Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1625097
Summary: | CVE-2018-10907 glusterfs: Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code | |||
---|---|---|---|---|
Product: | [Community] GlusterFS | Reporter: | Amar Tumballi <atumball> | |
Component: | protocol | Assignee: | Amar Tumballi <atumball> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | ||
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 4.1 | CC: | anoopcs, bugs, extras-qa, humble.devassy, jonathansteffan, kkeithle, matthias, ndevos, ramkrsna, sisharma | |
Target Milestone: | --- | Keywords: | Security, SecurityTracking | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | glusterfs-5.0 | Doc Type: | Release Note | |
Doc Text: | Story Points: | --- | ||
Clone Of: | 1625080 | |||
: | 1625654 (view as bug list) | Environment: | ||
Last Closed: | 2018-09-10 06:40:17 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1625080 | |||
Bug Blocks: | 1625654 |
Description
Amar Tumballi
2018-09-04 06:23:25 UTC
REVIEW: https://review.gluster.org/21070 (protocol: don't use alloca) posted (#1) for review on master by Amar Tumballi COMMIT: https://review.gluster.org/21070 committed in master by "Amar Tumballi" <amarts> with a commit message- protocol: don't use alloca current implementation of alloca can cause issues when strings larger than the allocated buffer is passed to the xdr. Hence it makes sense to allow XDR decode functions to deal with memory allocations, which we can free later. Fixes: bz#1625097 Change-Id: I3a05553f5702de9575c244649ca0e5ac9abaac94 Signed-off-by: Amar Tumballi <amarts> REVIEW: https://review.gluster.org/21099 (protocol: don't use alloca) posted (#1) for review on release-4.1 by Amar Tumballi COMMIT: https://review.gluster.org/21099 committed in release-4.1 by "jiffin tony Thottan" <jthottan> with a commit message- protocol: don't use alloca current implementation of alloca can cause issues when strings larger than the allocated buffer is passed to the xdr. Hence it makes sense to allow XDR decode functions to deal with memory allocations, which we can free later. Fixes: bz#1625097 Change-Id: I3a05553f5702de9575c244649ca0e5ac9abaac94 Signed-off-by: Amar Tumballi <amarts> This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-4.1.4, please open a new bug report. glusterfs-4.1.4 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution. [1] https://lists.gluster.org/pipermail/announce/2018-September/000112.html [2] https://www.gluster.org/pipermail/gluster-users/ This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-5.0, please open a new bug report. glusterfs-5.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution. [1] https://lists.gluster.org/pipermail/announce/2018-October/000115.html [2] https://www.gluster.org/pipermail/gluster-users/ |