CVE-2018-1088

Name: CVE-2018-1088
Description: A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 896128

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release            Version          Status
glusterfs (PTS)   jessie             3.5.2-2+deb8u3   fixed
                  jessie (security)  3.5.2-2+deb8u5   fixed
                  stretch            3.8.8-1          vulnerable
                  buster             5.5-3            fixed
                  bullseye, sid      7.0-2            fixed

The information below is based on the following data on fixed versions.

Package    Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
glusterfs  source  (unstable)  4.0.2-1                          896128
glusterfs  source  jessie      (not affected)
glusterfs  source  wheezy      (not affected)

Notes

[jessie] - glusterfs <not-affected> (vulnerable code not present)
[wheezy] - glusterfs <not-affected> (vulnerable code not present)
https://bugzilla.redhat.com/show_bug.cgi?id=1558721
https://review.gluster.org/#/c/19899/
https://review.gluster.org/#/c/19898/
When fixing this issue, do not apply the incomplete fix: it opens CVE-2018-1112,
under which auth.allow lets all clients mount volumes.
Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1570891
Needs: https://review.gluster.org/#/c/19899/1..2
