[Bugs] [Bug 1164218] glfs_set_volfile_server() method causes segmentation fault when bad arguments are passed.
    bugzilla at redhat.com 
    Mon Nov 17 19:13:35 UTC 2014
    
    
  
https://bugzilla.redhat.com/show_bug.cgi?id=1164218
--- Comment #5 from Vincent Danen <vdanen at redhat.com> ---
(In reply to Sven Kieske from comment #2)
> I think this is a security issue and should get a CVE assigned by Red Hat.

At a quick glance, this doesn't seem to be user-triggerable, is it? I think that
is what would define whether or not this is a security issue. If an
unprivileged user can in some way pass some input to cause this scenario to
happen (perhaps some user can add metadata to a glusterfs volume that causes
this?) then it would be considered a security issue.

While the impact is pretty bad, I'm not sure it's a security issue. For
instance, a bug in a kernel driver that causes the kernel to panic at random
times isn't a security issue even though it takes the entire system down. It
needs a way of crossing a trust boundary, so if an unprivileged user can cause
this then it is a problem, but if an administrator on the host can make
(whatever) changes to a glusterfs volume and can _also_ turn off virtual
machines then there is no gain to them as they can already DoS those virtual
machines to begin with. Does that make sense?

I'm not familiar enough with glusterfs to know for certain which is the case
here so if you can provide some input in that regard, then I can definitely let
you know whether this is a pretty bad operational bug, or in fact a security
issue.

Can anyone provide any input to the above that would perhaps clarify?