diff options
author | Chen Qi <Qi.Chen@windriver.com> | 2018-09-26 10:36:27 +0800 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2018-09-30 21:34:09 -0400 |
commit | 39e99a2096711591da2ee3379841108173c92d35 (patch) | |
tree | 9af7d8be795fe9e268770ef4f992b7ee0f99ad89 | |
parent | 50e525538a193c5eb09da61fd78a7d77291ec0c2 (diff) | |
download | meta-cloud-services-39e99a2096711591da2ee3379841108173c92d35.tar.gz |
glusterfs: backport patch to fix a few CVEs
Backport a patch to fix the following CVEs.
CVE: CVE-2018-10926
CVE: CVE-2018-10927
CVE: CVE-2018-10928
CVE: CVE-2018-10929
CVE: CVE-2018-10930
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
-rw-r--r-- | recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch | 73 | ||||
-rw-r--r-- | recipes-extended/glusterfs/glusterfs.inc | 1 |
2 files changed, 74 insertions, 0 deletions
diff --git a/recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch b/recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch new file mode 100644 index 0000000..e6ef9e3 --- /dev/null +++ b/recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From b89658672d137ef56bd0694457b9125bf7d45ba4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Amar Tumballi <amarts@redhat.com> | ||
3 | Date: Thu, 9 Aug 2018 13:00:01 +0530 | ||
4 | Subject: [PATCH 3/7] server-protocol: don't allow '../' path in 'name' | ||
5 | |||
6 | This will prevent any arbitrary file creation through glusterfs | ||
7 | by modifying the client bits. | ||
8 | |||
9 | Also check for the similar flaw inside posix too, so we prevent any | ||
10 | changes in layers in-between. | ||
11 | |||
12 | Fixes: bz#1625095 | ||
13 | |||
14 | Signed-off-by: Amar Tumballi <amarts@redhat.com> | ||
15 | Change-Id: Id9fe0ef6e86459e8ed85ab947d977f058c5ae06e | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Fix CVE-2018-10926 | ||
20 | Fix CVE-2018-10927 | ||
21 | Fix CVE-2018-10928 | ||
22 | Fix CVE-2018-10929 | ||
23 | Fix CVE-2018-10930 | ||
24 | |||
25 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
26 | --- | ||
27 | xlators/protocol/server/src/server-resolve.c | 12 ++++++++++++ | ||
28 | xlators/storage/posix/src/posix-handle.h | 6 ++++++ | ||
29 | 2 files changed, 18 insertions(+) | ||
30 | |||
31 | diff --git a/xlators/protocol/server/src/server-resolve.c b/xlators/protocol/server/src/server-resolve.c | ||
32 | index d0126aa..aa35685 100644 | ||
33 | --- a/xlators/protocol/server/src/server-resolve.c | ||
34 | +++ b/xlators/protocol/server/src/server-resolve.c | ||
35 | @@ -294,6 +294,18 @@ resolve_entry_simple (call_frame_t *frame) | ||
36 | /* expected @parent was found from the inode cache */ | ||
37 | gf_uuid_copy (state->loc_now->pargfid, resolve->pargfid); | ||
38 | state->loc_now->parent = inode_ref (parent); | ||
39 | + | ||
40 | + if (strstr (resolve->bname, "../")) { | ||
41 | + /* Resolving outside the parent's tree is not allowed */ | ||
42 | + gf_msg (this->name, GF_LOG_ERROR, EPERM, | ||
43 | + PS_MSG_GFID_RESOLVE_FAILED, | ||
44 | + "%s: path sent by client not allowed", | ||
45 | + resolve->bname); | ||
46 | + resolve->op_ret = -1; | ||
47 | + resolve->op_errno = EPERM; | ||
48 | + ret = 1; | ||
49 | + goto out; | ||
50 | + } | ||
51 | state->loc_now->name = resolve->bname; | ||
52 | |||
53 | inode = inode_grep (state->itable, parent, resolve->bname); | ||
54 | diff --git a/xlators/storage/posix/src/posix-handle.h b/xlators/storage/posix/src/posix-handle.h | ||
55 | index 9af6a7a..6e7a8d2 100644 | ||
56 | --- a/xlators/storage/posix/src/posix-handle.h | ||
57 | +++ b/xlators/storage/posix/src/posix-handle.h | ||
58 | @@ -217,6 +217,12 @@ | ||
59 | break; \ | ||
60 | } \ | ||
61 | \ | ||
62 | + if (strstr (loc->name, "../")) { \ | ||
63 | + gf_msg (this->name, GF_LOG_ERROR, 0, P_MSG_ENTRY_HANDLE_CREATE, \ | ||
64 | + "'../' in name not allowed: (%s)", loc->name); \ | ||
65 | + op_ret = -1; \ | ||
66 | + break; \ | ||
67 | + } \ | ||
68 | if (LOC_HAS_ABSPATH (loc)) { \ | ||
69 | MAKE_REAL_PATH (entp, this, loc->path); \ | ||
70 | __parp = strdupa (entp); \ | ||
71 | -- | ||
72 | 2.7.4 | ||
73 | |||
diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc index e332872..9a92c30 100644 --- a/recipes-extended/glusterfs/glusterfs.inc +++ b/recipes-extended/glusterfs/glusterfs.inc | |||
@@ -25,6 +25,7 @@ SRC_URI += "file://glusterd.init \ | |||
25 | file://0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch \ | 25 | file://0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch \ |
26 | file://0001-dict-handle-negative-key-value-length-while-unserial.patch \ | 26 | file://0001-dict-handle-negative-key-value-length-while-unserial.patch \ |
27 | file://0002-posix-disable-open-read-write-on-special-files.patch \ | 27 | file://0002-posix-disable-open-read-write-on-special-files.patch \ |
28 | file://0003-server-protocol-don-t-allow-.-path-in-name.patch \ | ||
28 | " | 29 | " |
29 | 30 | ||
30 | LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0" | 31 | LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0" |