Your message dated Mon, 23 Mar 2015 16:43:07 +0100
with message-id <[email protected]>
and subject line Re: Bug#781030: unblock: glusterfs/3.5.2-2
has caused the Debian Bug report #781030,
regarding unblock: glusterfs/3.5.2-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
781030: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781030
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package glusterfs
It fixes CVE-2014-3619 and closes #781018
diff -Naur '--exclude=.svn' 3.5.2-1/debian/changelog 3.5.2-2/debian/changelog
--- 3.5.2-1/debian/changelog 2014-08-01 13:17:51.262203834 +0200
+++ 3.5.2-2/debian/changelog 2015-03-23 15:47:19.949358143 +0100
@@ -1,3 +1,11 @@
+glusterfs (3.5.2-2) unstable; urgency=high
+
+ * Add patch 01-CVE-2014-3619 to fix a fragment header infinite loop DoS in
+ glusterfs as described in CVE-2014-3619.
+ Closes: #781018
+
+ -- Patrick Matthäi <[email protected]> Mon, 23 Mar 2015 15:35:25 +0100
+
glusterfs (3.5.2-1) unstable; urgency=medium
* New upstream release.
diff -Naur '--exclude=.svn' 3.5.2-1/debian/patches/01-CVE-2014-3619.diff
3.5.2-2/debian/patches/01-CVE-2014-3619.diff
--- 3.5.2-1/debian/patches/01-CVE-2014-3619.diff 1970-01-01
01:00:00.000000000 +0100
+++ 3.5.2-2/debian/patches/01-CVE-2014-3619.diff 2015-03-23
15:47:19.953358498 +0100
@@ -0,0 +1,55 @@
+# Upstream patch to fix CVE-2014-3619 (fragment header infinite loop DoS)
+# URL: https://bugzilla.redhat.com/show_bug.cgi?id=1138145
+# Patch: http://review.gluster.org/#/c/8662/4
+
+diff -Naur glusterfs-3.5.2.orig/rpc/rpc-transport/socket/src/socket.c
glusterfs-3.5.2/rpc/rpc-transport/socket/src/socket.c
+--- glusterfs-3.5.2.orig/rpc/rpc-transport/socket/src/socket.c 2014-07-31
13:05:35.000000000 +0200
++++ glusterfs-3.5.2/rpc/rpc-transport/socket/src/socket.c 2015-03-23
15:28:00.765389702 +0100
+@@ -375,10 +375,11 @@
+ /* first call after passing SP_STATE_READING_FRAGHDR */
+ in->ra_max = min (RPC_FRAGSIZE (in->fraghdr), GF_SOCKET_RA_MAX);
+ /* Note that the in->iobuf is the primary iobuf into which
+- headers are read into. By using this itself as our
++ headers are read into, and in->frag.fragcurrent points to
++ some position in the buffer. By using this itself as our
+ read-ahead cache, we can avoid memory copies in iov_load
+ */
+- in->ra_buf = iobuf_ptr (in->iobuf);
++ in->ra_buf = in->frag.fragcurrent;
+ }
+
+ /* fill read-ahead */
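Review bot: In the first socket.c hunk, in->ra_buf now starts at in->frag.fragcurrent ("some position in the buffer", per the updated comment) rather than at iobuf_ptr (in->iobuf), but in->ra_max is still computed as min (RPC_FRAGSIZE (in->fraghdr), GF_SOCKET_RA_MAX) and nothing in the lines shown bounds it by the space remaining in in->iobuf after fragcurrent. RPC_FRAGSIZE is taken from the fragment header read off the socket, so I would like either a clamp of ra_max to the bytes left in the iobuf, or a sentence in the comment naming the invariant that keeps the read-ahead fill inside the buffer.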
+@@ -1986,9 +1987,22 @@
+ goto out;
+ }
+
++ if (in->iobuf == NULL) {
++ /* first fragment */
++ frag->fragcurrent = iobuf_ptr (iobuf);
++ } else {
++ /* second or further fragment */
++ memcpy(iobuf_ptr (iobuf), iobuf_ptr (in->iobuf),
++ in->total_bytes_read -
RPC_FRAGSIZE(in->fraghdr));
++ iobuf_unref (in->iobuf);
++ frag->fragcurrent = (char *) iobuf_ptr (iobuf) +
++ in->total_bytes_read -
RPC_FRAGSIZE(in->fraghdr);
++ frag->pending_vector->iov_base =
frag->fragcurrent;
++ in->pending_vector = frag->pending_vector;
++ }
++
+ in->iobuf = iobuf;
+ in->iobuf_size = 0;
+- frag->fragcurrent = iobuf_ptr (iobuf);
+ in->record_state = SP_STATE_READING_FRAG;
+ /* fall through */
+
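Review bot: The memcpy in the "second or further fragment" branch copies in->total_bytes_read - RPC_FRAGSIZE(in->fraghdr) bytes into the new iobuf with no check, in the lines shown, that this length is non-negative and fits in that buffer. The same expression is evaluated twice (once as the memcpy length, once as the fragcurrent offset); computing it once into a local, validating it against the new iobuf's size, and taking the existing goto out path on failure would make the bound explicit. frag->pending_vector is also dereferenced in this branch without a NULL check, so please confirm it is always set by the time a second fragment header has been read.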
+@@ -2003,6 +2017,9 @@
+ frag->bytes_read = 0;
+
+ if (!RPC_LASTFRAG (in->fraghdr)) {
++ in->pending_vector = in->vector;
++ in->pending_vector->iov_base = &in->fraghdr;
++ in->pending_vector->iov_len =
sizeof(in->fraghdr);
+ in->record_state = SP_STATE_READING_FRAGHDR;
+ break;
+ }
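Review bot: The three lines added under if (!RPC_LASTFRAG (in->fraghdr)) carry no comment explaining why in->pending_vector has to be pointed back at &in->fraghdr with iov_len = sizeof(in->fraghdr) before the state returns to SP_STATE_READING_FRAGHDR. A short comment would help here, since the assignment also overwrites the first entry of in->vector and a later reader needs to know that is intended. Separately, as the diff appears in this mail, the wrapped continuation "sizeof(in->fraghdr);" and the wrapped lines in the previous hunk have lost their leading "+", so please confirm the patch file in the uploaded package is intact and applies cleanly.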
diff -Naur '--exclude=.svn' 3.5.2-1/debian/patches/series
3.5.2-2/debian/patches/series
--- 3.5.2-1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ 3.5.2-2/debian/patches/series 2015-03-23 15:47:19.953358498 +0100
@@ -0,0 +1 @@
+01-CVE-2014-3619.diff
unblock glusterfs/3.5.2-2
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
On 2015-03-23 15:48, Patrick Matthäi wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package glusterfs
>
> It fixes CVE-2014-3619 and closes #781018
>
> [...]
>
> unblock glusterfs/3.5.2-2
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---