Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi Stable release managers,

This is similar to #963595 for buster.

nfs-utils in stretch is affected by CVE-2019-3689, cf. #940848. The fix
has now been exposed for a while in unstable and I would like to fix the
issue as well in stretch. I have picked those changes and adjusted the
version in the postinst accordingly.

Additionally I added the change to the Vcs fields in debian/control
but I can revert that if you don't want me to do it.

Attached is the debdiff, is this okay to have included in the next
stretch point release?

Regards,
Salvatore
diff -Nru nfs-utils-1.3.4/debian/changelog nfs-utils-1.3.4/debian/changelog
--- nfs-utils-1.3.4/debian/changelog    2017-03-20 16:07:55.000000000 +0100
+++ nfs-utils-1.3.4/debian/changelog    2020-06-24 10:20:47.000000000 +0200
@@ -1,3 +1,13 @@
+nfs-utils (1:1.3.4-2.1+deb9u1) stretch; urgency=medium
+
+  * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
+  * Don't make /var/lib/nfs owned by statd.
+    Only sm and sm.bak need to be accessible by statd or sm-notify after
+    they drop privileges.
+  * debian/control: Point Vcs URLs to kernel-team namespace repository
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 24 Jun 2020 10:20:47 +0200
+
 nfs-utils (1:1.3.4-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru nfs-utils-1.3.4/debian/control nfs-utils-1.3.4/debian/control
--- nfs-utils-1.3.4/debian/control      2016-12-15 14:30:00.000000000 +0100
+++ nfs-utils-1.3.4/debian/control      2020-06-24 10:20:24.000000000 +0200
@@ -6,8 +6,8 @@
 Build-Depends: debhelper (>= 7), libwrap0-dev, libevent-dev, libnfsidmap-dev 
(>= 0.24), libkrb5-dev, libblkid-dev, libkeyutils-dev, pkg-config, 
libldap2-dev, libcap-dev, libtirpc-dev (>= 0.2.4-2~), libdevmapper-dev, 
dh-autoreconf, libmount-dev, libsqlite3-dev, dh-systemd
 Standards-Version: 3.9.8
 Homepage: http://linux-nfs.org/
-Vcs-Git: git://anonscm.debian.org/collab-maint/nfs-utils.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/nfs-utils.git
+Vcs-Git: https://salsa.debian.org/kernel-team/nfs-utils.git
+Vcs-Browser: https://salsa.debian.org/kernel-team/nfs-utils
 
 Package: nfs-kernel-server
 Priority: optional
diff -Nru nfs-utils-1.3.4/debian/nfs-common.postinst 
nfs-utils-1.3.4/debian/nfs-common.postinst
--- nfs-utils-1.3.4/debian/nfs-common.postinst  2016-12-15 14:30:00.000000000 
+0100
+++ nfs-utils-1.3.4/debian/nfs-common.postinst  2020-06-24 10:19:58.000000000 
+0200
@@ -21,9 +21,14 @@
             fi
         fi
 
+        # Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be
+        # accessible by statd or sm-notify after they drop privileges.
+        # https://bugs.debian.org/940848 (CVE-2019-3689)
+        if dpkg --compare-versions "$2" lt 1:1.3.4-2.1+deb9u1; then
+                chown root:root /var/lib/nfs
+        fi
         chown statd: /var/lib/nfs/sm \
-            /var/lib/nfs/sm.bak \
-            /var/lib/nfs
+            /var/lib/nfs/sm.bak
         if [ -f /var/lib/nfs/state ]; then
             chown statd /var/lib/nfs/state
         fi
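Review bot: The new `chown root:root /var/lib/nfs` body is indented with 16 spaces while the surrounding postinst steps by 4 (the `if` at 8, the existing `chown statd /var/lib/nfs/state` body at 12), so it should be `            chown root:root /var/lib/nfs` to match. Separately, `dpkg --compare-versions "$2" lt 1:1.3.4-2.1+deb9u1` also evaluates true when `$2` is empty on a fresh install, so the chown runs there too; that looks harmless because the freshly created directory is root-owned anyway, but if the block is meant to be an upgrade-only fixup, `lt-nl` states that intent, or a comment such as `# also runs on fresh install; harmless` documents it. The enclosing configure case starts outside this hunk.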
diff -Nru nfs-utils-1.3.4/debian/patches/series 
nfs-utils-1.3.4/debian/patches/series
--- nfs-utils-1.3.4/debian/patches/series       2016-12-17 11:47:35.000000000 
+0100
+++ nfs-utils-1.3.4/debian/patches/series       2020-06-24 10:18:19.000000000 
+0200
@@ -10,3 +10,4 @@
 unbreak-gssd-rpc_pipefs-run.patch
 28-nfs-utils_env-location.patch
 29-start-statd-fd-9.patch
+statd-take-user-id-from-var-lib-nfs-sm.patch
diff -Nru 
nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 
nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch
--- nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 
1970-01-01 01:00:00.000000000 +0100
+++ nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 
2020-06-24 10:17:56.000000000 +0200
@@ -0,0 +1,102 @@
+From: NeilBrown <ne...@suse.de>
+Date: Mon, 14 Oct 2019 14:12:49 -0400
+Subject: statd: take user-id from /var/lib/nfs/sm
+Origin: 
https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
+Bug: https://bugzilla.linux-nfs.org/show_bug.cgi?id=338
+Bug-Debian: https://bugs.debian.org/940848
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3689
+Bug: https://bugzilla.suse.com/show_bug.cgi?id=1150733
+
+Having /var/lib/nfs writeable by statd is not ideal
+as there are files in there that statd doesn't need
+to access.
+After dropping privs, statd and sm-notify only need to
+access files in the directories sm and sm.bak.
+So take the uid for these deamons from 'sm'.
+
+Signed-off-by: NeilBrown <ne...@suse.de>
+Signed-off-by: Steve Dickson <ste...@redhat.com>
+---
+ support/nsm/file.c        | 16 +++++-----------
+ utils/statd/sm-notify.man | 10 +++++++++-
+ utils/statd/statd.man     | 10 +++++++++-
+ 3 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/support/nsm/file.c b/support/nsm/file.c
+index 0b66f123165e..f5b448015751 100644
+--- a/support/nsm/file.c
++++ b/support/nsm/file.c
+@@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd)
+ 
+       (void)umask(S_IRWXO);
+ 
+-      /*
+-       * XXX: If we can't stat dirname, or if dirname is owned by
+-       *      root, we should use "statduser" instead, which is set up
+-       *      by configure.ac.  Nothing in nfs-utils seems to use
+-       *      "statduser," though.
+-       */
+-      if (lstat(nsm_base_dirname, &st) == -1) {
+-              xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
+-              return false;
+-      }
+-
+       if (chdir(nsm_base_dirname) == -1) {
+               xlog(L_ERROR, "Failed to change working directory to %s: %m",
+                               nsm_base_dirname);
+               return false;
+       }
+ 
++      if (lstat(NSM_MONITOR_DIR, &st) == -1) {
++              xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, 
NSM_MONITOR_DIR);
++              return false;
++      }
++
+       if (!prune_bounding_set())
+               return false;
+ 
+diff --git a/utils/statd/sm-notify.man b/utils/statd/sm-notify.man
+index cfe1e4b1dac8..addf5d3c028e 100644
+--- a/utils/statd/sm-notify.man
++++ b/utils/statd/sm-notify.man
+@@ -190,7 +190,15 @@ by default.
+ After starting,
+ .B sm-notify
+ attempts to set its effective UID and GID to the owner
+-and group of this directory.
++and group of the subdirectory
++.B sm
++of this directory.  After changing the effective ids,
++.B sm-notify
++only needs to access files in
++.B sm
++and
++.B sm.bak
++within the state-directory-path.
+ .TP
+ .BI -v " ipaddr " | " hostname
+ Specifies the network address from which to send reboot notifications,
+diff --git a/utils/statd/statd.man b/utils/statd/statd.man
+index 71d58461b5ea..6222701e38a8 100644
+--- a/utils/statd/statd.man
++++ b/utils/statd/statd.man
+@@ -259,7 +259,15 @@ by default.
+ After starting,
+ .B rpc.statd
+ attempts to set its effective UID and GID to the owner
+-and group of this directory.
++and group of the subdirectory
++.B sm
++of this directory.  After changing the effective ids,
++.B rpc.statd
++only needs to access files in
++.B sm
++and
++.B sm.bak
++within the state-directory-path.
+ .TP
+ .BR -v ", " -V ", " --version
+ Causes
+-- 
+2.25.1
+
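Review bot: The new `lstat(NSM_MONITOR_DIR, &st)` in nsm_drop_privileges drops the old XXX comment that recorded the root-owned-directory concern without adding a check for it: if `sm` is root-owned (for example after an upgrade that left its ownership unchanged), the daemon presumably keeps root's uid/gid once `st` is consumed later in the function, which continues outside this hunk. At minimum a one-line comment above the new lstat, such as `/* XXX: a root-owned sm leaves us running as root; no statduser fallback */`, would preserve that knowledge, and a check like `if (st.st_uid == 0) { xlog(L_ERROR, ...); return false; }` would fail loudly instead. Because lstat() does not follow symlinks, a symlinked `sm` yields the link's owner rather than the target's, the same behaviour the old base-directory check had, which is worth a note too. The postinst in this debdiff does chown `sm` to statd, so the packaged default is covered.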
