[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#963614: marked as done (stretch-pu: package nfs-utils/1:1.3.4-2.1+deb9u1)

Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #963614,
regarding stretch-pu: package nfs-utils/1:1.3.4-2.1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
963614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963614
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable release managers,

This is similar to #963595 for buster.

nfs-utils in stretch is affected by CVE-2019-3689, cf. #940848 the fix
was now exposed for a while in unstable and I would like fix the issue
ass well in stretch. I have picked those changes and adjusted the
version in the postinst accordingly.

Additionally I added the change to the Vcs fields in debian/control
but I can revert that if you don't want me to do it.

Attached is the debdiff, is this okay to have included in the next
stretch point release?

Regards,
Salvatore

diff -Nru nfs-utils-1.3.4/debian/changelog nfs-utils-1.3.4/debian/changelog
--- nfs-utils-1.3.4/debian/changelog	2017-03-20 16:07:55.000000000 +0100
+++ nfs-utils-1.3.4/debian/changelog	2020-06-24 10:20:47.000000000 +0200
@@ -1,3 +1,13 @@
+nfs-utils (1:1.3.4-2.1+deb9u1) stretch; urgency=medium
+
+  * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
+  * Don't make /var/lib/nfs owned by statd.
+    Only sm and sm.bak need to be accessible by statd or sm-notify after
+    they drop privileges.
+  * debian/control: Point Vcs URLs to kernel-team namespace repository
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 24 Jun 2020 10:20:47 +0200
+
 nfs-utils (1:1.3.4-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru nfs-utils-1.3.4/debian/control nfs-utils-1.3.4/debian/control
--- nfs-utils-1.3.4/debian/control	2016-12-15 14:30:00.000000000 +0100
+++ nfs-utils-1.3.4/debian/control	2020-06-24 10:20:24.000000000 +0200
@@ -6,8 +6,8 @@
 Build-Depends: debhelper (>= 7), libwrap0-dev, libevent-dev, libnfsidmap-dev (>= 0.24), libkrb5-dev, libblkid-dev, libkeyutils-dev, pkg-config, libldap2-dev, libcap-dev, libtirpc-dev (>= 0.2.4-2~), libdevmapper-dev, dh-autoreconf, libmount-dev, libsqlite3-dev, dh-systemd
 Standards-Version: 3.9.8
 Homepage: http://linux-nfs.org/
-Vcs-Git: git://anonscm.debian.org/collab-maint/nfs-utils.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/nfs-utils.git
+Vcs-Git: https://salsa.debian.org/kernel-team/nfs-utils.git
+Vcs-Browser: https://salsa.debian.org/kernel-team/nfs-utils
 
 Package: nfs-kernel-server
 Priority: optional
diff -Nru nfs-utils-1.3.4/debian/nfs-common.postinst nfs-utils-1.3.4/debian/nfs-common.postinst
--- nfs-utils-1.3.4/debian/nfs-common.postinst	2016-12-15 14:30:00.000000000 +0100
+++ nfs-utils-1.3.4/debian/nfs-common.postinst	2020-06-24 10:19:58.000000000 +0200
@@ -21,9 +21,14 @@
             fi
         fi
 
