Bug 1625095
Summary: | CVE-2018-10930 glusterfs: Files can be renamed outside volume | |||
---|---|---|---|---|
Product: | [Community] GlusterFS | Reporter: | Amar Tumballi <atumball> | |
Component: | core | Assignee: | Amar Tumballi <atumball> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | ||
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 4.1 | CC: | anoopcs, bugs, extras-qa, humble.devassy, jonathansteffan, kkeithle, matthias, ndevos, ramkrsna, sisharma | |
Target Milestone: | --- | Keywords: | Security, SecurityTracking | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | glusterfs-5.0 | Doc Type: | Release Note | |
Doc Text: | Story Points: | --- | ||
Clone Of: | 1625085 | |||
: | 1625664 (view as bug list) | Environment: | ||
Last Closed: | 2018-09-10 06:39:34 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1625085 | |||
Bug Blocks: | 1612664, 1625664 |
Description
Amar Tumballi
2018-09-04 06:08:08 UTC
REVIEW: https://review.gluster.org/21068 (server-protocol: don't allow '../' path in 'name') posted (#1) for review on master by Amar Tumballi COMMIT: https://review.gluster.org/21068 committed in master by "Amar Tumballi" <amarts> with a commit message- server-protocol: don't allow '../' path in 'name' This will prevent any arbitrary file creation through glusterfs by modifying the client bits. Also check for the similar flaw inside posix too, so we prevent any changes in layers in-between. Fixes: bz#1625095 Signed-off-by: Amar Tumballi <amarts> Change-Id: Id9fe0ef6e86459e8ed85ab947d977f058c5ae06e REVIEW: https://review.gluster.org/21103 (server-protocol: don't allow '../' path in 'name') posted (#1) for review on release-4.1 by Amar Tumballi COMMIT: https://review.gluster.org/21103 committed in release-4.1 by "jiffin tony Thottan" <jthottan> with a commit message- server-protocol: don't allow '../' path in 'name' This will prevent any arbitrary file creation through glusterfs by modifying the client bits. Also check for the similar flaw inside posix too, so we prevent any changes in layers in-between. Fixes: bz#1625095 Signed-off-by: Amar Tumballi <amarts> Change-Id: Id9fe0ef6e86459e8ed85ab947d977f058c5ae06e This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-4.1.4, please open a new bug report. glusterfs-4.1.4 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution. [1] https://lists.gluster.org/pipermail/announce/2018-September/000112.html [2] https://www.gluster.org/pipermail/gluster-users/ This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-5.0, please open a new bug report. glusterfs-5.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution. [1] https://lists.gluster.org/pipermail/announce/2018-October/000115.html [2] https://www.gluster.org/pipermail/gluster-users/ |