Bug#963595: buster-pu: package nfs-utils/1:1.3.4-2.5+deb10u1

2020-07-01 Thread Salvatore Bonaccorso 
Hi Adam,

On Wed, Jul 01, 2020 at 09:07:19PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2020-06-24 at 10:14 +0200, Salvatore Bonaccorso wrote:
> > nfs-utils in buster is affected by CVE-2019-3689, cf. #940848 the fix
> > was now exposed for a while in unstable and I would like fix the
> > issue ass well in buster. I have picked those changes and adjusted
> > the version in the postinst accordingly.
> > 
> 
> Please go ahead.

Thanks for the review and acking it, have just uploaded.

Regards,
Salvatore

Bug#963595: buster-pu: package nfs-utils/1:1.3.4-2.5+deb10u1

2020-07-01 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Wed, 2020-06-24 at 10:14 +0200, Salvatore Bonaccorso wrote:
> nfs-utils in buster is affected by CVE-2019-3689, cf. #940848 the fix
> was now exposed for a while in unstable and I would like fix the
> issue ass well in buster. I have picked those changes and adjusted
> the version in the postinst accordingly.
> 

Please go ahead.

Regards,

Adam

Bug#963595: buster-pu: package nfs-utils/1:1.3.4-2.5+deb10u1

2020-06-24 Thread Salvatore Bonaccorso 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi SRM,

nfs-utils in buster is affected by CVE-2019-3689, cf. #940848 the fix
was now exposed for a while in unstable and I would like fix the issue
ass well in buster. I have picked those changes and adjusted the
version in the postinst accordingly.

Additionally I added the change to the Vcs fields in debian/control
but I can revert that if you don't want me to do it.

Attached is the debdiff, is this okay to have included in the next
buster point release?

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru nfs-utils-1.3.4/debian/changelog nfs-utils-1.3.4/debian/changelog
--- nfs-utils-1.3.4/debian/changelog2019-04-06 18:30:39.0 +0200
+++ nfs-utils-1.3.4/debian/changelog2020-06-24 09:54:47.0 +0200
@@ -1,3 +1,13 @@
+nfs-utils (1:1.3.4-2.5+deb10u1) buster; urgency=medium
+
+  * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
+  * Don't make /var/lib/nfs owned by statd.
+Only sm and sm.bak need to be accessible by statd or sm-notify after
+they drop privileges.
+  * debian/control: Point Vcs URLs to kernel-team namespace repository
+
+ -- Salvatore Bonaccorso   Wed, 24 Jun 2020 09:54:47 +0200
+
 nfs-utils (1:1.3.4-2.5) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru nfs-utils-1.3.4/debian/control nfs-utils-1.3.4/debian/control
--- nfs-utils-1.3.4/debian/control  2019-04-06 18:30:39.0 +0200
+++ nfs-utils-1.3.4/debian/control  2020-06-24 09:54:47.0 +0200
@@ -6,8 +6,8 @@
 Build-Depends: debhelper (>= 9.20160709), libwrap0-dev, libevent-dev, 
libnfsidmap-dev (>= 0.24), libkrb5-dev, libblkid-dev, libkeyutils-dev, 
pkg-config, libldap2-dev, libcap-dev, libtirpc-dev (>= 1.0.2), 
libdevmapper-dev, dh-autoreconf, libmount-dev, libsqlite3-dev
 Standards-Version: 4.2.1
 Homepage: http://linux-nfs.org/
-Vcs-Git: https://salsa.debian.org/debian/nfs-utils.git
-Vcs-Browser: https://salsa.debian.org/debian/nfs-utils
+Vcs-Git: https://salsa.debian.org/kernel-team/nfs-utils.git
+Vcs-Browser: https://salsa.debian.org/kernel-team/nfs-utils
 
 Package: nfs-kernel-server
 Architecture: any
diff -Nru nfs-utils-1.3.4/debian/nfs-common.postinst 
nfs-utils-1.3.4/debian/nfs-common.postinst
--- nfs-utils-1.3.4/debian/nfs-common.postinst  2019-04-06 18:30:39.0 
+0200
+++ nfs-utils-1.3.4/debian/nfs-common.postinst  2020-06-24 09:54:47.0 
+0200
@@ -21,9 +21,14 @@
 fi
 fi
 
+# Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be
+# accessible by statd or sm-notify after they drop privileges.
+# https://bugs.debian.org/940848 (CVE-2019-3689)
+if dpkg --compare-versions "$2" lt 1:1.3.4-2.5+deb10u1; then
+chown root:root /var/lib/nfs
+fi
 chown statd: /var/lib/nfs/sm \
-/var/lib/nfs/sm.bak \
-/var/lib/nfs
+/var/lib/nfs/sm.bak
 if [ -f /var/lib/nfs/state ]; then
 chown statd /var/lib/nfs/state
 fi
diff -Nru nfs-utils-1.3.4/debian/patches/series 
nfs-utils-1.3.4/debian/patches/series
--- nfs-utils-1.3.4/debian/patches/series   2019-04-06 18:30:39.0 
+0200
+++ nfs-utils-1.3.4/debian/patches/series   2020-06-24 09:54:47.0 
+0200
@@ -15,3 +15,4 @@
 fix-glibc2.28-ftbfs.patch
 0010-gssd-replace-non-thread-safe-strtok-with-strsep.patch
 0011-gssd-Duplicate-the-upcall-string-for-error-messages.patch
+statd-take-user-id-from-var-lib-nfs-sm.patch
diff -Nru 
nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 
nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch
--- nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 
1970-01-01 01:00:00.0 +0100
+++ nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 
2020-06-24 09:54:47.0 +0200
@@ -0,0 +1,102 @@
+From: NeilBrown 
+Date: Mon, 14 Oct 2019 14:12:49 -0400
+Subject: statd: take user-id from /var/lib/nfs/sm
+Origin: 
https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
+Bug: https://bugzilla.linux-nfs.org/show_bug.cgi?id=338
+Bug-Debian: https://bugs.debian.org/940848
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3689
+Bug: https://bugzilla.suse.com/show_bug.cgi?id=1150733
+
+Having /var/lib/nfs writeable by statd is not ideal
+as there are files in there that statd doesn't need
+to access.
+After dropping privs, statd and sm-notify only need to
+access files in the directories sm