+        # Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be
+        # accessible by statd or sm-notify after they drop privileges.
+        # https://bugs.debian.org/940848 (CVE-2019-3689)
+        if dpkg --compare-versions "$2" lt 1:1.3.4-2.1+deb9u1; then
+                chown root:root /var/lib/nfs
+        fi
         chown statd: /var/lib/nfs/sm \
-            /var/lib/nfs/sm.bak \
-            /var/lib/nfs
+            /var/lib/nfs/sm.bak
         if [ -f /var/lib/nfs/state ]; then
             chown statd /var/lib/nfs/state
         fi
diff -Nru nfs-utils-1.3.4/debian/patches/series nfs-utils-1.3.4/debian/patches/series
--- nfs-utils-1.3.4/debian/patches/series	2016-12-17 11:47:35.000000000 +0100
+++ nfs-utils-1.3.4/debian/patches/series	2020-06-24 10:18:19.000000000 +0200
@@ -10,3 +10,4 @@
 unbreak-gssd-rpc_pipefs-run.patch
 28-nfs-utils_env-location.patch
 29-start-statd-fd-9.patch
+statd-take-user-id-from-var-lib-nfs-sm.patch
diff -Nru nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch
--- nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch	1970-01-01 01:00:00.000000000 +0100
+++ nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch	2020-06-24 10:17:56.000000000 +0200
@@ -0,0 +1,102 @@
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 14 Oct 2019 14:12:49 -0400
+Subject: statd: take user-id from /var/lib/nfs/sm
+Origin: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
+Bug: https://bugzilla.linux-nfs.org/show_bug.cgi?id=338
+Bug-Debian: https://bugs.debian.org/940848
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3689
+Bug: https://bugzilla.suse.com/show_bug.cgi?id=1150733
+
+Having /var/lib/nfs writeable by statd is not ideal
+as there are files in there that statd doesn't need
+to access.
+After dropping privs, statd and sm-notify only need to
+access files in the directories sm and sm.bak.
+So take the uid for these deamons from 'sm'.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ support/nsm/file.c        | 16 +++++-----------
+ utils/statd/sm-notify.man | 10 +++++++++-
+ utils/statd/statd.man     | 10 +++++++++-
+ 3 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/support/nsm/file.c b/support/nsm/file.c
+index 0b66f123165e..f5b448015751 100644
+--- a/support/nsm/file.c
++++ b/support/nsm/file.c
+@@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd)
+ 
+ 	(void)umask(S_IRWXO);
+ 
+-	/*
+-	 * XXX: If we can't stat dirname, or if dirname is owned by
+-	 *      root, we should use "statduser" instead, which is set up
+-	 *      by configure.ac.  Nothing in nfs-utils seems to use
+-	 *      "statduser," though.
+-	 */
+-	if (lstat(nsm_base_dirname, &st) == -1) {
+-		xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
+-		return false;
+-	}
+-
+ 	if (chdir(nsm_base_dirname) == -1) {
+ 		xlog(L_ERROR, "Failed to change working directory to %s: %m",
+ 				nsm_base_dirname);
+ 		return false;
+ 	}
+ 
++	if (lstat(NSM_MONITOR_DIR, &st) == -1) {
++		xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR);
++		return false;
++	}
++
+ 	if (!prune_bounding_set())
+ 		return false;
+ 
+diff --git a/utils/statd/sm-notify.man b/utils/statd/sm-notify.man
+index cfe1e4b1dac8..addf5d3c028e 100644
+--- a/utils/statd/sm-notify.man
++++ b/utils/statd/sm-notify.man
+@@ -190,7 +190,15 @@ by default.
+ After starting,
+ .B sm-notify
+ attempts to set its effective UID and GID to the owner
+-and group of this directory.
++and group of the subdirectory
++.B sm
++of this directory.  After changing the effective ids,
++.B sm-notify
++only needs to access files in
++.B sm
++and
++.B sm.bak
++within the state-directory-path.
+ .TP
+ .BI -v " ipaddr " | " hostname
+ Specifies the network address from which to send reboot notifications,
+diff --git a/utils/statd/statd.man b/utils/statd/statd.man
+index 71d58461b5ea..6222701e38a8 100644
+--- a/utils/statd/statd.man
++++ b/utils/statd/statd.man
+@@ -259,7 +259,15 @@ by default.
+ After starting,
+ .B rpc.statd
+ attempts to set its effective UID and GID to the owner
+-and group of this directory.
++and group of the subdirectory
++.B sm
++of this directory.  After changing the effective ids,
++.B rpc.statd
++only needs to access files in
++.B sm
++and
++.B sm.bak
++within the state-directory-path.
+ .TP
+ .BR -v ", " -V ", " --version
+ Causes
+-- 
+2.25.1
+

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
Reply to: