Bug#781030: unblock: glusterfs/3.5.2-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package glusterfs
It fixes CVE-2014-3619 and closes #781018
diff -Naur '--exclude=.svn' 3.5.2-1/debian/changelog 3.5.2-2/debian/changelog
--- 3.5.2-1/debian/changelog 2014-08-01 13:17:51.262203834 +0200
+++ 3.5.2-2/debian/changelog 2015-03-23 15:47:19.949358143 +0100
@@ -1,3 +1,11 @@
+glusterfs (3.5.2-2) unstable; urgency=high
+
+ * Add patch 01-CVE-2014-3619 to fix a fragment header infinite loop DoS in
+ glusterfs as described in CVE-2014-3619.
+ Closes: #781018
+
+ -- Patrick Matthäi <pmatthaei@debian.org> Mon, 23 Mar 2015 15:35:25 +0100
+
glusterfs (3.5.2-1) unstable; urgency=medium
* New upstream release.
diff -Naur '--exclude=.svn' 3.5.2-1/debian/patches/01-CVE-2014-3619.diff 3.5.2-2/debian/patches/01-CVE-2014-3619.diff
--- 3.5.2-1/debian/patches/01-CVE-2014-3619.diff 1970-01-01 01:00:00.000000000 +0100
+++ 3.5.2-2/debian/patches/01-CVE-2014-3619.diff 2015-03-23 15:47:19.953358498 +0100
@@ -0,0 +1,55 @@
+# Upstream patch to fix CVE-2014-3619 (fragment header infinite loop DoS)
+# URL: https://bugzilla.redhat.com/show_bug.cgi?id=1138145
+# Patch: http://review.gluster.org/#/c/8662/4
+
+diff -Naur glusterfs-3.5.2.orig/rpc/rpc-transport/socket/src/socket.c glusterfs-3.5.2/rpc/rpc-transport/socket/src/socket.c
+--- glusterfs-3.5.2.orig/rpc/rpc-transport/socket/src/socket.c 2014-07-31 13:05:35.000000000 +0200
++++ glusterfs-3.5.2/rpc/rpc-transport/socket/src/socket.c 2015-03-23 15:28:00.765389702 +0100
+@@ -375,10 +375,11 @@
+ /* first call after passing SP_STATE_READING_FRAGHDR */
+ in->ra_max = min (RPC_FRAGSIZE (in->fraghdr), GF_SOCKET_RA_MAX);
+ /* Note that the in->iobuf is the primary iobuf into which
+- headers are read into. By using this itself as our
++ headers are read into, and in->frag.fragcurrent points to
++ some position in the buffer. By using this itself as our
+ read-ahead cache, we can avoid memory copies in iov_load
+ */
+- in->ra_buf = iobuf_ptr (in->iobuf);
++ in->ra_buf = in->frag.fragcurrent;
+ }
+
+ /* fill read-ahead */
+@@ -1986,9 +1987,22 @@
+ goto out;
+ }
+
++ if (in->iobuf == NULL) {
++ /* first fragment */
++ frag->fragcurrent = iobuf_ptr (iobuf);
++ } else {
++ /* second or further fragment */
++ memcpy(iobuf_ptr (iobuf), iobuf_ptr (in->iobuf),
++ in->total_bytes_read - RPC_FRAGSIZE(in->fraghdr));
++ iobuf_unref (in->iobuf);
++ frag->fragcurrent = (char *) iobuf_ptr (iobuf) +
++ in->total_bytes_read - RPC_FRAGSIZE(in->fraghdr);
++ frag->pending_vector->iov_base = frag->fragcurrent;
++ in->pending_vector = frag->pending_vector;
++ }
++
+ in->iobuf = iobuf;
+ in->iobuf_size = 0;
+- frag->fragcurrent = iobuf_ptr (iobuf);
+ in->record_state = SP_STATE_READING_FRAG;
+ /* fall through */
+
+@@ -2003,6 +2017,9 @@
+ frag->bytes_read = 0;
+
+ if (!RPC_LASTFRAG (in->fraghdr)) {
++ in->pending_vector = in->vector;
++ in->pending_vector->iov_base = &in->fraghdr;
++ in->pending_vector->iov_len = sizeof(in->fraghdr);
+ in->record_state = SP_STATE_READING_FRAGHDR;
+ break;
+ }
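Review bot: The memcpy length in the `else` branch of the second socket.c hunk, `in->total_bytes_read - RPC_FRAGSIZE(in->fraghdr)`, depends on the fragment header read from the peer, and nothing in these lines shows that the subtraction cannot wrap or that the new `iobuf` is large enough for the carried-over bytes plus the incoming fragment. The allocation and the update of `total_bytes_read` sit above the hunk, so this has to be confirmed there. If the invariant holds, state it in a comment and compute the value once, e.g. `carried = in->total_bytes_read - RPC_FRAGSIZE (in->fraghdr);`, using `carried` for both the memcpy and the `fragcurrent` offset. No upper bound on the total record size is visible either, so each further non-last fragment re-copies everything received so far; a cap checked before the allocation would bound both memory and copy cost. The enclosing case block starts and ends outside the hunk.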
diff -Naur '--exclude=.svn' 3.5.2-1/debian/patches/series 3.5.2-2/debian/patches/series
--- 3.5.2-1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ 3.5.2-2/debian/patches/series 2015-03-23 15:47:19.953358498 +0100
@@ -0,0 +1 @@
+01-CVE-2014-3619.diff
unblock glusterfs/3.5.2-2
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash