Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 242696 (CVE-2008-4552) - net-fs/nfs-utils >=1.0.9 <1.1.3 host_ctl access restriction bypass (CVE-2008-4552)
Summary: net-fs/nfs-utils >=1.0.9 <1.1.3 host_ctl access restriction bypass (CVE-2008-...
Alias: CVE-2008-4552
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2008-10-19 03:11 UTC by Stefan Behte (RETIRED)
Modified: 2009-03-07 16:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-19 03:11:06 UTC
CVE-2008-4552 (
  nfs-utils 1.0.9, and possibly other versions before 1.1.3, invokes
  the host_ctl function with the wrong order of arguments, which causes
  TCP Wrappers to ignore netgroups and allows remote attackers to
  bypass intended access restrictions.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-19 03:34:21 UTC
Seems that 1.0.9 up to 1.1.2 is vulnerable, we should stabilize 1.1.4 and mask the others, I guess.
net-fs, are there reasons why we have only 1.0.12-r1 and 1.1.0-r1 stable?
Is #235462 fixed in 1.1.4?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-22 19:30:32 UTC
Mike, would you recommend on stabling 1.1.3 or 1.1.4 for this bug?
For 1.1.4, bug 243066 might need fixing first.
Comment 3 SpanKY gentoo-dev 2008-10-26 08:32:13 UTC
1.1.3 should be fine
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-26 09:13:48 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Markus Meier gentoo-dev 2008-10-26 18:33:06 UTC
# emerge -1av =net-fs/nfs-utils-1.1.3

These are the packages that would be merged, in order:

Calculating dependencies \
!!! All ebuilds that could satisfy "sys-libs/e2fsprogs-libs" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-libs/e2fsprogs-libs-1.41.3 (masked by: ~x86 keyword)
- sys-libs/e2fsprogs-libs-1.41.2 (masked by: ~x86 keyword)
- sys-libs/e2fsprogs-libs-1.41.1 (masked by: ~x86 keyword)
- sys-libs/e2fsprogs-libs-1.41.0 (masked by: ~x86 keyword)

should we take e2fsprogs-libs-1.41.1 (>30 days in the tree)?
Comment 6 SpanKY gentoo-dev 2008-10-26 20:10:51 UTC
i think e2fsprogs-libs have been around long enough to stabilize ... that said, current versions of nfs-utils have an unstated depend on e2fsprogs-libs, so we could in theory just drop the depend in 1.1.3 since it wouldnt be a regression for stable ...
Comment 7 Markus Meier gentoo-dev 2008-10-27 20:07:51 UTC
amd64/x86 stable
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2008-10-30 17:36:34 UTC
ppc64 stable by ranger
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-30 18:41:34 UTC
Stable for HPPA.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-02 10:10:32 UTC
ppc stable
Comment 11 Martin Bailey 2008-11-05 22:39:29 UTC
(In reply to comment #3)
> 1.1.3 should be fine

I am not sure if this should be moved to a new bug, but 1.1.3 seems to break nfsroot under Gentoo. /etc/init.d/root fails to remount root filesystem in read-write mode.
The command is the following : mount / -n -o remount,rw
and the result is : mount.nfs: Invalid argument
Any idea if the parameters somehow changed for 1.1.3 and if the root script needs an update?
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-05 23:25:46 UTC
Maybe related:
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-11-08 17:16:32 UTC
alpha/ia64 stable
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 16:33:55 UTC
sparc: *ping*
Comment 15 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-30 20:15:38 UTC
sparc stable

sorry for the delay, had to wait for portage-2.1.6 for e2fsprogs-libs
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-31 12:40:17 UTC
Ready for vote, I vote YES.
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-11 18:56:26 UTC
Yes, too. Request filed.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 16:25:30 UTC
GLSA 200903-06