Hello community, here is the log from the commit of package nfs-utils for openSUSE:11.4 checked in at Fri Jul 1 23:07:02 CEST 2011.
-------- --- old-versions/11.4/all/nfs-utils/nfs-utils.changes 2011-02-17 00:58:58.000000000 +0100 +++ 11.4/nfs-utils/nfs-utils.changes 2011-06-23 08:55:22.000000000 +0200 @@ -1,0 +2,12 @@ +Thu Jun 23 06:46:34 UTC 2011 - [email protected] + +- rpc.mountd-segfault-fix; fix possible segfault caused + by "showmount -e" usage. (bnc#693189) +- addmntent.fix - error check writes to /etc/mtab and + cope accordingly. (bnc#689799) +- mount-catch-signals - don't abort on SIGXSFZ or other + signals while mtab is locked (bnc#689799) +- mountd-auth-fix - fix bug that could give away incorrect + access to NFS exported filesystems. (bnc#701702) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/nfs-utils Destination is old-versions/11.4/UPDATES/all/nfs-utils calling whatdependson for 11.4-i586 New: ---- addmntent.fix mount-catch-signals mountd-auth-fix rpc.mountd-segfault-fix ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nfs-utils.spec ++++++ --- /var/tmp/diff_new_pack.l1GJQw/_old 2011-07-01 23:06:32.000000000 +0200 +++ /var/tmp/diff_new_pack.l1GJQw/_new 2011-07-01 23:06:32.000000000 +0200 @@ -27,7 +27,7 @@ Url: http://nfs.sourceforge.net Summary: Support Utilities for Kernel nfsd Version: 1.2.3 -Release: 11.<RELEASE3> +Release: 11.<RELEASE16> Group: Productivity/Networking/NFS License: GPLv2+ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -54,6 +54,10 @@ Patch3: nfs-utils-allow-port-number-sharing Patch4: nfs-utils-improve-v4-umount Patch5: nfs-utils-fix-remount +Patch6: addmntent.fix +Patch7: mount-catch-signals +Patch8: mountd-auth-fix +Patch9: rpc.mountd-segfault-fix Suggests: python-base %description @@ -137,6 +141,10 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 cp %{S:6} . %build ++++++ addmntent.fix ++++++ 
>From a47739bf3b89432e112d1d2ed9bbdaf1e09d450a Mon Sep 17 00:00:00 2001 From: Neil Brown <[email protected]> Date: Tue, 17 May 2011 14:36:21 +1000 Subject: [PATCH] Remove risk of nfs_addmntent corrupting mtab nfs_addmntent is used to append directly to /etc/mtab. If the write partially fail, e.g. due to RLIMIT_FSIZE, truncate back to original size and return an error. See also https://bugzilla.redhat.com/show_bug.cgi?id=697975 (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE Signed-off-by: NeilBrown <[email protected]> --- support/nfs/nfs_mntent.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- nfs-utils-1.2.1.orig/support/nfs/nfs_mntent.c +++ nfs-utils-1.2.1/support/nfs/nfs_mntent.c @@ -12,6 +12,7 @@ #include <string.h> /* for index */ #include <ctype.h> /* for isdigit */ #include <sys/stat.h> /* for umask */ +#include <unistd.h> /* for ftruncate */ #include "nfs_mntent.h" #include "nls.h" @@ -127,9 +128,11 @@ int nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { char *m1, *m2, *m3, *m4; int res; + off_t length; if (fseek (mfp->mntent_fp, 0, SEEK_END)) return 1; /* failure */ + length = ftell(mfp->mntent_fp); m1 = mangle(mnt->mnt_fsname); m2 = mangle(mnt->mnt_dir); 
@@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mnte free(m2); free(m3); free(m4); + if (res >= 0) + res = fflush(mfp->mntent_fp); + if (res < 0) + /* Avoid leaving a corrupt mtab file */ + ftruncate(fileno(mfp->mntent_fp), length); + return (res < 0) ? 1 : 0; } ++++++ mount-catch-signals ++++++ Subject: [PATCH] mount: improve signal management when locking mtab. References: bnc#689799 As mount.nfs can run setuid it must be careful about how the user can interact with in. In particular it needs to ensure it does not respond badly to any signals that the user might be able to generate. This is particularly an issue while updating /etc/mtab (when that is not linked to /proc/mounts). If the user can generate a signal which kills mount.nfs while /etc/mtab is locked, then it will leave the file locked, and could possibly corrupt mtab (particularly if 'ulimit 1' was previously issued). Currently lock_mtab does set some handlers for signals, but not enough. It arranges for every signal up to (but not including) SIGCHLD to cause mount.nfs to unlock mdadm promptly exit ... even if the default behaviour would be to ignore the signal. SIGALRM is handled specially, and signals after SIGCHLD are left with their default behaviour. This includes for example SIGXFSZ which can be generated by the user running "ulimit 1". So: change this so that some signals are left unchanged, SIGALRM is handled as required, and all signals that the user can generate are explicitly ignored. The remainder still cause mount.nfs to print a message, unlock mtab, and exit. Signed-off-by: NeilBrown <[email protected]> --- utils/mount/fstab.c | 37 ++++++++++++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 5 deletions(-) --- nfs-utils-1.2.1.orig/utils/mount/fstab.c +++ nfs-utils-1.2.1/utils/mount/fstab.c 
@@ -331,16 +331,43 @@ lock_mtab (void) { int sig = 0; struct sigaction sa; - sa.sa_handler = handler; sa.sa_flags = 0; sigfillset (&sa.sa_mask); - while (sigismember (&sa.sa_mask, ++sig) != -1 - && sig != SIGCHLD) { - if (sig == SIGALRM) + while (sigismember (&sa.sa_mask, ++sig) != -1) { + switch(sig) { + case SIGCHLD: + case SIGKILL: + case SIGCONT: + case SIGSTOP: + /* These cannot be caught, or should not, + * so don't even try. + */ + continue; + case SIGALRM: sa.sa_handler = setlkw_timeout; - else + break; + case SIGHUP: + case SIGINT: + case SIGQUIT: + case SIGWINCH: + case SIGTSTP: + case SIGTTIN: + case SIGTTOU: + case SIGPIPE: + case SIGXFSZ: + case SIGXCPU: + /* non-priv user can cause these to be + * generated, so ignore them. + */ + sa.sa_handler = SIG_IGN; + break; + default: + /* The rest should not be possible, so just + * print a message and unlock mtab. + */ sa.sa_handler = handler; + } sigaction (sig, &sa, (struct sigaction *) 0); } signals_have_been_setup = 1; ++++++ mountd-auth-fix ++++++ >From b50ad13298b3e9519a9bdecb8c146c9ecf39cef8 Mon Sep 17 00:00:00 2001 
From: Jeff Layton <[email protected]> Date: Wed, 22 Jun 2011 14:51:38 -0400 Subject: [PATCH] nfs: fix host_reliable_addrinfo References: bnc#701702 According to Neil Brown: The point of the word 'reliable' is to check that the name we get really does belong to the host in question, i.e. that both the forward and reverse maps agree. But the new code doesn't do that check at all. Rather it simply maps the address to a name, then discards the address and maps the name back to a list of addresses and uses that list of addresses as "where the request came from" for permission checking. This bug is exploitable via the following scenario and could allow an attacker access to data that they shouldn't be able to access. Suppose you export a filesystem to some subnet or FQDN and also to a wildcard or netgroup, and I know the details of this (maybe showmount -e tells me). Suppose further that I can get IP packets to your server. Then I create a reverse mapping for my IP address to a domain that I own, say "black.hat.org", and a forward mapping from that domain to my IP address, and one of your IP addresses. Then I try to mount your filesystem. The IP address gets correctly mapped to "black.hat.org" and then mapped to both my IP address and your IP address. Then you search through all of your exports and find that one of the addresses, yours, is allowed to access the filesystem. So you create an export based on the addrinfo you have which allows my IP address the same access as your IP address. Fix this by instead using the forward lookup of the hostname just to verify that the original address is in the list. Then do a numeric lookup using the address and stick the hostname in the ai_canonname. Reviewed-by: NeilBrown <[email protected]> Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Steve Dickson <[email protected]> --- support/export/hostname.c | 36 ++++++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-) --- nfs-utils-1.2.3.orig/support/export/hostname.c +++ nfs-utils-1.2.3/support/export/hostname.c @@ -262,17 +262,19 @@ host_canonname(const struct sockaddr *sa * @sap: pointer to socket address to look up * * Reverse and forward lookups are performed to ensure the address has - * proper forward and reverse mappings. + * matching forward and reverse mappings. * - * Returns address info structure with ai_canonname filled in, or NULL - * if no information is available for @sap. Caller must free the returned - * structure with freeaddrinfo(3). + * Returns addrinfo structure with just the provided address with + * ai_canonname filled in. If there is a problem with resolution or + * the resolved records don't match up properly then it returns NULL + * + * Caller must free the returned structure with freeaddrinfo(3). */ __attribute_malloc__ struct addrinfo * host_reliable_addrinfo(const struct sockaddr *sap) { - struct addrinfo *ai; + struct addrinfo *ai, *a; char *hostname; hostname = host_canonname(sap); @@ -280,9 +282,31 @@ host_reliable_addrinfo(const struct sock return NULL; ai = host_addrinfo(hostname); + if (!ai) + goto out_free_hostname; - free(hostname); + /* make sure there's a matching address in the list */ + for (a = ai; a; a = a->ai_next) + if (nfs_compare_sockaddr(a->ai_addr, sap)) + break; + + freeaddrinfo(ai); + if (!a) + goto out_free_hostname; + + /* get addrinfo with just the original address */ + ai = host_numeric_addrinfo(sap); + if (!ai) + goto out_free_hostname; + + /* and populate its ai_canonname field */ + free(ai->ai_canonname); + ai->ai_canonname = hostname; return ai; + +out_free_hostname: + free(hostname); + return NULL; } /** ++++++ rpc.mountd-segfault-fix ++++++ >From 730f6986f86873513fa021a450eb55ccd0f2fbff Mon Sep 17 00:00:00 2001 
From: Steve Dickson <[email protected]> Date: Wed, 26 Jan 2011 07:49:19 -0500 Subject: [PATCH] Fixed segfault in rpc.mountd An unallocated piece of memory, instead of a NULL pointer, was being used to initialize a ->next pointer in the mount linked list, which caused a segfault after a few remote accesses via the showmount command. Signed-off-by: Steve Dickson <[email protected]> --- utils/mountd/rmtab.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/utils/mountd/rmtab.c b/utils/mountd/rmtab.c index d339296..527377f 100644 --- a/utils/mountd/rmtab.c +++ b/utils/mountd/rmtab.c @@ -205,6 +205,7 @@ mountlist_list(void) } if (stb.st_mtime != last_mtime) { mountlist_freeall(mlist); + mlist = NULL; last_mtime = stb.st_mtime; setrmtabent("r"); -- 1.7.3.4 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...
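Review bot: in the @@ -127,9 +128,11 @@ hunk of addmntent.fix, the result of `length = ftell(mfp->mntent_fp);` is never checked. ftell returns -1 on failure, and that value is later handed to ftruncate, which then fails with EINVAL and leaves the partially written entry in place, the very corruption the patch sets out to prevent. Suggest `if (length < 0) return 1;` directly after the call, mirroring the fseek check two lines above it.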
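Review bot: in the @@ -143,6 +146,12 @@ hunk of addmntent.fix, the return value of `ftruncate(fileno(mfp->mntent_fp), length);` is discarded, so a failed rollback is reported to the caller as a plain write failure while the partial line stays in /etc/mtab. Suggest checking it and logging when the truncate itself fails, or at least a `(void)` cast to show the omission is deliberate. The `fflush` before the check is doing the real work here: with stdio buffering, EFBIG from RLIMIT_FSIZE only surfaces at flush time, so without it `res` could be non-negative while nothing has reached the file yet.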
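Review bot: in the @@ -331,16 +331,43 @@ hunk of mount-catch-signals, the description claims all signals the user can generate are now ignored, but the `default:` arm still installs `handler` for SIGTERM, SIGUSR1 and SIGUSR2, which an unprivileged caller can deliver with kill(2) because the real uid of the setuid mount.nfs process is theirs. Since `handler` unlocks mtab before exiting this does not leak the lock, but either narrow the claim or move those three into the SIG_IGN group. A comment is also warranted on `case SIGXFSZ:`: ignoring it is what turns the RLIMIT_FSIZE case into an EFBIG write error, so the rollback added in addmntent.fix depends on this hunk.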
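Review bot: in the @@ -280,9 +282,31 @@ hunk of mountd-auth-fix, the forward-confirmation loop `if (nfs_compare_sockaddr(a->ai_addr, sap))` only works if that helper compares addresses and not ports: the entries from host_addrinfo carry no port, whereas @sap is the client's source address with its port set, so a port-sensitive compare would never match and every lookup would fail closed. Please confirm that, and give the two-line `for` braces. Also, `free(ai->ai_canonname);` followed by `ai->ai_canonname = hostname;` relies on host_numeric_addrinfo returning a getaddrinfo(3)-allocated structure so that freeaddrinfo later releases the replacement string; a one-line comment stating that would spare the next reader a trip through the helper.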
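Review bot: in the @@ -205,6 +205,7 @@ hunk of rpc.mountd-segfault-fix, adding `mlist = NULL;` after `mountlist_freeall(mlist);` fixes the dangling head pointer at this call site only; the freeing function still leaves its caller holding freed memory. Consider having mountlist_freeall take the head by reference and clear it, so no other caller can reintroduce the same use-after-free.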
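The forward/reverse agreement check that the mountd-auth-fix commit message describes, shown as an added example rather than nfs-utils code: the pre-fix logic that treats every forward address of the reverse name as "where the request came from" sits beside the fixed logic, which accepts the reverse name only when its forward records contain the original address and then matches only that address against the export. The DNS tables, addresses (RFC 5737 documentation ranges) and host names are constructed for the example, and the export check is simplified to a single allowed address; how mountd falls back when the name cannot be confirmed is not covered here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed DNS data (hypothetical names, documentation addresses). */
struct ptr_rec { const char *addr; const char *name; };
struct a_rec   { const char *name; const char *addrs[4]; };

static const struct ptr_rec ptr_table[] = {
    { "192.0.2.10",   "nfsclient.example.org" }, /* the legitimate client   */
    { "203.0.113.7",  "other.example.net" },     /* zone run by a third party */
    { "198.51.100.5", "nfsclient.example.org" }, /* PTR claims a name it lacks */
};

static const struct a_rec a_table[] = {
    { "nfsclient.example.org", { "192.0.2.10", NULL } },
    /* this forward zone lists its own address and the trusted client's */
    { "other.example.net",     { "203.0.113.7", "192.0.2.10", NULL } },
};

static const char *reverse_lookup(const char *addr)
{
    size_t i;
    for (i = 0; i < sizeof(ptr_table) / sizeof(ptr_table[0]); i++)
        if (strcmp(ptr_table[i].addr, addr) == 0)
            return ptr_table[i].name;
    return NULL;
}

static const char *const *forward_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(a_table) / sizeof(a_table[0]); i++)
        if (strcmp(a_table[i].name, name) == 0)
            return a_table[i].addrs;
    return NULL;
}

/* The export in this example is granted to one client address. */
static int addr_is_exported(const char *addr)
{
    return strcmp(addr, "192.0.2.10") == 0;
}

/* Pre-fix behaviour: address -> name -> address list, any entry will do. */
int access_allowed_flawed(const char *client_addr)
{
    const char *name = reverse_lookup(client_addr);
    const char *const *addrs;

    if (name == NULL || (addrs = forward_lookup(name)) == NULL)
        return 0;
    for (; *addrs != NULL; addrs++)
        if (addr_is_exported(*addrs))
            return 1;           /* a name's other address grants access */
    return 0;
}

/*
 * Forward-confirmed reverse lookup, as the fix does it: the name is
 * accepted only if its forward records include the original address.
 * Returns the name, or NULL when the two directions do not agree.
 */
const char *reliable_hostname(const char *client_addr)
{
    const char *name = reverse_lookup(client_addr);
    const char *const *addrs;

    if (name == NULL || (addrs = forward_lookup(name)) == NULL)
        return NULL;
    for (; *addrs != NULL; addrs++)
        if (strcmp(*addrs, client_addr) == 0)
            return name;
    return NULL;
}

/* Fixed behaviour: only the address the request came from is matched. */
int access_allowed_fixed(const char *client_addr)
{
    if (reliable_hostname(client_addr) == NULL)
        return 0;
    return addr_is_exported(client_addr);
}

int main(void)
{
    static const char *clients[] = { "192.0.2.10", "203.0.113.7", "198.51.100.5" };
    size_t i;
    for (i = 0; i < sizeof(clients) / sizeof(clients[0]); i++) {
        const char *name = reliable_hostname(clients[i]);
        printf("%-13s name=%-22s flawed=%d fixed=%d\n", clients[i],
               name ? name : "(unconfirmed)",
               access_allowed_flawed(clients[i]),
               access_allowed_fixed(clients[i]));
    }
    return 0;
}
```

Running it shows the two failure modes side by side: 203.0.113.7 has a genuinely consistent name, yet the flawed check still admits it because that name's forward zone also lists the trusted client, while 198.51.100.5 gets in under the flawed check on a bare PTR claim. The fixed check confirms the name and then judges the connecting address alone, so only 192.0.2.10 is admitted.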
