From: ChenQi <Qi.Chen@windriver.com>
To: <meta-virtualization@yoctoproject.org>
Subject: Re: [m-c-s][PATCH 2/2] glusterfs: fix CVE-2018-10841
Date: Thu, 13 Sep 2018 17:59:02 +0800
Message-ID: <ce28d32c-f3c8-f1a2-f9f6-9f6c2b5a2c86@windriver.com>
In-Reply-To: <1536829087-2306-2-git-send-email-Qi.Chen@windriver.com>

Please ignore this patch.
It has a typo 'patc', which should be 'patch', and thus will cause 
do_fetch failure.
I forgot to test it.

I'll send out V2.

Best Regards,
Chen Qi

On 09/13/2018 04:58 PM, Chen Qi wrote:
> Backport patch to fix the following CVE.
>
> CVE: CVE-2018-10841
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>   ...ccess-trusted-peer-group-via-remote-host-.patch | 43 ++++++++++++++++++++++
>   recipes-extended/glusterfs/glusterfs.inc           |  1 +
>   2 files changed, 44 insertions(+)
>   create mode 100644 recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
>
> diff --git a/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch b/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
> new file mode 100644
> index 0000000..dcbb435
> --- /dev/null
> +++ b/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
> @@ -0,0 +1,43 @@
> +From e79741414777c25e5c2a08e6c31619a0fbaad058 Mon Sep 17 00:00:00 2001
> +From: Mohit Agrawal <moagrawa@redhat.com>
> +Date: Wed, 20 Jun 2018 16:13:00 +0530
> +Subject: [PATCH 3/3] glusterfs: access trusted peer group via remote-host
> + command
> +
> +Problem: In SSL environment the user is able to access volume
> +         via remote-host command without adding node in a trusted pool
> +
> +Solution: Change the list of rpc program in glusterd.c at the
> +          time of initialization while SSL is enabled
> +
> +BUG: 1593232
> +Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
> +fixes: bz#1593232
> +Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
> +
> +Upstream-Status: Backport
> +Fix CVE-2018-10841
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + xlators/mgmt/glusterd/src/glusterd.c | 5 -----
> + 1 file changed, 5 deletions(-)
> +
> +diff --git a/xlators/mgmt/glusterd/src/glusterd.c b/xlators/mgmt/glusterd/src/glusterd.c
> +index ef20689..5e0ed8d 100644
> +--- a/xlators/mgmt/glusterd/src/glusterd.c
> ++++ b/xlators/mgmt/glusterd/src/glusterd.c
> +@@ -1646,11 +1646,6 @@ init (xlator_t *this)
> +                         goto out;
> +                 }
> +                 /*
> +-                 * With strong authentication, we can afford to allow
> +-                 * privileged operations over TCP.
> +-                 */
> +-                gd_inet_programs[1] = &gd_svc_cli_prog;
> +-                /*
> +                  * This is the only place where we want secure_srvr to reflect
> +                  * the management-plane setting.
> +                  */
> +--
> +2.7.4
> +
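
Review bot: the embedded patch header carries the CVE reference as 'Fix CVE-2018-10841', not in the 'CVE: CVE-2018-10841' tag form that the outer commit message uses. Put the tag in that form next to 'Upstream-Status: Backport' so that tooling which scans patch files for CVE tags can match it, and state which upstream commit or branch the backport was taken from. The glusterd.c change itself only deletes the 'gd_inet_programs[1] = &gd_svc_cli_prog;' assignment and its comment in init(); the header's "Change the list of rpc program" would be clearer if it said that the CLI program is no longer added to gd_inet_programs when SSL is enabled.
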
> diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
> index 8bf5653..fa25bd8 100644
> --- a/recipes-extended/glusterfs/glusterfs.inc
> +++ b/recipes-extended/glusterfs/glusterfs.inc
> @@ -22,6 +22,7 @@ SRC_URI += "file://glusterd.init \
>               file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \
>               file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \
>               file://0002-server-auth-add-option-for-strict-authentication.patch \
> +            file://0003-glusterfs-access-trusted-peer-group-via-remote-host-.patc \
>              "
>   
>   LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"
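
Review bot: the added SRC_URI entry ends in '.patc', while the file created by this commit is '0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch', so the fetcher will not find the file and do_fetch fails. Change the suffix to '.patch' and run at least a fetch and do_patch of the recipe before resending, since an unapplied backport leaves CVE-2018-10841 unfixed in the built package.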

Thread overview: 3+ messages
2018-09-13  8:58 [m-c-s][PATCH 1/2] glusterfs: fix CVE-2018-1088 Chen Qi
2018-09-13  8:58 ` [m-c-s][PATCH 2/2] glusterfs: fix CVE-2018-10841 Chen Qi
2018-09-13  9:59   ` ChenQi [this message]