Bug#940848: nfs-utils:CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs

To: 940848@bugs.debian.org
Subject: Bug#940848: nfs-utils:CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
From: Sylvain Beucler <beuc@beuc.net>
Date: Mon, 14 Oct 2019 10:03:23 +0200
Message-id: <[🔎] 4b55023e-283c-f1f3-5584-77d36df37983@beuc.net>
Reply-to: Sylvain Beucler <beuc@beuc.net>, 940848@bugs.debian.org
In-reply-to: <[🔎] d3d64908-3a4b-36bc-f7e5-17bb3947c952@beuc.net>
References: <156900987685.28528.4626244954931953936.reportbug@eldamar.local> <ed3ae0fe-0d48-e52e-c5fb-7558de3d5214@beuc.net> <156900987685.28528.4626244954931953936.reportbug@eldamar.local> <[🔎] d3d64908-3a4b-36bc-f7e5-17bb3947c952@beuc.net> <156900987685.28528.4626244954931953936.reportbug@eldamar.local>

Hi,

Incidentally I contacted SuSE security who agreed that fs.protected_symlinks is not a valid mitigation
(they will update MITRE).

I also improved the piuparts check:
#!/bin/sh -ex
if [ -e /var/lib/nfs ]; then
    ls -ld /var/lib/nfs
    ls -ld /var/lib/nfs/sm
    if [ "$(dpkg -l | grep ' nfs-common ' | awk '{print $3}')" != '1:1.3.4-2.6' ]; then
        exit 0
    fi
    if [ "$(stat -c '%U:%G' /var/lib/nfs)" != 'root:root' ]; then
        exit 1
    fi
    if [ "$(stat -c '%U:%G' /var/lib/nfs/sm)" != 'statd:nogroup' ]; then
        exit 1
    fi
fi

Cheers!
Sylvain

Reply to:

References:
- Bug#940848: nfs-utils:CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: Bug#942301: linux-image-amd64: dep linux-image-5.2.0-0.bpo.3-amd64 not available in buster-backports
Next by Date: linux-signed-arm64_5.2.17+1~bpo10+1_source.changes ACCEPTED into buster-backports, buster-backports
Previous by thread: Bug#940848: nfs-utils:CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
Next by thread: Processed: control
Index(es):
- Date
- Thread