
Bug#653757: pu: package nfs-utils/1:1.2.2-4squeeze2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

This version fixes a security issue which the Security Team evaluated as not warranting a DSA. Attached is the diff of the proposed upload.

Cheers

Luk
diff -Nru nfs-utils-1.2.2/debian/changelog nfs-utils-1.2.2/debian/changelog
--- nfs-utils-1.2.2/debian/changelog	2011-10-26 09:00:28.000000000 +0200
+++ nfs-utils-1.2.2/debian/changelog	2011-12-30 18:59:58.000000000 +0100
@@ -1,3 +1,9 @@
+nfs-utils (1:1.2.2-4squeeze2) stable; urgency=high
+
+  * Fix CVE-2011-1749: Avoid leaving a corrupt mtab file (Closes: #629420)
+
+ -- Luk Claes <luk@debian.org>  Fri, 30 Dec 2011 18:58:07 +0100
+
 nfs-utils (1:1.2.2-4squeeze1) stable; urgency=low
 
   * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream 
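Review bot: The new 1:1.2.2-4squeeze2 entry names the CVE and the bug number but not where the fix comes from, while the 1:1.2.2-4squeeze1 entry directly below cites the upstream patch id. Suggest adding the patch file name (debian/patches/17-fix-CVE-2011-1749.patch) and the upstream commit given in its X-Git-Url header (7a802337bfc92d0b30fe94dbd0fa231990a26161) to the changelog line, so the stable update can be traced back to upstream without opening the patch.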
diff -Nru nfs-utils-1.2.2/debian/patches/17-fix-CVE-2011-1749.patch nfs-utils-1.2.2/debian/patches/17-fix-CVE-2011-1749.patch
--- nfs-utils-1.2.2/debian/patches/17-fix-CVE-2011-1749.patch	1970-01-01 01:00:00.000000000 +0100
+++ nfs-utils-1.2.2/debian/patches/17-fix-CVE-2011-1749.patch	2011-12-30 18:57:28.000000000 +0100
@@ -0,0 +1,56 @@
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 23 May 2011 12:19:57 +0000 (-0400)
+Subject: Remove risk of nfs_addmntent corrupting mtab
+X-Git-Tag: nfs-utils-1-2-4-rc9~11
+X-Git-Url: http://git.linux-nfs.org/?p=steved%2Fnfs-utils.git;a=commitdiff_plain;h=7a802337bfc92d0b30fe94dbd0fa231990a26161
+
+Remove risk of nfs_addmntent corrupting mtab
+
+nfs_addmntent is used to append directly to /etc/mtab.
+If the write partially fail, e.g. due to RLIMIT_FSIZE,
+truncate back to original size and return an error.
+
+See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
+(CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+
+diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c
+index a5216fc..a2118a2 100644
+--- a/support/nfs/nfs_mntent.c
++++ b/support/nfs/nfs_mntent.c
+@@ -12,6 +12,7 @@
+ #include <string.h>		/* for index */
+ #include <ctype.h>		/* for isdigit */
+ #include <sys/stat.h>		/* for umask */
++#include <unistd.h>		/* for ftruncate */
+ 
+ #include "nfs_mntent.h"
+ #include "nls.h"
+@@ -127,9 +128,11 @@ int
+ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
+ 	char *m1, *m2, *m3, *m4;
+ 	int res;
++	off_t length;
+ 
+ 	if (fseek (mfp->mntent_fp, 0, SEEK_END))
+ 		return 1;			/* failure */
++	length = ftell(mfp->mntent_fp);
+ 
+ 	m1 = mangle(mnt->mnt_fsname);
+ 	m2 = mangle(mnt->mnt_dir);
+@@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
+ 	free(m2);
+ 	free(m3);
+ 	free(m4);
++	if (res >= 0) {
++		res = fflush(mfp->mntent_fp);
++		if (res < 0)
++			/* Avoid leaving a corrupt mtab file */
++			ftruncate(fileno(mfp->mntent_fp), length);
++	}
+ 	return (res < 0) ? 1 : 0;
+ }
+ 
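Review bot: In the last nfs_addmntent hunk the rollback runs only when fflush fails: the new block is guarded by `if (res >= 0)`, so if res is already negative when that block is reached, nothing is truncated and whatever was written before the failure stays in mtab. Suggest flushing only when res >= 0 and then calling ftruncate whenever res < 0, so every failure path restores the original length. Two smaller points in the same change: `length = ftell(mfp->mntent_fp);` is not checked for -1, which would later be handed to ftruncate as the length, and the return value of `ftruncate(fileno(mfp->mntent_fp), length);` is ignored, so a failed rollback looks the same to the caller as a successful one (the function returns 1 in both cases).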
diff -Nru nfs-utils-1.2.2/debian/patches/series nfs-utils-1.2.2/debian/patches/series
--- nfs-utils-1.2.2/debian/patches/series	2011-10-26 08:50:31.000000000 +0200
+++ nfs-utils-1.2.2/debian/patches/series	2011-12-30 18:57:46.000000000 +0100
@@ -8,3 +8,4 @@
 14-allow-address-without-name.patch
 15-mountd-fix-path-comparison-for-v4-crossmnt.patch
 16-negotiate-des-only.patch
+17-fix-CVE-2011-1749.patch
