-spelling-error.diff
 03-glusterd-crash-gcc-optimizations.diff
+04-CVE-2012-4417.diff



--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org
*/

