Bug 440114 (CVE-2008-1376)

Summary: CVE-2008-1376 nfs-utils: missing tcp_wrappers support
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: coughlan, fleite, michele.marcionelli, mjc, rryder, security-response-team, skakar, steved, tao
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-23 16:47:18 UTC
Bug Depends On: 440119, 440120, 467312

Description Josh Bressers 2008-04-01 19:05:57 UTC
nfs-utils as built in Red Hat Enterprise Linux 5 is not built with TCP wrappers
support.

This means that anyone trying to protect their NFS service via TCP wrappers will
not be protected as they would expect.

Our documentation specifies that TCP wrappers should work:
http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s1-nfs-how.html
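
An added check, not part of the original report or of nfs-utils: it lists the daemons named in a hosts.allow-style file and reports any whose binary shows no sign of libwrap, which is the condition this bug describes. The `/usr/sbin/rpc.mountd` path mapping and the string heuristics in `has_wrappers` are assumptions.

```shell
#!/bin/sh
# Added example: flag daemons that have hosts.allow/hosts.deny rules but
# whose binary lacks TCP wrappers support, so the rules are never enforced.

# Print the daemon names used in rule file $1, one per line, sorted.
# Handles '#' comment lines, backslash continuations, comma/space lists and
# daemon@host forms. EXCEPT clauses are not interpreted (assumption).
rule_daemons() {
    awk '
        buf == "" && /^#/ { next }
        { buf = buf $0 }
        buf ~ /\\$/ { sub(/\\$/, " ", buf); next }
        {
            n = index(buf, ":")
            if (n > 1) {
                cnt = split(substr(buf, 1, n - 1), d, /[ \t,]+/)
                for (i = 1; i <= cnt; i++) { sub(/@.*/, "", d[i]); if (d[i] != "") print d[i] }
            }
            buf = ""
        }' "$1" | sort -u
}

# Succeed if stdin (ldd and/or strings output for one binary) shows a libwrap
# shared object, or the hosts_access symbol / hosts.allow path that a
# statically linked libwrap leaves behind. Heuristic, not proof.
has_wrappers() {
    grep -Eq 'libwrap\.so|hosts_access|/etc/hosts\.allow'
}

# Map a rule-file daemon name to a binary path (assumed RHEL-style layout).
daemon_path() {
    case "$1" in mountd) echo /usr/sbin/rpc.mountd ;; *) echo "/usr/sbin/$1" ;; esac
}

# Report, for every daemon named in rule file $1, whether its binary can
# honour the rules at all.
audit() {
    for d in $(rule_daemons "$1"); do
        [ "$d" = ALL ] && continue
        bin=$(daemon_path "$d")
        [ -f "$bin" ] || { echo "$d: binary not found ($bin)"; continue; }
        if { ldd "$bin" 2>/dev/null; strings "$bin" 2>/dev/null; } | has_wrappers
        then echo "$d: TCP wrappers support found"
        else echo "$d: rules present, but $bin shows no TCP wrappers support"
        fi
    done
}

if [ $# -gt 0 ]; then audit "$1"; fi
```

Run it as `sh script.sh /etc/hosts.allow` and again against `/etc/hosts.deny`; any "no TCP wrappers support" line marks rules that the daemon silently ignores.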

Comment 7 Josh Bressers 2008-07-31 15:04:35 UTC
Lifting embargo

Comment 8 Michele Marcionelli 2008-08-05 07:21:41 UTC
It seems that netgroups are not working; if I put in my hosts.allow file

mountd: hostname
- or -
mountd: ip-address

then I can mount, but if I have a netgroup, I can't... for instance

mountd: @selected_hosts

Can you confirm this behaviour?
Thx!!

Comment 9 Josh Bressers 2008-08-06 11:47:29 UTC
Please note that this bug should only be used for comments regarding the security flaw.  If you believe you are having other problems, please open a new bug.

Comment 10 Michele Marcionelli 2008-08-07 08:27:15 UTC
But I think that my comment #8 is a security problem, since netgroups with mountd are not working.

By the way: I found a quite old (2005) bugzilla report for the same problem (but for RHEL 4) -> https://bugzilla.redhat.com/show_bug.cgi?id=168383

Comment 12 Josh Bressers 2008-08-11 14:58:08 UTC
I've opened bug 458676 to track the broken netgroup bug.

Comment 13 Steve Dickson 2008-12-02 12:00:03 UTC

*** This bug has been marked as a duplicate of bug 440120 ***

Comment 14 Tomas Hoger 2009-04-08 13:54:53 UTC
A similar problem was introduced on Red Hat Enterprise Linux 4 in 4.7 nfs-utils-1.0.6-87.EL4.  This is planned to be addressed in the upcoming 4.8 errata.

nfs-utils packages in Red Hat Enterprise Linux 2.1 and 3 were never built with tcp_wrappers support and there's no plan to introduce tcp_wrappers support in those versions, as Red Hat Enterprise Linux 2.1 and 3 are now in the Production 3 Life Cycle Phase:
  http://www.redhat.com/security/updates/errata/

Comment 17 errata-xmlrpc 2009-05-18 20:06:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:0955 https://rhn.redhat.com/errata/RHSA-2009-0955.html

Comment 18 Vincent Danen 2010-12-23 16:47:18 UTC
This was also addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0486)