Bug 242696 - net-fs/nfs-utils >=1.0.9 <1.1.3 host_ctl access restriction bypass (CVE-2008-4552)
Bug#: 242696 (CVE-2008-4552)
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: craig@gentoo.org
Component: Vulnerabilities
URL: https://bugzilla.redhat.com/show_bug.cgi?id=458676
Status Whiteboard: B4 [glsa]
Opened: 2008-10-19 03:11 0000

CVE-2008-4552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4552):
nfs-utils 1.0.9, and possibly other versions before 1.1.3, invokes
the host_ctl function with the wrong order of arguments, which causes
TCP Wrappers to ignore netgroups and allows remote attackers to
bypass intended access restrictions.
Seems that 1.0.9 up to 1.1.2 is vulnerable, we should stabilize 1.1.4 and mask
the others, I guess.
net-fs, are there reasons why we have only 1.0.12-r1 and 1.1.0-r1 stable?
Is #235462 fixed in 1.1.4?
Mike, would you recommend stabilizing 1.1.3 or 1.1.4 for this bug?
For 1.1.4, bug 243066 might need fixing first.
Arches, please test and mark stable:
=net-fs/nfs-utils-1.1.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
# emerge -1av =net-fs/nfs-utils-1.1.3
These are the packages that would be merged, in order:
Calculating dependencies \
!!! All ebuilds that could satisfy "sys-libs/e2fsprogs-libs" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-libs/e2fsprogs-libs-1.41.3 (masked by: ~x86 keyword)
- sys-libs/e2fsprogs-libs-1.41.2 (masked by: ~x86 keyword)
- sys-libs/e2fsprogs-libs-1.41.1 (masked by: ~x86 keyword)
- sys-libs/e2fsprogs-libs-1.41.0 (masked by: ~x86 keyword)
should we take e2fsprogs-libs-1.41.1 (>30 days in the tree)?
I think e2fsprogs-libs have been around long enough to stabilize ... that said,
current versions of nfs-utils have an unstated depend on e2fsprogs-libs, so we
could in theory just drop the depend in 1.1.3 since it wouldn't be a regression
for stable ...
(In reply to comment #3)
> 1.1.3 should be fine
I am not sure if this should be moved to a new bug, but 1.1.3 seems to break
nfsroot under Gentoo. /etc/init.d/root fails to remount root filesystem in
read-write mode.
The command is the following: mount / -n -o remount,rw
and the result is: mount.nfs: Invalid argument
Any idea if the parameters somehow changed for 1.1.3 and if the root script
needs an update?
sparc stable
sorry for the delay, had to wait for portage-2.1.6 for e2fsprogs-libs
Ready for vote, I vote YES.