Bug#: 242696
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Craig (Security Padawan) <craig@haquarter.de>
Description:   Opened: 2008-10-19 03:11 0000
CVE-2008-4552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4552):
  nfs-utils 1.0.9, and possibly other versions before 1.1.3, invokes
  the host_ctl function with the wrong order of arguments, which causes
  TCP Wrappers to ignore netgroups and allows remote attackers to
  bypass intended access restrictions.

------- Comment #1 From Craig (Security Padawan) 2008-10-19 03:34:21 0000 -------
Seems that 1.0.9 up to 1.1.2 is vulnerable; we should stabilize 1.1.4 and mask
the others, I guess.
net-fs, are there reasons why we have only 1.0.12-r1 and 1.1.0-r1 stable?
Is #235462 fixed in 1.1.4?

------- Comment #2 From Robert Buchholz 2008-10-22 19:30:32 0000 -------
Mike, would you recommend on stabling 1.1.3 or 1.1.4 for this bug?
For 1.1.4, bug 243066 might need fixing first.

------- Comment #3 From SpanKY 2008-10-26 08:32:13 0000 -------
1.1.3 should be fine

------- Comment #4 From Robert Buchholz 2008-10-26 09:13:48 0000 -------
Arches, please test and mark stable:
=net-fs/nfs-utils-1.1.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

------- Comment #5 From Markus Meier 2008-10-26 18:33:06 0000 -------
# emerge -1av =net-fs/nfs-utils-1.1.3

These are the packages that would be merged, in order:

Calculating dependencies \
!!! All ebuilds that could satisfy "sys-libs/e2fsprogs-libs" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-libs/e2fsprogs-libs-1.41.3 (masked by: ~x86 keyword)
- sys-libs/e2fsprogs-libs-1.41.2 (masked by: ~x86 keyword)
- sys-libs/e2fsprogs-libs-1.41.1 (masked by: ~x86 keyword)
- sys-libs/e2fsprogs-libs-1.41.0 (masked by: ~x86 keyword)


should we take e2fsprogs-libs-1.41.1 (>30 days in the tree)?

------- Comment #6 From SpanKY 2008-10-26 20:10:51 0000 -------
i think e2fsprogs-libs have been around long enough to stabilize ... that said,
current versions of nfs-utils have an unstated depend on e2fsprogs-libs, so we
could in theory just drop the depend in 1.1.3 since it wouldn't be a regression
for stable ...

------- Comment #7 From Markus Meier 2008-10-27 20:07:51 0000 -------
amd64/x86 stable

------- Comment #8 From Markus Rothe 2008-10-30 17:36:34 0000 -------
ppc64 stable by ranger

------- Comment #9 From Jeroen Roovers 2008-10-30 18:41:34 0000 -------
Stable for HPPA.

------- Comment #10 From Tobias Scherbaum 2008-11-02 10:10:32 0000 -------
ppc stable

------- Comment #11 From Martin Bailey 2008-11-05 22:39:29 0000 -------
(In reply to comment #3)
> 1.1.3 should be fine

I am not sure if this should be moved to a new bug, but 1.1.3 seems to break
nfsroot under Gentoo. /etc/init.d/root fails to remount root filesystem in
read-write mode.
The command is the following: mount / -n -o remount,rw
and the result is: mount.nfs: Invalid argument
Any idea if the parameters somehow changed for 1.1.3 and if the root script
needs an update?

------- Comment #12 From Craig (Security Padawan) 2008-11-05 23:25:46 0000 -------
Maybe related: http://bugs.gentoo.org/show_bug.cgi?id=198601

------- Comment #13 From Raúl Porcel 2008-11-08 17:16:32 0000 -------
alpha/ia64 stable

------- Comment #14 From Craig (Security Padawan) 2008-11-30 16:33:55 0000 -------
sparc: *ping*

------- Comment #15 From Friedrich Oslage 2008-12-30 20:15:38 0000 -------
sparc stable

sorry for the delay, had to wait for portage-2.1.6 for e2fsprogs-libs

------- Comment #16 From Tobias Heinlein 2008-12-31 12:40:17 0000 -------
Ready for vote, I vote YES.

------- Comment #17 From Craig (Security Padawan) 2009-01-11 18:56:26 0000 -------
Yes, too. Request filed.

------- Comment #18 From Robert Buchholz 2009-03-07 16:25:30 0000 -------
GLSA 200903-06
