Your message dated Thu, 10 May 2012 01:49:46 +0000
with message-id <[email protected]>
and subject line Bug#670256: fixed in libgssglue 0.4-1
has caused the Debian Bug report #670256,
regarding CVE-2011-2709: local root with newer nfs-client
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
670256: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670256
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgssglue1
Version: 0.3-4
Tags: security

Please apply the patch below to ignore the GSSAPI_MECH_CONF
environment variable in processes which are SUID/SGID or otherwise
privileged (such as mount.nfs).  This patch has only been lightly
tested.  I made some effort to make it compatible with
Debian/kfreebsd, but it hasn't been compiled there.

For some background information, see:

http://thread.gmane.org/gmane.comp.security.oss.general/5544

We should patch squeeze as well, but the issue does not appear to be
exploitable with a stock installation because mount.nfs does not link
against libtirpc yet.  So fixing this via stable-proposed-updates is
preferred.


Index: git/src/g_initialize.c
===================================================================
--- git.orig/src/g_initialize.c 2012-04-24 12:30:19.522069647 +0200
+++ git/src/g_initialize.c      2012-04-24 12:34:27.526194012 +0200
@@ -34,6 +34,10 @@
 #include <ctype.h>
 #include <errno.h>
 #include <syslog.h>
+#include <unistd.h>
+#ifdef linux
+#include <sys/prctl.h>
+#endif
 
 #ifdef USE_SOLARIS_SHARED_LIBRARIES
 #include <dlfcn.h>
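
Review bot: the `#ifdef linux` guard around `<sys/prctl.h>` depends on the legacy `linux` macro, which GCC leaves undefined in strict ISO modes such as -std=c99. If the guard is false, the prctl() test in is_privileged() is compiled out without any diagnostic. Use `#ifdef __linux__`, which is defined in every mode, both here and in the matching guard inside is_privileged().
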
@@ -182,6 +186,22 @@
     return 0;
 }
 
+/* Returns true if the process is SUID or SGID. */
+static int
+is_privileged(void)
+{
+  extern int __libc_enable_secure;
+  if (__libc_enable_secure) {
+    return 1;
+  }
+#ifdef linux
+  if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 1) {
+    return 1;
+  }
+#endif
+  return getuid() != geteuid() || getgid() != getegod();
+}
+
 #ifdef USE_SOLARIS_SHARED_LIBRARIES
 /*
  * read the configuration file to find out what mechanisms to
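
Review bot: `getegod()` in the final return of is_privileged() is a typo for `getegid()`; as posted, the file will not link. Two smaller points in the same function: the comment says "SUID or SGID", but the PR_GET_DUMPABLE test also returns true for any process that has been made non-dumpable for other reasons, so the comment should describe that; and `__libc_enable_secure` is a glibc symbol, so the unguarded block-scope extern ties this file to glibc and needs a configure check or an #ifdef if other C libraries are to be supported.
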
@@ -195,7 +215,7 @@
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if (is_privileged() || (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
        filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {
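
Review bot: in the privileged case a caller-supplied GSSAPI_MECH_CONF is now dropped with no trace. The short-circuit order is correct, since getenv() is never consulted once is_privileged() is true. But <syslog.h> is already included, so consider logging once (without echoing the value) when the variable is set and ignored, so an administrator can tell why the override had no effect.
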
@@ -271,7 +291,7 @@
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if (is_privileged() || (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
        filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {
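
Review bot: this is the same condition as in the hunk at line 195, repeated verbatim in a second function. Move the lookup into one static helper that returns the configuration path, so a later change to the privilege check cannot be applied to one copy and missed in the other.
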



--- End Message ---
--- Begin Message ---
Source: libgssglue
Source-Version: 0.4-1

We believe that the bug you reported is fixed in the latest version of
libgssglue, which is due to be installed in the Debian FTP archive:

libgssglue-dev_0.4-1_amd64.deb
  to main/libg/libgssglue/libgssglue-dev_0.4-1_amd64.deb
libgssglue-dev_0.4-1_ia64.deb
  to main/libg/libgssglue/libgssglue-dev_0.4-1_ia64.deb
libgssglue-dev_0.4-1_mipsel.deb
  to main/libg/libgssglue/libgssglue-dev_0.4-1_mipsel.deb
libgssglue1_0.4-1_amd64.deb
  to main/libg/libgssglue/libgssglue1_0.4-1_amd64.deb
libgssglue1_0.4-1_ia64.deb
  to main/libg/libgssglue/libgssglue1_0.4-1_ia64.deb
libgssglue1_0.4-1_mipsel.deb
  to main/libg/libgssglue/libgssglue1_0.4-1_mipsel.deb
libgssglue_0.4-1.debian.tar.bz2
  to main/libg/libgssglue/libgssglue_0.4-1.debian.tar.bz2
libgssglue_0.4-1.dsc
  to main/libg/libgssglue/libgssglue_0.4-1.dsc
libgssglue_0.4.orig.tar.bz2
  to main/libg/libgssglue/libgssglue_0.4.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <[email protected]> (supplier of updated libgssglue package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 10 May 2012 10:08:08 +1000
Source: libgssglue
Binary: libgssglue-dev libgssglue1
Architecture: source amd64 ia64 mipsel
Version: 0.4-1
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <[email protected]>
Changed-By: Anibal Monsalve Salazar <[email protected]>
Description: 
 libgssglue-dev - header files and docs for libgssglue
 libgssglue1 - mechanism-switch gssapi library
Closes: 670256
Changes: 
 libgssglue (0.4-1) unstable; urgency=high
 .
   * New upstream version 0.4
     Changes since libgssglue-0.3:
     - Fix for CVE-2011-2709
       Patch from Marcus Meissner
       Note: Although https://bugzilla.novell.com/show_bug.cgi?id=694598
       mentions mount.nfs, libgssglue is not used by mount.nfs.
     Closes: #670256
   * Fix out-of-date-standards-version
   * DH compatibility level is 9



--- End Message ---
