Date:         Wed, 19 May 2010 11:56:30 -0500
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Moderate: gfs-kmod on SL 5.0-5.4 i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Moderate: gfs-kmod security, bug fix and enhancement update
Issue date:	2010-03-30
CVE Names:	CVE-2010-0727

This updated gfs-kmod is already in SL 5.5.

A flaw was found in the gfs_lock() implementation. The GFS locking code
could skip the lock operation for files that have the S_ISGID bit
(set-group-ID on execution) in their mode set. A local, unprivileged 
user on a system that has a GFS file system mounted could use this flaw 
to cause a kernel panic. (CVE-2010-0727)

These updated gfs-kmod packages are in sync with the latest kernel
(2.6.18-194.el5). The modules in earlier gfs-kmod packages failed to 
load because they did not match the running kernel. It was possible to
force-load the modules. With this update, however, users no longer need to.

These updated gfs-kmod packages also fix the following bugs:

* when SELinux was in permissive mode, a race condition during file
creation could have caused one or more cluster nodes to be fenced and 
lock the remaining nodes out of the GFS file system. This race condition 
no longer occurs with this update. (BZ#471258)

* when ACLs (Access Control Lists) are enabled on a GFS file system, if 
a transaction that has started to do a write request does not have 
enough spare blocks for the operation it causes a kernel panic. This 
update ensures that there are enough blocks for the write request before 
starting the operation. (BZ#513885)

* requesting a "flock" on a file in GFS in either read-only or 
read-write mode would sometimes cause a "Resource temporarily 
unavailable" state error (error 11 for EWOULDBLOCK) to occur. In these 
cases, a flock could not be obtained on the file in question. This has 
been fixed with this update so that flocks can successfully be obtained 
on GFS files without this error occurring. (BZ#515717)

* the GFS withdraw function is a data integrity feature of GFS file 
systems in a cluster. If the GFS kernel module detects an inconsistency 
in a GFS file system following an I/O operation, the file system becomes 
unavailable to the cluster. The GFS withdraw function is less severe 
than a kernel panic, which would cause another node to fence the node. 
With this update, you can override the GFS withdraw function by mounting 
the file system with the "-o errors=panic" option specified. When this 
option is specified, any errors that would normally cause the system to 
withdraw cause the system to panic instead. This stops the node's 
cluster communications, which causes the node to be fenced. (BZ#517145)

Finally, these updated gfs-kmod packages provide the following enhancement:

* the GFS kernel modules have been updated to use the new generic freeze
and unfreeze ioctl interface that is also supported by the following 
file systems: ext3, ext4, GFS2, JFS and ReiserFS. With this update, GFS 
supports freeze/unfreeze through the VFS-level FIFREEZE/FITHAW ioctl 
interface. (BZ#487610)

SL 5.x

     SRPMS:
gfs-kmod-0.1.34-12.el5.src.rpm
     i386:
kmod-gfs-0.1.34-12.el5.i686.rpm
kmod-gfs-PAE-0.1.34-12.el5.i686.rpm
kmod-gfs-xen-0.1.34-12.el5.i686.rpm
     x86_64:
kmod-gfs-0.1.34-12.el5.x86_64.rpm
kmod-gfs-xen-0.1.34-12.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2010-0727 Moderate: gfs-kmod SL 5.0-5.4 i386/x86_64

Moderate: gfs-kmod security, bug fix and enhancement update

Summary

A flaw was found in the gfs_lock() implementation. The GFS locking codecould skip the lock operation for files that have the S_ISGID bit(set-group-ID on execution) in their mode set. A local, unprivilegeduser on a system that has a GFS file system mounted could use this flawto cause a kernel panic. (CVE-2010-0727)These updated gfs-kmod packages are in sync with the latest kernel(2.6.18-194.el5). The modules in earlier gfs-kmod packages failed toload because they did not match the running kernel. It was possible toforce-load the modules. With this update, however, users no longer need to.These updated gfs-kmod packages also fix the following bugs:* when SELinux was in permissive mode, a race condition during filecreation could have caused one or more cluster nodes to be fenced andlock the remaining nodes out of the GFS file system. This race conditionno longer occurs with this update. (BZ#471258)* when ACLs (Access Control Lists) are enabled on a GFS file system, ifa transaction that has started to do a write request does not haveenough spare blocks for the operation it causes a kernel panic. Thisupdate ensures that there are enough blocks for the write request beforestarting the operation. (BZ#513885)* requesting a "flock" on a file in GFS in either read-only orread-write mode would sometimes cause a "Resource temporarilyunavailable" state error (error 11 for EWOULDBLOCK) to occur. In thesecases, a flock could not be obtained on the file in question. This hasbeen fixed with this update so that flocks can successfully be obtainedon GFS files without this error occurring. (BZ#515717)* the GFS withdraw function is a data integrity feature of GFS filesystems in a cluster. If the GFS kernel module detects an inconsistencyin a GFS file system following an I/O operation, the file system becomesunavailable to the cluster. The GFS withdraw function is less severethan a kernel panic, which would cause another node to fence the node.With this update, you can override the GFS withdraw function by mountingthe file system with the "-o errors=panic" option specified. When thisoption is specified, any errors that would normally cause the system towithdraw cause the system to panic instead. This stops the node'scluster communications, which causes the node to be fenced. (BZ#517145)Finally, these updated gfs-kmod packages provide the following enhancement:* the GFS kernel modules have been updated to use the new generic freezeand unfreeze ioctl interface that is also supported by the followingfile systems: ext3, ext4, GFS2, JFS and ReiserFS. With this update, GFSsupports freeze/unfreeze through the VFS-level FIFREEZE/FITHAW ioctlinterface. (BZ#487610)SL 5.xSRPMS:gfs-kmod-0.1.34-12.el5.src.rpmi386:kmod-gfs-0.1.34-12.el5.i686.rpmkmod-gfs-PAE-0.1.34-12.el5.i686.rpmkmod-gfs-xen-0.1.34-12.el5.i686.rpmx86_64:kmod-gfs-0.1.34-12.el5.x86_64.rpmkmod-gfs-xen-0.1.34-12.el5.x86_64.rpm-Connie Sieh-Troy Dawson



Security Fixes

Severity
Issued Date: : 2010-03-30
CVE Names: CVE-2010-0727
This updated gfs-kmod is already in SL 5.5.

Related News