
Bug#963595: marked as done (buster-pu: package nfs-utils/1:1.3.4-2.5+deb10u1)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #963595,
regarding buster-pu: package nfs-utils/1:1.3.4-2.5+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
963595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963595
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi SRM,

nfs-utils in buster is affected by CVE-2019-3689, cf. #940848. The fix
has now been exposed for a while in unstable and I would like to fix the
issue as well in buster. I have picked those changes and adjusted the
version in the postinst accordingly.

Additionally I added the change to the Vcs fields in debian/control
but I can revert that if you don't want me to do it.

Attached is the debdiff, is this okay to have included in the next
buster point release?

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru nfs-utils-1.3.4/debian/changelog nfs-utils-1.3.4/debian/changelog
--- nfs-utils-1.3.4/debian/changelog	2019-04-06 18:30:39.000000000 +0200
+++ nfs-utils-1.3.4/debian/changelog	2020-06-24 09:54:47.000000000 +0200
@@ -1,3 +1,13 @@
+nfs-utils (1:1.3.4-2.5+deb10u1) buster; urgency=medium
+
+  * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
+  * Don't make /var/lib/nfs owned by statd.
+    Only sm and sm.bak need to be accessible by statd or sm-notify after
+    they drop privileges.
+  * debian/control: Point Vcs URLs to kernel-team namespace repository
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 24 Jun 2020 09:54:47 +0200
+
 nfs-utils (1:1.3.4-2.5) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru nfs-utils-1.3.4/debian/control nfs-utils-1.3.4/debian/control
--- nfs-utils-1.3.4/debian/control	2019-04-06 18:30:39.000000000 +0200
+++ nfs-utils-1.3.4/debian/control	2020-06-24 09:54:47.000000000 +0200
@@ -6,8 +6,8 @@
 Build-Depends: debhelper (>= 9.20160709), libwrap0-dev, libevent-dev, libnfsidmap-dev (>= 0.24), libkrb5-dev, libblkid-dev, libkeyutils-dev, pkg-config, libldap2-dev, libcap-dev, libtirpc-dev (>= 1.0.2), libdevmapper-dev, dh-autoreconf, libmount-dev, libsqlite3-dev
 Standards-Version: 4.2.1
 Homepage: http://linux-nfs.org/
-Vcs-Git: https://salsa.debian.org/debian/nfs-utils.git
-Vcs-Browser: https://salsa.debian.org/debian/nfs-utils
+Vcs-Git: https://salsa.debian.org/kernel-team/nfs-utils.git
+Vcs-Browser: https://salsa.debian.org/kernel-team/nfs-utils
 
 Package: nfs-kernel-server
 Architecture: any
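Review bot: The Vcs-Git and Vcs-Browser changes in debian/control are unrelated to the CVE-2019-3689 fix that the rest of this debdiff carries. For a stable point-release update, consider dropping them so the diff contains only the security change and the matching postinst adjustment; if they stay, the separate changelog bullet that already names them keeps the change visible.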
diff -Nru nfs-utils-1.3.4/debian/nfs-common.postinst nfs-utils-1.3.4/debian/nfs-common.postinst
--- nfs-utils-1.3.4/debian/nfs-common.postinst	2019-04-06 18:30:39.000000000 +0200
+++ nfs-utils-1.3.4/debian/nfs-common.postinst	2020-06-24 09:54:47.000000000 +0200
@@ -21,9 +21,14 @@
             fi
         fi
 
+        # Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be
+        # accessible by statd or sm-notify after they drop privileges.
+        # https://bugs.debian.org/940848 (CVE-2019-3689)
+        if dpkg --compare-versions "$2" lt 1:1.3.4-2.5+deb10u1; then
+                chown root:root /var/lib/nfs
+        fi
         chown statd: /var/lib/nfs/sm \
-            /var/lib/nfs/sm.bak \
-            /var/lib/nfs
+            /var/lib/nfs/sm.bak
         if [ -f /var/lib/nfs/state ]; then
             chown statd /var/lib/nfs/state
         fi
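Review bot: The new comment in nfs-common.postinst says only sm and sm.bak need to be accessible by statd, yet the unchanged lines directly below still chown /var/lib/nfs/state to statd, so the comment and the script disagree about which paths the unprivileged daemon owns. Either mention state in the comment or explain why it is kept. Note also that chown root:root /var/lib/nfs is not recursive: it resets the directory itself on upgrade, but entries created inside it while the directory was owned by statd keep their current owner, which is worth stating in the comment if it is intended.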
diff -Nru nfs-utils-1.3.4/debian/patches/series nfs-utils-1.3.4/debian/patches/series
--- nfs-utils-1.3.4/debian/patches/series	2019-04-06 18:30:39.000000000 +0200
+++ nfs-utils-1.3.4/debian/patches/series	2020-06-24 09:54:47.000000000 +0200
@@ -15,3 +15,4 @@
 fix-glibc2.28-ftbfs.patch
 0010-gssd-replace-non-thread-safe-strtok-with-strsep.patch
 0011-gssd-Duplicate-the-upcall-string-for-error-messages.patch
+statd-take-user-id-from-var-lib-nfs-sm.patch
diff -Nru nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch
--- nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch	1970-01-01 01:00:00.000000000 +0100
+++ nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch	2020-06-24 09:54:47.000000000 +0200
@@ -0,0 +1,102 @@
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 14 Oct 2019 14:12:49 -0400
+Subject: statd: take user-id from /var/lib/nfs/sm
+Origin: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
+Bug: https://bugzilla.linux-nfs.org/show_bug.cgi?id=338
+Bug-Debian: https://bugs.debian.org/940848
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3689
+Bug: https://bugzilla.suse.com/show_bug.cgi?id=1150733
+
+Having /var/lib/nfs writeable by statd is not ideal
+as there are files in there that statd doesn't need
+to access.
+After dropping privs, statd and sm-notify only need to
+access files in the directories sm and sm.bak.
+So take the uid for these deamons from 'sm'.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ support/nsm/file.c        | 16 +++++-----------
+ utils/statd/sm-notify.man | 10 +++++++++-
+ utils/statd/statd.man     | 10 +++++++++-
+ 3 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/support/nsm/file.c b/support/nsm/file.c
+index 0b66f123165e..f5b448015751 100644
+--- a/support/nsm/file.c
++++ b/support/nsm/file.c
+@@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd)
+ 
+ 	(void)umask(S_IRWXO);
+ 
+-	/*
+-	 * XXX: If we can't stat dirname, or if dirname is owned by
+-	 *      root, we should use "statduser" instead, which is set up
+-	 *      by configure.ac.  Nothing in nfs-utils seems to use
+-	 *      "statduser," though.
+-	 */
+-	if (lstat(nsm_base_dirname, &st) == -1) {
+-		xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
+-		return false;
+-	}
+-
+ 	if (chdir(nsm_base_dirname) == -1) {
+ 		xlog(L_ERROR, "Failed to change working directory to %s: %m",
+ 				nsm_base_dirname);
+ 		return false;
+ 	}
+ 
++	if (lstat(NSM_MONITOR_DIR, &st) == -1) {
++		xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR);
++		return false;
++	}
++
+ 	if (!prune_bounding_set())
+ 		return false;
+ 
+diff --git a/utils/statd/sm-notify.man b/utils/statd/sm-notify.man
+index cfe1e4b1dac8..addf5d3c028e 100644
+--- a/utils/statd/sm-notify.man
++++ b/utils/statd/sm-notify.man
+@@ -190,7 +190,15 @@ by default.
+ After starting,
+ .B sm-notify
+ attempts to set its effective UID and GID to the owner
+-and group of this directory.
++and group of the subdirectory
++.B sm
++of this directory.  After changing the effective ids,
++.B sm-notify
++only needs to access files in
++.B sm
++and
++.B sm.bak
++within the state-directory-path.
+ .TP
+ .BI -v " ipaddr " | " hostname
+ Specifies the network address from which to send reboot notifications,
+diff --git a/utils/statd/statd.man b/utils/statd/statd.man
+index 71d58461b5ea..6222701e38a8 100644
+--- a/utils/statd/statd.man
++++ b/utils/statd/statd.man
+@@ -259,7 +259,15 @@ by default.
+ After starting,
+ .B rpc.statd
+ attempts to set its effective UID and GID to the owner
+-and group of this directory.
++and group of the subdirectory
++.B sm
++of this directory.  After changing the effective ids,
++.B rpc.statd
++only needs to access files in
++.B sm
++and
++.B sm.bak
++within the state-directory-path.
+ .TP
+ .BR -v ", " -V ", " --version
+ Causes
+-- 
+2.25.1
+
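Review bot: In nsm_drop_privileges() (support/nsm/file.c), the removed XXX comment described the case where the directory is owned by root, and the added lstat(NSM_MONITOR_DIR, &st) block has no comment in its place. Since st now describes sm rather than nsm_base_dirname, a short comment saying that the daemon's uid and gid are taken from the owner of sm, and what is expected when sm is owned by root, would document the new contract. Any use of st after this hunk is not visible here and should be checked for messages that still refer to nsm_base_dirname. The lstat is resolved relative to the working directory, so it depends on staying after the chdir(nsm_base_dirname) call. Minor style: the new xlog() line is not wrapped the way the chdir error above it is.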

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
