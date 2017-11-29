-----BEGIN PGP SIGNED MESSAGE-----

Red Hat Security Advisory



Synopsis: Moderate: tcmu-runner security update

Advisory ID: RHSA-2017:3277-01

Product: Red Hat Gluster Storage

Advisory URL: https://access.redhat.com/errata/RHSA-2017:3277

Issue date: 2017-11-29

CVE Names: CVE-2017-1000198 CVE-2017-1000199 CVE-2017-1000200

CVE-2017-1000201

1. Summary:



An update for tcmu-runner is now available for Red Hat Gluster Storage

3.3.1 for Red Hat Enterprise Linux 7.



Red Hat Product Security has rated this update as having a security impact

of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

gives a detailed severity rating, is available for each vulnerability from

the CVE link(s) in the References section.



2. Relevant releases/architectures:



Red Hat Gluster Storage Server 3.3 on RHEL-7 - x86_64



3. Description:



The tcmu-runner packages provide a service that handles the complexity of

the LIO kernel target's userspace passthrough interface (TCMU). It presents

a C plugin API for extension modules that handle SCSI requests in ways not

possible or suitable to be handled by LIO's in-kernel backstores.



Security Fix(es):



* A flaw was found in the implementation of CheckConfig method in

handler_glfs.so of the tcmu-runner daemon. A local, non-root user with

access to the D-Bus system bus could send a specially crafted string to

CheckConfig method resulting in various kinds of segmentation fault.

(CVE-2017-1000198)



* A NULL pointer dereference flaw was found in the UnregisterHandler method

implemented in the tcmu-runner daemon. A local, non-root user with access

to the D-Bus system bus could call the UnregisterHandler method with the

name of a handler loaded internally in tcmu-runner via dlopen() to trigger

DoS. (CVE-2017-1000200)



* A NULL pointer dereference flaw was found in the UnregisterHandler method

implemented in the tcmu-runner daemon. A local, non-root user with access

to the D-Bus system bus could call UnregisterHandler method with

non-existing tcmu handler as paramater to trigger DoS. (CVE-2017-1000201)



* A file information leak flaw was found in implementation of the

CheckConfig method in handler_qcow.so of the tcmu-runner daemon. A local,

non-root user with access to the D-Bus system bus could use this flaw to

leak arbitrary file names which might not be retrievable by non-root user.

(CVE-2017-1000199)



4. Solution:



For details on how to apply this update, which includes the changes

described in this advisory, refer to:



https://access.redhat.com/articles/11258



5. Bugs fixed (https://bugzilla.redhat.com/):



1472332 - tcmu-runner: Various security and functionality related bugfixes

(multiple DoS, memory leaks)

1487246 - CVE-2017-1000198 tcmu-runner: glfs handler allows local DoS via

crafted CheckConfig strings

1487247 - CVE-2017-1000201 tcmu-runner: UnregisterHandler dbus method in

tcmu-runner daemon for non-existing handler causes DoS

1487251 - CVE-2017-1000200 tcmu-runner: UnregisterHandler D-Bus method in

tcmu-runner daemon for internal handler causes DoS

1487252 - CVE-2017-1000199 tcmu-runner: qcow handler opens up an information

leak via the CheckConfig D-Bus method



6. Package List:



Red Hat Gluster Storage Server 3.3 on RHEL-7:



Source:

tcmu-runner-1.2.0-16.el7rhgs.src.rpm



x86_64:

libtcmu-1.2.0-16.el7rhgs.x86_64.rpm

libtcmu-devel-1.2.0-16.el7rhgs.x86_64.rpm

tcmu-runner-1.2.0-16.el7rhgs.x86_64.rpm

tcmu-runner-debuginfo-1.2.0-16.el7rhgs.x86_64.rpm



These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/



7. References:



https://access.redhat.com/security/cve/CVE-2017-1000198

https://access.redhat.com/security/cve/CVE-2017-1000199

https://access.redhat.com/security/cve/CVE-2017-1000200

https://access.redhat.com/security/cve/CVE-2017-1000201

https://access.redhat.com/security/updates/classification/#moderate



8. Contact:



The Red Hat security contact is <secalert@redhat.com>. More contact

details at https://access.redhat.com/security/team/contact/



