Description of problem:

    struct dqblk {
        u_int32_t dqb_bhardlimit;  /* absolute limit on disk blks alloc */
        u_int32_t dqb_bsoftlimit;  /* preferred limit on disk blks */
        u_int32_t dqb_curblocks;   /* current block count */
        u_int32_t dqb_ihardlimit;  /* maximum # allocated inodes */
        u_int32_t dqb_isoftlimit;  /* preferred inode limit */
        u_int32_t dqb_curinodes;   /* current # allocated inodes */
        time_t dqb_btime;          /* time limit for excessive disk use */
        time_t dqb_itime;          /* time limit for excessive files */
    };

    struct rquota {
        int rq_bsize;
        bool_t rq_active;
        u_int rq_bhardlimit;
        u_int rq_bsoftlimit;
        u_int rq_curblocks;
        u_int rq_fhardlimit;
        u_int rq_fsoftlimit;
        u_int rq_curfiles;
        u_int rq_btimeleft;
        u_int rq_ftimeleft;
    };

rquota_server.c line 171 has the following memcpy:

    memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
           (caddr_t *)&dq_dqb, sizeof(struct dqblk));

The goal of the memcpy is to copy the 8 fields from struct dqblk to the last 8 fields of the struct rquota. That is, 6 ints and 2 time_t's get copied to 8 ints. On 32 bit machines, that's ok (but ugly) since a time_t is also a 32 bit value; on 64 bit machines time_t is 64 bit though, thus buffer overflowing the stack.

My analysis of this issue says it may be possible for a remote NFS user to exploit this, but it won't be easy. In order to exploit this issue, the attacker has to control the time they poll rquotad to a very precise interval, which could lead to a 16 byte overflow on a 64 bit system. The ability to execute anything of value in those 16 bytes is questionable, since ideally the attacker doesn't have unrestricted access to the server. In theory the attacker will be able to control 64 total bytes of data.

This issue should also affect FC3.
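As an added illustration (not code from the report or from nfs-utils), the following reproduces the two layouts quoted above, computes how many bytes the original sizeof(struct dqblk) memcpy would write past the end of struct rquota on the compiling platform, and shows the field-by-field assignment approach the FC3 changelog describes as the fix. bool_t is replaced by int here to avoid the RPC headers; the sample quota values in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Layouts as quoted in the report; bool_t replaced by int (same width). */
struct dqblk {
    uint32_t dqb_bhardlimit, dqb_bsoftlimit, dqb_curblocks;
    uint32_t dqb_ihardlimit, dqb_isoftlimit, dqb_curinodes;
    time_t   dqb_btime;   /* 4 bytes on 32-bit, 8 bytes on 64-bit */
    time_t   dqb_itime;
};

struct rquota {
    int      rq_bsize;
    int      rq_active;
    unsigned rq_bhardlimit, rq_bsoftlimit, rq_curblocks;
    unsigned rq_fhardlimit, rq_fsoftlimit, rq_curfiles;
    unsigned rq_btimeleft, rq_ftimeleft;
};

/* Bytes that memcpy(&rq_bhardlimit, &dq_dqb, sizeof(struct dqblk))
 * would write past the end of struct rquota on this platform. */
size_t overflow_bytes(void)
{
    size_t dst = sizeof(struct rquota) - offsetof(struct rquota, rq_bhardlimit);
    size_t src = sizeof(struct dqblk);
    return src > dst ? src - dst : 0;
}

/* Explicit per-field assignment, as the FC3 changelog describes.
 * Each time_t is narrowed to the 32-bit wire field deliberately and visibly. */
void fill_rquota(struct rquota *rq, const struct dqblk *dq)
{
    rq->rq_bhardlimit = dq->dqb_bhardlimit;
    rq->rq_bsoftlimit = dq->dqb_bsoftlimit;
    rq->rq_curblocks  = dq->dqb_curblocks;
    rq->rq_fhardlimit = dq->dqb_ihardlimit;
    rq->rq_fsoftlimit = dq->dqb_isoftlimit;
    rq->rq_curfiles   = dq->dqb_curinodes;
    rq->rq_btimeleft  = (unsigned)dq->dqb_btime;
    rq->rq_ftimeleft  = (unsigned)dq->dqb_itime;
}

int main(void)
{
    struct dqblk dq = { 100000, 90000, 12345, 0, 0, 42, 604800, 0 }; /* constructed */
    struct rquota rq = { 1024, 1, 0, 0, 0, 0, 0, 0, 0, 0 };
    fill_rquota(&rq, &dq);
    printf("sizeof(time_t)=%zu, memcpy would overflow by %zu bytes\n",
           sizeof(time_t), overflow_bytes());
    printf("hard=%u soft=%u cur=%u btime=%u\n",
           rq.rq_bhardlimit, rq.rq_bsoftlimit, rq.rq_curblocks, rq.rq_btimeleft);
    return 0;
}
```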
Lifting embargo, ping on this issue?
[Bulk move of FC2 bugs to Fedora Legacy. See <http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]
This appears to be fixed in FC3 -- I think it's nfs-utils-1.0.6-rquotad-overflow.patch and this changelog entry:

    * Sat Nov 20 2004 Steve Dickson <SteveD>
    - Replaced a memcopy with explicit assignments in getquotainfo() of rquotad
      to fix potential overflow that can occur on 64bit machines. (bz 138068)

Not sure if the bugzilla number there is a typo and meant to refer to this one, since bug #138068 is restricted. Anyway, the nfs-utils update in FC2 updates/testing does *not* appear to address this. (It jumps straight past all of the updates FC3 got between May 18 and Dec 02 -- some of the changes there might not be good for FC2, but some of them, like this one, appear to be worth fixing.)
bz 138068 is not a typo... I'm not sure why it's restricted but it is definitely a valid bz number... The nfs-utils-1.0.6-46 is the correct rpm version. Please ensure you are using that version or a higher version.
FC3 updates has nfs-utils-1.0.6-52 -- would it be appropriate to jump to that for FC2 too? Thanks for your help.
This issue probably affects other FL releases also.
I've created updated packages to fix this issue.

http://www.cs.ucsb.edu/~jeff/legacy/nfs-utils/

rh73: ef642e4180ce73bed914ee79ef605d8770e661f6 nfs-utils-0.3.3-6.73.2.legacy.src.rpm
rh9:  e5d89b25526783659b54fd0dd85b4a89d51a57c3 nfs-utils-1.0.1-3.9.2.legacy.src.rpm
fc1:  af024e6fcd8c853798b9880aa0b960c06a34e5f9 nfs-utils-1.0.6-1.2.legacy.src.rpm
fc2:  af76cee72b6f9ce6d0fb062471ecc376f41ba2ee nfs-utils-1.0.6-22.1.legacy.src.rpm

The rh73 patch comes from RHEL2, the rest use the RHEL3 patch.
Does this also fix the following? CVE-2004-1014 statd in nfs-utils 1.257 and earlier does not ignore the SIGPIPE signal, which allows remote attackers to cause a denial of service (server process crash) via a TCP connection that is prematurely terminated. http://www.redhat.com/support/errata/RHSA-2005-014.html
The rh73, rh9, and fc1 packages are already patched for CVE-2004-1014, see bug #152871. The fc2 package was not patched, so I have created a new package for fc2:

http://www.cs.ucsb.edu/~jeff/legacy/nfs-utils/nfs-utils-1.0.6-22.2.legacy.src.rpm

ae2c6b29fb9442153f7825d755d0d11cd0e25de9 nfs-utils-1.0.6-22.2.legacy.src.rpm
QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches have identical SHA1sums with those from RHEL

+PUBLISH RHL73, RHL9, FC1, FC2

ef642e4180ce73bed914ee79ef605d8770e661f6 nfs-utils-0.3.3-6.73.2.legacy.src.rpm
e5d89b25526783659b54fd0dd85b4a89d51a57c3 nfs-utils-1.0.1-3.9.2.legacy.src.rpm
af024e6fcd8c853798b9880aa0b960c06a34e5f9 nfs-utils-1.0.6-1.2.legacy.src.rpm
ae2c6b29fb9442153f7825d755d0d11cd0e25de9 nfs-utils-1.0.6-22.2.legacy.src.rpm
Isn't this a 64-bit only issue? Why are we fixing this?
Are we not going to be supporting 64-bit for any of the FC's?
Packages were released to updates-testing.
New policy: automatic accept after two weeks if no negative feedback.
I performed QA on the following packages:

rh73: fc563f70e9f2b5eeafb51b9444469689185ef504 nfs-utils-0.3.3-6.73.2.legacy.i386.rpm
rh9:  45c4f3a310d3090271f0d0798cae1e3148ab8299 nfs-utils-1.0.1-3.9.2.legacy.i386.rpm
fc1:  1c96ae93420683ad79b675b205ecb5d6ddb61ef4 nfs-utils-1.0.6-1.2.legacy.i386.rpm
fc2:  2063735e17273d7967c8fa1f3649ab86921c910e nfs-utils-1.0.6-22.2.legacy.i386.rpm

I mounted an ext3 partition and set a 100000 block hard quota. I then mounted the partition from a fc4 machine over NFS. I was unable to go past the hard quota, and I was able to view the quota remotely using "quota <username>".

+VERIFY rh73,rh9,fc1,fc2
Thanks!
Packages tested:

1c96ae93420683ad79b675b205ecb5d6ddb61ef4 nfs-utils-1.0.6-1.2.legacy.i386.rpm

- SHA1 checksum and GPG signature verified.
- Package installed cleanly.
- Minimal testing of utility binaries showed they run cleanly, although the FC1 box I run exports no NFS mounts.

+VERIFY FC1
Updates were released.