Scientific Linux: CVE-2010-0727 Moderate: gfs-kmod Security Fix

Date: Wed, 19 May 2010 11:56:30 -0500
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: Security ERRATA Moderate: gfs-kmod on SL 5.0-5.4 i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."
 

Synopsis:	Moderate: gfs-kmod security, bug fix and enhancement update
Issue date:	2010-03-30
CVE Names:	CVE-2010-0727

This updated gfs-kmod is already in SL 5.5.

A flaw was found in the gfs_lock() implementation. The GFS locking code
could skip the lock operation for files that have the S_ISGID bit
(set-group-ID on execution) in their mode set. A local, unprivileged
user on a system that has a GFS file system mounted could use this flaw
to cause a kernel panic. (CVE-2010-0727)

These updated gfs-kmod packages are in sync with the latest kernel
(2.6.18-194.el5). The modules in earlier gfs-kmod packages failed to
load because they did not match the running kernel. It was possible to
force-load the modules. With this update, however, users no longer need to.

These updated gfs-kmod packages also fix the following bugs:

* when SELinux was in permissive mode, a race condition during file
creation could have caused one or more cluster nodes to be fenced and
lock the remaining nodes out of the GFS file system. This race condition
no longer occurs with this update. (BZ#471258)

* when ACLs (Access Control Lists) are enabled on a GFS file system, if
a transaction that has started to do a write request does not have
enough spare blocks for the operation it causes a kernel panic. This
update ensures that there are enough blocks for the write request before
starting the operation. (BZ#513885)

* requesting a "flock" on a file in GFS in either read-only or
read-write mode would sometimes cause a "Resource temporarily
unavailable" state error (error 11 for EWOULDBLOCK) to occur. In these
cases, a flock could not be obtained on the file in question. This has
been fixed with this update so that flocks can successfully be obtained
on GFS files without this error occurring. (BZ#515717)

* the GFS withdraw function is a data integrity feature of GFS file
systems in a cluster. If the GFS kernel module detects an inconsistency
in a GFS file system following an I/O operation, the file system becomes
unavailable to the cluster. The GFS withdraw function is less severe
than a kernel panic, which would cause another node to fence the node.
With this update, you can override the GFS withdraw function by mounting
the file system with the "-o errors=panic" option specified. When this
option is specified, any errors that would normally cause the system to
withdraw cause the system to panic instead. This stops the node's
cluster communications, which causes the node to be fenced. (BZ#517145)

Finally, these updated gfs-kmod packages provide the following enhancement:

* the GFS kernel modules have been updated to use the new generic freeze
and unfreeze ioctl interface that is also supported by the following
file systems: ext3, ext4, GFS2, JFS and ReiserFS. With this update, GFS
supports freeze/unfreeze through the VFS-level FIFREEZE/FITHAW ioctl
interface. (BZ#487610)

SL 5.x

 SRPMS:
gfs-kmod-0.1.34-12.el5.src.rpm
 i386:
kmod-gfs-0.1.34-12.el5.i686.rpm
kmod-gfs-PAE-0.1.34-12.el5.i686.rpm
kmod-gfs-xen-0.1.34-12.el5.i686.rpm
 x86_64:
kmod-gfs-0.1.34-12.el5.x86_64.rpm
kmod-gfs-xen-0.1.34-12.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson