Your message dated Sat, 17 Jul 2010 20:48:05 +0000
with message-id <[email protected]>
and subject line Bug#583435: fixed in rpcbind 0.2.0-4.1
has caused the Debian Bug report #583435,
regarding CVE-2010-2061 rpcbind: Insecure handling of state files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
583435: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583435
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rpcbind
Version: 0.2.0-4
Severity: serious
Tags: security
Hi!
The rpcbind daemon, which runs as root, uses /tmp/portmap.xdr and
/tmp/rpcbind.xdr for doing warm starts as what seems to be a way to
preserve state between invocations. It parses (through libtirpc) and
removes them on start. It creates them before exiting.
So first off, *any* user can craft those two files before the daemon
has started for the first time, which the daemon will parse. This might
be ok, depending on the checks done on parse, I'd still be very wary of
letting a user be able to craft such files at will.
The second problem is that those files get created by the daemon on
shutdown, and they *do* follow symlinks. So a user can drop two symlinks
there while the daemon is running and overwrite any file on the file
system on shutdown.
The fix would consist of passing to configure something like
“--with-statedir=/var/cache/rpcbind”, and make sure the daemon creates
such directory if missing on exit in src/warmstart.c:write_struct(),
which it does not seem to be doing currently.
In addition it would be wise to notify upstream to change the default
statedir to something other than /tmp.
thanks,
guillem
--- End Message ---
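The fix proposed in the report above (a dedicated state directory that the daemon creates if missing, plus a write that does not follow symlinks), sketched as an added example; this is not rpcbind's or Debian's code. The function names ensure_statedir and write_state_file are hypothetical, and the sketch assumes the state directory's parent is writable only by root.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create dir if missing, then check that it is a real directory (not a
 * symlink), owned by us, and not writable by group or other. */
static int ensure_statedir(const char *dir)
{
    struct stat st;

    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(dir, &st) != 0)            /* lstat: a symlinked dir is rejected */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;                       /* e.g. /tmp fails this check */
    return 0;
}

/* Write buf to dir/name without writing through a symlink planted there. */
int write_state_file(const char *dir, const char *name,
                     const void *buf, size_t len)
{
    char path[4096];
    int fd, r;
    ssize_t n;

    if (ensure_statedir(dir) != 0)
        return -1;
    r = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (r < 0 || r >= (int)sizeof path)
        return -1;
    if (unlink(path) != 0 && errno != ENOENT)  /* removes a link, not its target */
        return -1;
    /* O_EXCL fails if anything reappeared at path; O_NOFOLLOW refuses a symlink. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    n = write(fd, buf, len);
    if (close(fd) != 0 || n != (ssize_t)len) {
        unlink(path);
        return -1;
    }
    return 0;
}
```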
--- Begin Message ---
Source: rpcbind
Source-Version: 0.2.0-4.1
We believe that the bug you reported is fixed in the latest version of
rpcbind, which is due to be installed in the Debian FTP archive:
rpcbind_0.2.0-4.1.debian.tar.bz2
to main/r/rpcbind/rpcbind_0.2.0-4.1.debian.tar.bz2
rpcbind_0.2.0-4.1.dsc
to main/r/rpcbind/rpcbind_0.2.0-4.1.dsc
rpcbind_0.2.0-4.1_i386.deb
to main/r/rpcbind/rpcbind_0.2.0-4.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <[email protected]> (supplier of updated rpcbind package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 17 Jul 2010 21:47:56 +0200
Source: rpcbind
Binary: rpcbind
Architecture: source i386
Version: 0.2.0-4.1
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <[email protected]>
Changed-By: Stefan Fritsch <[email protected]>
Description:
rpcbind - converts RPC program numbers into universal addresses
Closes: 583435
Changes:
rpcbind (0.2.0-4.1) unstable; urgency=high
.
* Non-maintainer upload by the security team.
* CVE-2010-2061: Store state files in /var/run/rpcbind instead of /tmp.
Closes: #583435
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFMQhDhbxelr8HyTqQRAh/xAJ4g8SDQ++z2olVYzAT8mzWaHsueXwCfaidv
V3khWtQ/z1mOOXBnOiydmxI=
=q3Ew
-----END PGP SIGNATURE-----
--- End Message ---