John Buswell discovered a flaw in redhat-config-nfs that could lead to incorrect permissions on exported shares when exporting to multiple hosts. This could cause an option such as "all_squash" to not be applied to all of the listed hosts. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0750 to this issue.

Additionally, a bug was found that prevented redhat-config-nfs from being run if hosts didn't have options set in /etc/exports.

Info:
https://rhn.redhat.com/errata/RHSA-2004-434.html
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107997

------- Additional Comments From marcdeslauriers 2004-09-22 13:56:24 ----

Need to check if rh9 and fc1 are vulnerable to this.

------- Additional Comments From marcdeslauriers 2004-09-22 17:44:26 ----

They are indeed vulnerable, must patch.

------- Additional Comments From marcdeslauriers 2004-09-22 18:33:46 ----

Here are updated packages to QA for rh9 and fc1. They fix CAN-2004-0750 and a few major functionality bugs.
rh9 Changelog:
* Thu Sep 23 2004 Marc Deslauriers <marcdeslauriers> 1.0.13-5.legacy
- rebuilt as Fedora Legacy security update to fix CAN-2004-0750
- revert desktop file to rh9 format

fc1 Changelog:
* Thu Sep 23 2004 Marc Deslauriers <marcdeslauriers> 1.1.3-2.legacy
- close properties dialog when clicking OK button
- handle /etc/exports missing gracefully
- fix incorrect syntax for multiple hosts with a single mount point CAN-2004-0750 (patch by Shannon Mitchell)
- don't barf on optionless hosts
- readonly is default

rh9:
0f7a70f06c62a187573e3894ae8fff214779ec92 redhat-config-nfs-1.0.13-5.legacy.noarch.rpm
d87293932391ab05d23910f3a0babad3190d8485 redhat-config-nfs-1.0.13-5.legacy.src.rpm

fc1:
6cfebc18e601bdf90b5d4eb90747affd5fd3808c redhat-config-nfs-1.1.3-2.legacy.noarch.rpm
1f0816df60b01039c6bcbafa3b331abf30d420ce redhat-config-nfs-1.1.3-2.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/redhat-config-nfs-1.0.13-5.legacy.noarch.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/redhat-config-nfs-1.0.13-5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/redhat-config-nfs-1.1.3-2.legacy.noarch.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/redhat-config-nfs-1.1.3-2.legacy.src.rpm

------- Additional Comments From rob.myers.edu 2004-09-23 04:31:12 ----

I did QA on the FC1 package:

1f0816df60b01039c6bcbafa3b331abf30d420ce redhat-config-nfs-1.1.3-2.legacy.src.rpm

- spec file looks good
- builds ok
- installs ok
- works ok
- source file identical to FC1 release
- i'm no python expert, but patches look ok

i tried to follow the rules at http://www.fedoralegacy.org/wiki/index.php/QaTesting but it's my first time so please let me know if i missed anything!
------- Additional Comments From josh.kayse.edu 2004-10-08 03:11:00 ----

I did QA on the FC1 package:

1f0816df60b01039c6bcbafa3b331abf30d420ce redhat-config-nfs-1.1.3-2.legacy.src.rpm

- spec file looked good
- builds ok
- installs ok
- runs ok
- source file identical to previous FC1 release
- patch files look ok

------- Additional Comments From byte.my 2004-10-18 02:59:30 ----

QA on the FC1 package performed

1f0816df60b01039c6bcbafa3b331abf30d420ce redhat-config-nfs-1.1.3-2.legacy.src.rpm

- spec file looks okay except for
  warning: File listed twice: /usr/share/redhat-config-nfs/pixmaps
  warning: File listed twice: /usr/share/redhat-config-nfs/pixmaps/redhat-config-nfs.png
- it builds okay
- it installs okay
- runs fine
- source file is identical to previous in FC1 release
- patches and python looks okay

Patch below "fixes" spec file warning. One last remainder error, it's getting late to fix...

warning: File listed twice: /usr/share/redhat-config-nfs/pixmaps/redhat-config-nfs.png

diff -urN redhat-config-nfs.spec~ redhat-config-nfs.spec - --- redhat-config-nfs.spec~ 2004-09-23 14:24:15.000000000 +1000 +++ redhat-config-nfs.spec 2004-10-18 22:36:49.000000000 +1000
@@ -60,7 +60,6 @@ %doc doc/* %{_bindir}/redhat-config-nfs %dir %{_datadir}/redhat-config-nfs - -%dir %{_datadir}/redhat-config-nfs/pixmaps %{_datadir}/redhat-config-nfs/* %attr(0644,root,root) %{_datadir}/applications/redhat-config-nfs.desktop %attr(0644,root,root) %{_datadir}/%{name}/pixmaps/redhat-config-nfs.png

------- Additional Comments From pekkas 2004-12-15 09:26:22 ----

Where can I find redhat-config-nfs-1.0.13.tar.bz2 to verify that its integrity is OK?

I suggest we just either: 1) stick to security fixes; 2) functionality fixes if they can be clearly backported with minimal patching; or 3) if creating a significant functionality increase go to a version the correctness of which is easily verifiable.

------- Additional Comments From marcdeslauriers 2004-12-15 12:43:33 ----

In response to comment #7:

You can find the original tarball in the update Red Hat released for RHEL3:
https://rhn.redhat.com/errata/RHSA-2004-434.html

By the way, it IS a security fix.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0750

Sorry for not mentioning where the source came from. I didn't think it would be difficult to find.

------- Additional Comments From pekkas 2004-12-15 20:04:41 ----

I couldn't find it with google, sorry ;-)

Yes, I wasn't refuting this didn't include a security fix, it just included a lot of other stuff as well.

QA on the SRPM w/ rpm-build-compare.sh
- sources match the ones provided in RHEL3 update
- spec file changes are reasonable
  * python-tools buildrequires was removed, but that's OK because it's not needed.
- desktop file patch verified
- rebuilds OK.
+PUBLISH (RH9)

d87293932391ab05d23910f3a0babad3190d8485 redhat-config-nfs-1.0.13-5.legacy.src.rpm

------- Additional Comments From dom 2005-02-03 13:30:11 ----

packages pushed to updates-testing

------- Additional Comments From S.J.Thompson.ac.uk 2005-02-08 00:51:32 ----

RPM 0935165a66653b8c546713178b975e55119717fe redhat-config-nfs-1.0.13-5.legacy.noarch.rpm

These packages don't appear to fix the security problem (at least under RH9). i.e. if I start the tool, create a new share which is "Read Only", exported to "host1 host2" and has the option "Treat all clients as anonymous users" set, I get the following in my /etc/exports file:

/sample/directory host1 host2(ro,sync,all_squash)

I would _expect_ to get:

/sample/directory host1(ro,sync,all_squash) host2(ro,sync,all_squash)

i.e. the options are only being applied to the _last_ host.

Package does NOT appear to resolve security issue in Comment #1. (The bug where redhat-config-nfs won't run if there are no options is fixed though).

------- Additional Comments From S.J.Thompson.ac.uk 2005-02-08 00:53:00 ----

Actually not Comment #1 but Description

------- Additional Comments From pekkas 2005-02-08 07:18:54 ----

Could you double-check which version of the tool you were running? The patch is applied in the RPM, the patch is functionally identical to upstream bugzilla (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107997) and identical to what was shipped in the RHEL3 update. If their patch was broken,... well.. that can happen, of course.

I'll try to remember to test this myself.

------- Additional Comments From S.J.Thompson.ac.uk 2005-02-08 08:00:04 ----

% rpm -q redhat-config-nfs
redhat-config-nfs-1.0.13-5.legacy

I'll check on one of our boxes that is actually running RHEL3 and see if it's fixed on that.
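Review bot: the last context line of the redhat-config-nfs.spec hunk (@@ -60,7 +60,6 @@, posted with the 2004-10-18 QA comment), "%attr(0644,root,root) %{_datadir}/%{name}/pixmaps/redhat-config-nfs.png", still lists a file that the "%{_datadir}/redhat-config-nfs/*" glob two lines above it already covers, assuming %{name} expands to redhat-config-nfs as the warning path suggests. Removing the "%dir .../pixmaps" entry only clears the directory warning, which matches the one "File listed twice" warning the poster says remains. To clear that one as well, list the png once: either drop the explicit %attr line if the attributes the glob gives the file are acceptable, or narrow the glob so it no longer picks up pixmaps/.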
------- Additional Comments From marcdeslauriers 2005-02-08 13:30:18 ----

Can someone else try this...I just did and it worked ok for me...

------- Additional Comments From pekkas 2005-02-08 22:20:24 ----

Worked for me as well. Maybe you accidentally typed something else than space in the tab or something?

I picked read-only, anonymous, and exported "/" to "host1 host", and the result was:

# more /etc/exports
/ host1(ro,sync,all_squash)
/ host2(ro,sync,all_squash)

Did you try removing /etc/exports before doing this?

------- Additional Comments From S.J.Thompson.ac.uk 2005-02-08 23:13:43 ----

OK if you remove /etc/exports then the issue is fixed. i.e. if you create a *new* exported share however if you edit an existing share and add another host then the problem still appears to exist.

------- Additional Comments From pekkas 2005-02-09 00:15:28 ----

Yes, I tested this as well. The patch is IMHO incomplete; it does not handle 'properties' at all. This is not fixed in the latest CVS version either.

I don't know much of python, but I tried a few ways to fix this, but it wouldn't work properly. Maybe the correct fix will be to remove being able to edit the "hosts" line in 'edit' mode; otherwise the code will have to deduct which subset of the hosts you added (or removed), and add those to the list and apply the changes to the all.

I suggest you reopen the Red Hat bug report, and we'll see how that develops.

------- Additional Comments From S.J.Thompson.ac.uk 2005-02-10 23:20:51 ----

I have confirmed that the problem exists in RHEL 3 still - didn't think it wouldn't as the FL patch is the same, but I had to check.

I've attached a note to the RHEL bugzilla entry.

Is it still worth pushing this updated package out as it partially resolves the security problem?
------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2086 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2086
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
For some reason, the tag for FC1 appears to be '-core1' not '-fc1'..
Adding "discuss" tag as we may need to discuss whether to ship incomplete fix (but the same as RHEL) or wait for a better one..
Created attachment 116722
Patch for properties window

This patch looks for multiple hosts in the properties field. If it finds them, it replaces the original entry with separate entries for each host. I don't think we want more than one host on a line because there's no guarantee they'll have the same properties if the file is edited outside redhat-config-nfs.
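An added example, not part of this thread or of the redhat-config-nfs patches: a Python check for the pattern reported above, where one host on an /etc/exports line has no option list while another host on the same line does, plus a rewrite to one host per line as the attachment describes. The function names, the `inherit` flag and the sample file are assumptions made for the example; quoted paths and backslash line continuations are not handled.

```python
import re

# Constructed sample; the first entry is the line quoted in the thread.
SAMPLE = """\
# /etc/exports (constructed for this example)
/sample/directory host1 host2(ro,sync,all_squash)
/srv/ok host3(ro,sync) host4(rw,sync)
/srv/bare host5
"""

SPEC_RE = re.compile(r'([^()]*)(?:\(([^()]*)\))?')  # host, then optional (opts)


def parse_exports(text):
    """Yield (lineno, path, [(host, opts_or_None), ...]) per export entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            if m is None:
                raise ValueError(f'line {lineno}: cannot parse {spec!r}')
            clients.append((m.group(1), m.group(2)))  # opts None = defaults
        yield lineno, path, clients


def find_uneven_options(text):
    """Return (lineno, path, bare_hosts) where only some hosts carry options."""
    findings = []
    for lineno, path, clients in parse_exports(text):
        bare = [host for host, opts in clients if opts is None]
        if bare and len(bare) < len(clients):
            findings.append((lineno, path, bare))
    return findings


def one_host_per_line(text, inherit=False):
    """Rewrite each entry as one line per host.

    With inherit=True a host without options takes those of the next host
    to its right that has some (the layout the tool wrote); otherwise it
    stays bare so the gap remains visible for review.
    """
    out = []
    for _, path, clients in parse_exports(text):
        fixed, right = [], None
        for host, opts in reversed(clients):
            if opts is None and inherit:
                opts = right
            right = opts
            fixed.append(f'{path} {host}' + (f'({opts})' if opts is not None else ''))
        out.extend(reversed(fixed) if fixed else [path])
    return out


if __name__ == '__main__':
    for lineno, path, bare in find_uneven_options(SAMPLE):
        print(f'line {lineno}: {path}: default options apply to {", ".join(bare)}')
    print('\n'.join(one_host_per_line(SAMPLE, inherit=True)))
```

Run against a copy of /etc/exports, the finder is a quick audit for entries written by an unpatched tool; review the inherited options before installing any rewritten file.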
Thanks. Could folks test this w/ this patch to see if it works around the bug? I don't have access to X-enabled linux right now. If so, I can remove the discuss tag and we need to respin the packages..
++VERIFY for RHL 9

RHL 9 Packages: redhat-config-nfs-1.0.13-5.legacy.noarch.rpm

SHA1 checksum matches. Signatures verify okay.

I first tested the original RH9 version and saw indeed it didn't work if /etc/exports didn't exist, and that it did indeed generate the wrong entries when given an empty /etc/exports file.

I then upgraded to the FL update, and re-ran the tests. This time, it did work without a pre-existing /etc/exports file, and did generate the expected results for multiple host entries.

I did not test the case of editing an existing rule, only of creating new rules in an empty or missing /etc/exports file. If there is a problem with the existing rules, I vote to publish anyway and just put a note in the release advisory about that issue. This fixes two major problems, and it is worth pushing even if there is still a third problem, as long as we document any such third problem.

Vote for release for RHL 9. ++VERIFY
I've tested John's patch and it appears to be working OK. The problem still persists in the latest upstream package; could someone try reporting it to the authors?

In any case, I don't think this should stop us from finally proceeding. I've created new packages which include this patch:

http://www.netcore.fi/pekkas/linux/redhat-config-nfs-1.0.13-6.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkas/linux/redhat-config-nfs-1.1.3-3.legacy.src.rpm (FC1)
http://www.netcore.fi/pekkas/linux/system-config-nfs-1.2.3-3.legacy.src.rpm (FC2)

ecb9560fc13e87d28c12594575364fa63174baee redhat-config-nfs-1.0.13-6.legacy.src.rpm
a2440633bdb2ba9fda137bc256928e9745c77a5d redhat-config-nfs-1.1.3-3.legacy.src.rpm
91ad6111c9f16818988ef24129303efe6731a099 system-config-nfs-1.2.3-3.legacy.src.rpm

* Wed Jul 27 2005 Pekka Savola <pekkas> 1.1.3-3.legacy
- Patch from John Dalbec to completely fix CAN-2004-0750 (#152787)
QA for FC1 package:

a2440633bdb2ba9fda137bc256928e9745c77a5d redhat-config-nfs-1.1.3-3.legacy.src.rpm

* All previous patches and tarball the same to redhat-config-nfs-1.1.3-2.legacy.src.rpm.
* All signatures are good
* Patch looks okay. Though I don't know Python really well, this new patch to function on_edit_button_clicked looks very similar to what the multiple-hosts.patch file did to function on_add_button_clicked.
* Built just fine.
* Installs fine.
* It runs.

PUBLISH++ FC1
Thanks. Still needs publishes for the other distros.
QA for FC2 package, submitted in comment #6.

91ad6111c9f16818988ef24129303efe6731a099 system-config-nfs-1.2.3-3.legacy.src.rpm

Contents of the .src.rpm:
  698 Jul 27 01:43 nfs-fc2-CAN-2004-0750-complete.patch
  87853 Apr 8 2004 system-config-nfs-1.2.3.tar.bz2
  7652 Jul 27 01:43 system-config-nfs.spec

I compared the patched sources of FC1's redhat-config-nfs-1.1.3-3.legacy.src.rpm to the unpatched sources from FC2's system-config-nfs-1.2.3-3.legacy.src.rpm. I could find no evidence that any part of the patches for CAN-2004-0750 ever made it into FC2's source tarball, dated 8-Apr-2004, listed above. However, it appears that the FC2 .src.rpm assumes that all the other patches *did* make it into that tarball, with the only patch needed being John Dalbec's additional patch. I don't think that's the only patch needed.

Grepping all Fedora errata emails from 2004 and 2005 for the string "CAN-2004-0750" yielded no matches. FC2's original system-config-nfs package appears to never have had any part of CAN-2004-0750 patch applied.

We're going to need to include (perhaps forward-port?) the other patch files, included in FC1's redhat-config-nfs:
  385 Sep 22 2004 redhat-config-nfs-1.0.13-dialogclose.patch
  1006 Sep 22 2004 redhat-config-nfs-1.0.13-exportsmissing.patch
  1424 Sep 22 2004 redhat-config-nfs-1.0.13-multiple-hosts.patch
  4268 Sep 22 2004 redhat-config-nfs-1.0.13-optionless.patch

Until then, PUBLISH FC2--
OK, here's a new RPM which includes the same patches Marc included in FC1. Available at:

http://www.netcore.fi/pekkas/linux/system-config-nfs-1.2.3-4.legacy.src.rpm

62c0839b4d6751403f72e51ca33de28961b83f0b system-config-nfs-1.2.3-4.legacy.src.rpm
Created attachment 119518
Suggested system-config-nfs-1.2.3-exportsmissing.patch

The .src.rpm looks good, except there was a piece missing from the exportsmissing patch. Attached is the patch with the piece put back in.

0544f2e65c3493737d0e6471e14fdbd41119cb07 system-config-nfs-1.2.3-exportsmissing.patch

Let me know what you think?
Here's a new RPM which includes an updated "system-config-nfs-1.2.3-exportsmissing.patch" file. Available at:

http://fedoralegacy.org/contrib/system-config-nfs/system-config-nfs-1.2.3-5.legacy.src.rpm

8f4d6cba6ba6c98509062d94d7234808ba63e00a system-config-nfs-1.2.3-5.legacy.src.rpm
The patch addition was OK (it was indeed missing), there weren't other changes in the package.

+PUBLISH FC2

8f4d6cba6ba6c98509062d94d7234808ba63e00a system-config-nfs-1.2.3-5.legacy.src.rpm
QA for RH9 package:

ecb9560fc13e87d28c12594575364fa63174baee redhat-config-nfs-1.0.13-6.legacy.src.rpm

* All previous patches and tarball the same to redhat-config-nfs-1.0.13-5.legacy.src.rpm.
* All signatures are good
* New Patch looks good.
* All patches apply cleanly.

PUBLISH++ RH9
Packages were pushed to updates-testing
QA for RHL9. Signatures OK, installs OK. Generates good exports files, also modification is OK. rpm-build-compare.sh on the binaries looks sane.

+VERIFY RHL9

Timeout in 4 weeks.
QA for FC1.

376cd7a13d85877976d606a2a8dc57e5a9de1766 redhat-config-nfs-1.1.3-3.legacy.noarch.rpm
at http://download.fedoralegacy.org/fedora/1/updates-testing/i386/redhat-config-nfs-1.1.3-3.legacy.noarch.rpm

* sha1sums okay
* signatures okay
* installs fine
* runs fine
* rpm-build-compare.sh on one I built and this one looks good.

FC1 VERIFY++
$ cat <comment #17> | \
  awk '/e1766/ { x = $0; getline; print x " " $0 ; getline; } {print;}' | \
  gpg --verify

to verify my last post.
Timeout over.
Packages were released.