Bug#963614: stretch-pu: package nfs-utils/1:1.3.4-2.1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi Stable release managers,
This is similar to #963595 for buster.
nfs-utils in stretch is affected by CVE-2019-3689, cf. #940848. The fix
has now been exposed for a while in unstable and I would like to fix the
issue as well in stretch. I have picked those changes and adjusted the
version in the postinst accordingly.
Additionally I added the change to the Vcs fields in debian/control
but I can revert that if you don't want me to do it.
Attached is the debdiff; is this okay to have included in the next
stretch point release?
Regards,
Salvatore
diff -Nru nfs-utils-1.3.4/debian/changelog nfs-utils-1.3.4/debian/changelog
--- nfs-utils-1.3.4/debian/changelog 2017-03-20 16:07:55.000000000 +0100
+++ nfs-utils-1.3.4/debian/changelog 2020-06-24 10:20:47.000000000 +0200
@@ -1,3 +1,13 @@
+nfs-utils (1:1.3.4-2.1+deb9u1) stretch; urgency=medium
+
+ * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
+ * Don't make /var/lib/nfs owned by statd.
+ Only sm and sm.bak need to be accessible by statd or sm-notify after
+ they drop privileges.
+ * debian/control: Point Vcs URLs to kernel-team namespace repository
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Wed, 24 Jun 2020 10:20:47 +0200
+
nfs-utils (1:1.3.4-2.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru nfs-utils-1.3.4/debian/control nfs-utils-1.3.4/debian/control
--- nfs-utils-1.3.4/debian/control 2016-12-15 14:30:00.000000000 +0100
+++ nfs-utils-1.3.4/debian/control 2020-06-24 10:20:24.000000000 +0200
@@ -6,8 +6,8 @@
Build-Depends: debhelper (>= 7), libwrap0-dev, libevent-dev, libnfsidmap-dev (>= 0.24), libkrb5-dev, libblkid-dev, libkeyutils-dev, pkg-config, libldap2-dev, libcap-dev, libtirpc-dev (>= 0.2.4-2~), libdevmapper-dev, dh-autoreconf, libmount-dev, libsqlite3-dev, dh-systemd
Standards-Version: 3.9.8
Homepage: http://linux-nfs.org/
-Vcs-Git: git://anonscm.debian.org/collab-maint/nfs-utils.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/nfs-utils.git
+Vcs-Git: https://salsa.debian.org/kernel-team/nfs-utils.git
+Vcs-Browser: https://salsa.debian.org/kernel-team/nfs-utils
Package: nfs-kernel-server
Priority: optional
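Review bot: the Vcs-Git/Vcs-Browser change is unrelated to the CVE fix and, as the cover mail says, optional for a stable update; if it stays, consider pointing Vcs-Git at the release branch (`Vcs-Git: https://salsa.debian.org/kernel-team/nfs-utils.git -b stretch`, assuming the kernel-team repository carries per-release branches) so the field describes the source of this upload rather than the unstable branch.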
diff -Nru nfs-utils-1.3.4/debian/nfs-common.postinst nfs-utils-1.3.4/debian/nfs-common.postinst
--- nfs-utils-1.3.4/debian/nfs-common.postinst 2016-12-15 14:30:00.000000000 +0100
+++ nfs-utils-1.3.4/debian/nfs-common.postinst 2020-06-24 10:19:58.000000000 +0200
@@ -21,9 +21,14 @@
fi
fi
+ # Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be
+ # accessible by statd or sm-notify after they drop privileges.
+ # https://bugs.debian.org/940848 (CVE-2019-3689)
+ if dpkg --compare-versions "$2" lt 1:1.3.4-2.1+deb9u1; then
+ chown root:root /var/lib/nfs
+ fi
chown statd: /var/lib/nfs/sm \
- /var/lib/nfs/sm.bak \
- /var/lib/nfs
+ /var/lib/nfs/sm.bak
if [ -f /var/lib/nfs/state ]; then
chown statd /var/lib/nfs/state
fi
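Review bot: the `dpkg --compare-versions "$2" lt 1:1.3.4-2.1+deb9u1` guard also fires on a fresh install, where "$2" is empty and dpkg treats the empty version as lower than anything; that is harmless here (a new install has a root-owned /var/lib/nfs anyway), but if the intent is "upgrade from an affected version" only, `lt-nl` says exactly that. The unconditional `chown root:root /var/lib/nfs` also resets any ownership a local admin set on purpose, which is acceptable for a security fix but worth a line in the changelog. Separately, `chown statd /var/lib/nfs/state` is kept although the patch description above says only sm and sm.bak need to be accessible after dropping privileges; worth confirming that state is still written as statd in 1.3.4, otherwise that file could go back to root as well. After the upgrade, `stat -c '%U:%G %n' /var/lib/nfs /var/lib/nfs/sm /var/lib/nfs/sm.bak` should show root:root for the base directory and statd for the two subdirectories.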
diff -Nru nfs-utils-1.3.4/debian/patches/series nfs-utils-1.3.4/debian/patches/series
--- nfs-utils-1.3.4/debian/patches/series 2016-12-17 11:47:35.000000000 +0100
+++ nfs-utils-1.3.4/debian/patches/series 2020-06-24 10:18:19.000000000 +0200
@@ -10,3 +10,4 @@
unbreak-gssd-rpc_pipefs-run.patch
28-nfs-utils_env-location.patch
29-start-statd-fd-9.patch
+statd-take-user-id-from-var-lib-nfs-sm.patch
diff -Nru nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch
--- nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 1970-01-01 01:00:00.000000000 +0100
+++ nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 2020-06-24 10:17:56.000000000 +0200
@@ -0,0 +1,102 @@
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 14 Oct 2019 14:12:49 -0400
+Subject: statd: take user-id from /var/lib/nfs/sm
+Origin: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
+Bug: https://bugzilla.linux-nfs.org/show_bug.cgi?id=338
+Bug-Debian: https://bugs.debian.org/940848
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3689
+Bug: https://bugzilla.suse.com/show_bug.cgi?id=1150733
+
+Having /var/lib/nfs writeable by statd is not ideal
+as there are files in there that statd doesn't need
+to access.
+After dropping privs, statd and sm-notify only need to
+access files in the directories sm and sm.bak.
+So take the uid for these deamons from 'sm'.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ support/nsm/file.c | 16 +++++-----------
+ utils/statd/sm-notify.man | 10 +++++++++-
+ utils/statd/statd.man | 10 +++++++++-
+ 3 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/support/nsm/file.c b/support/nsm/file.c
+index 0b66f123165e..f5b448015751 100644
+--- a/support/nsm/file.c
++++ b/support/nsm/file.c
+@@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd)
+
+ (void)umask(S_IRWXO);
+
+- /*
+- * XXX: If we can't stat dirname, or if dirname is owned by
+- * root, we should use "statduser" instead, which is set up
+- * by configure.ac. Nothing in nfs-utils seems to use
+- * "statduser," though.
+- */
+- if (lstat(nsm_base_dirname, &st) == -1) {
+- xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
+- return false;
+- }
+-
+ if (chdir(nsm_base_dirname) == -1) {
+ xlog(L_ERROR, "Failed to change working directory to %s: %m",
+ nsm_base_dirname);
+ return false;
+ }
+
++ if (lstat(NSM_MONITOR_DIR, &st) == -1) {
++ xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR);
++ return false;
++ }
++
+ if (!prune_bounding_set())
+ return false;
+
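Review bot: the new lstat of NSM_MONITOR_DIR is a relative path resolved against the chdir() just above, so the "%s/%s" in the error message is the right reconstruction of the full path; however the concern in the removed XXX comment survives the move: nothing in this hunk rejects a root-owned or symlinked sm, so the identity the daemon drops to still depends entirely on whoever created that subdirectory (in Debian, the postinst's `chown statd: /var/lib/nfs/sm`). Consider a check that st.st_uid != 0 and S_ISDIR(st.st_mode) (lstat does not follow a symlink planted at sm) before the ids are used, or at least a comment stating that sm must be owned by the unprivileged statd user.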
+diff --git a/utils/statd/sm-notify.man b/utils/statd/sm-notify.man
+index cfe1e4b1dac8..addf5d3c028e 100644
+--- a/utils/statd/sm-notify.man
++++ b/utils/statd/sm-notify.man
+@@ -190,7 +190,15 @@ by default.
+ After starting,
+ .B sm-notify
+ attempts to set its effective UID and GID to the owner
+-and group of this directory.
++and group of the subdirectory
++.B sm
++of this directory. After changing the effective ids,
++.B sm-notify
++only needs to access files in
++.B sm
++and
++.B sm.bak
++within the state-directory-path.
+ .TP
+ .BI -v " ipaddr " | " hostname
+ Specifies the network address from which to send reboot notifications,
+diff --git a/utils/statd/statd.man b/utils/statd/statd.man
+index 71d58461b5ea..6222701e38a8 100644
+--- a/utils/statd/statd.man
++++ b/utils/statd/statd.man
+@@ -259,7 +259,15 @@ by default.
+ After starting,
+ .B rpc.statd
+ attempts to set its effective UID and GID to the owner
+-and group of this directory.
++and group of the subdirectory
++.B sm
++of this directory. After changing the effective ids,
++.B rpc.statd
++only needs to access files in
++.B sm
++and
++.B sm.bak
++within the state-directory-path.
+ .TP
+ .BR -v ", " -V ", " --version
+ Causes
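Review bot: style: "effective ids" in both man pages (this hunk and the sm-notify.man hunk above) should read "effective IDs" to match "UID and GID" two lines earlier; otherwise the documentation matches the code change.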
+--
+2.25.1
+
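As an added illustration of the privilege-drop pattern the patch above moves nsm_drop_privileges() to (take the unprivileged identity from the state subdirectory "sm" rather than from the base directory), here is a small self-contained C program. It is not code from nfs-utils or from the Debian package: every example_* name, EXAMPLE_MONITOR_DIR and the /tmp layout used by the self-test are assumptions of this example. It adds the two checks the review notes ask for (the subdirectory must be a real directory and must not be root-owned) and verifies that the drop cannot be undone.

```c
/* Added illustration, not nfs-utils or Debian code: derive the
 * unprivileged identity from the "sm" state subdirectory, reject a
 * root-owned or symlinked "sm", then drop privileges irrevocably.
 * All example_* names and EXAMPLE_MONITOR_DIR are assumptions. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define EXAMPLE_MONITOR_DIR "sm"   /* assumed name, as in the patch's NSM_MONITOR_DIR */

/* Owner and group of base/sub, read with lstat() as the patch does, so a
 * symlink planted at "sm" is seen as a symlink rather than followed.
 * Returns 0 on success, -1 with errno set otherwise. */
int example_owner_of(const char *base, const char *sub, uid_t *uid, gid_t *gid)
{
    char path[4096];
    struct stat st;
    int n = snprintf(path, sizeof path, "%s/%s", base, sub);

    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (lstat(path, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;   /* symlink or plain file: refuse to take an identity from it */
        return -1;
    }
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

/* A root-owned "sm" would leave the daemon running as root: the concern
 * in the XXX comment the patch removes, made explicit here. */
int example_owner_ok(uid_t uid, gid_t gid)
{
    return uid != 0 && gid != 0;
}

/* Drop privileges irrevocably: supplementary groups, then gid, then uid,
 * and confirm that root cannot be regained. Returns 0 on success. */
int example_drop_to(uid_t uid, gid_t gid)
{
    if (!example_owner_ok(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    if (setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (setuid(0) == 0 || setgid(0) == 0) {   /* the drop must not be undoable */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Self-test on a constructed base directory under /tmp: "sm" exists and is
 * owned by the calling user; a missing subdirectory must be rejected with
 * ENOENT. Returns 0 when every check passes. No privileges are dropped. */
int example_selftest(void)
{
    char base[64], sm[128];
    uid_t uid = (uid_t)-1;
    gid_t gid = (gid_t)-1;
    int rc = -1;

    snprintf(base, sizeof base, "/tmp/nsm_example_%ld", (long)getpid());
    snprintf(sm, sizeof sm, "%s/%s", base, EXAMPLE_MONITOR_DIR);
    if (mkdir(base, 0755) == -1 || mkdir(sm, 0700) == -1)
        goto out;
    if (example_owner_of(base, EXAMPLE_MONITOR_DIR, &uid, &gid) != 0)
        goto out;
    if (uid != getuid())
        goto out;
    if (example_owner_of(base, "sm.missing", &uid, &gid) != -1 || errno != ENOENT)
        goto out;
    rc = 0;
out:
    rmdir(sm);
    rmdir(base);
    return rc;
}

int main(void)
{
    int rc = example_selftest();
    printf("self-test %s\n", rc == 0 ? "passed" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The order in example_drop_to matters: setgroups() and setgid() must happen while still root, since they fail once the uid is gone, and the trailing setuid(0)/setgid(0) probe is the cheap way to catch a drop that only changed the effective id.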