oss-sec mailing list archives
CVE Request for glusterfs: fuse check return value of setuid
From: Siddharth Sharma <siddharth () redhat com>
Date: Tue, 18 Aug 2015 05:38:10 -0400 (EDT)
Problem description from the bug: https://bugzilla.redhat.com/show_bug.cgi?id=1254488

setuid() sets the effective user ID of the calling process. If the effective UID of the caller is root, the real UID and saved set-user-ID are also set. On success, zero is returned. On error, -1 is returned, and errno is set appropriately.

Note: there are cases where setuid() can fail even when the caller is UID 0; it is a grave security error to omit checking for a failure return from setuid(). If an environment limits the number of processes a user can have, setuid() might fail if the target UID already is at the limit.

Can we have a CVE assigned to this?

Upstream Ref:
http://review.gluster.org/#/c/10780/
https://github.com/gluster/glusterfs/commit/b5ceb1a9de9af563b0f91e2a3138fa5a95cad9f6

-----------------------------------------------------------------
Siddharth Sharma / Red Hat Product Security / Key ID : 0xD9F6489A
Fingerprint : 0x6F04C684 A49C E4CE 8148 E841 CD6F 8E55 D9F6 489A
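To illustrate the class of bug the request describes, here is an added example (not GlusterFS code; the function names are hypothetical) that places the unchecked setuid() pattern beside a version that checks the return value and verifies the resulting identity:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
/* Added example, not GlusterFS code; function names are hypothetical. */

/* Reports whether the process really runs as `target` (real and effective UID). */
int running_as(uid_t target)
{
    return getuid() == target && geteuid() == target;
}

/* Vulnerable pattern: the result of setuid() is thrown away. If the call fails
 * (EPERM for an unprivileged caller, EAGAIN when the target UID is already at
 * its RLIMIT_NPROC limit), the process silently keeps its original identity. */
void drop_privs_unchecked(uid_t target)
{
    (void)setuid(target);
}

/* Hardened form: fail closed. Returns 0 only when the switch took effect,
 * otherwise -1 with errno describing the failure. */
int drop_privs_checked(uid_t target)
{
    if (setuid(target) == -1) {
        int saved = errno;
        fprintf(stderr, "setuid(%u) failed: %s\n", (unsigned)target, strerror(saved));
        errno = saved;
        return -1;
    }
    if (!running_as(target)) {   /* verify; setuid() semantics vary by platform */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t me = getuid();
    printf("checked drop to %u: %d\n", (unsigned)me, drop_privs_checked(me));
    if (me != 0) {   /* unprivileged: becoming root must fail */
        drop_privs_unchecked(0);
        printf("after unchecked setuid(0), running as root? %d\n", running_as(0));
        int rc = drop_privs_checked(0);
        printf("checked drop to 0: %d (%s)\n", rc, strerror(errno));
    }
    return 0;
}
```

Run as an unprivileged user, the unchecked call leaves the process with its original identity and no indication that anything went wrong, while the checked version reports EPERM.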