I spent some time on this issue without a CVE assigned:
CVE-2015-XXXX [fuse check return value of setuid]
- glusterfs <unfixed>
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/18/6
NOTE: http://review.gluster.org/#/c/10780/
NOTE: https://github.com/gluster/glusterfs/commit/b5ceb1a9de9af563b0f91e2a3138fa5a95cad9f6

I don't believe this is a security issue at all:

- The two unchecked setuid() calls are setuid(geteuid()). This isn't dropping privileges. If the effective uid is 0 then this sets real and saved uids to 0 as well. Otherwise it does nothing.
- It can't fail due to process limits, because if it changes the real uid then we must have an effective uid of 0 and the process limit is ignored.
- Since Linux 3.1 setuid() never fails because of the process limit. Thus wheezy and jessie should be unaffected, even if there's some flaw in the first two points.
- This code appears to be used in fusermount-glusterfs, but that isn't included in the packages for squeeze or wheezy.

Ben.

--
Ben Hutchings
Experience is what causes a person to make new mistakes instead of old ones.
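The setuid(geteuid()) behaviour discussed in the message above, as an added C example that is not part of the original message or of the glusterfs patch. The helper name `checked_setuid_to_euid` is hypothetical; it checks the return value and then confirms the resulting IDs with getresuid(), assuming Linux with glibc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not glusterfs code): call setuid(geteuid()), check
 * the return value, then verify the real/effective/saved uids.
 * Returns 0 on success, -1 if a call failed, -2 if the resulting IDs are
 * not what is expected for this caller. */
int checked_setuid_to_euid(void)
{
    uid_t euid = geteuid();
    uid_t r0, e0, s0, r, e, s;

    if (getresuid(&r0, &e0, &s0) != 0)
        return -1;

    if (setuid(euid) != 0) {
        fprintf(stderr, "setuid(%ld): %s\n", (long)euid, strerror(errno));
        return -1;
    }
    if (getresuid(&r, &e, &s) != 0)
        return -1;

    if (euid == 0) {
        /* Effective uid 0: real and saved uids end up 0 as well. */
        if (r != 0 || e != 0 || s != 0)
            return -2;
    } else {
        /* Unprivileged: the effective uid is set to the value it already
         * had, so none of the three IDs may have changed. */
        if (r != r0 || e != e0 || s != s0)
            return -2;
    }
    return 0;
}

int main(void)
{
    int rc = checked_setuid_to_euid();
    printf("checked_setuid_to_euid() = %d, uid=%ld euid=%ld\n",
           rc, (long)getuid(), (long)geteuid());
    return rc == 0 ? 0 : 1;
}
```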
