Bug 25608

Summary: nfs-utils security update (CVE-2019-3689) : /var/lib/nfs/ is owned by statd ; if this is compromised, root access is possible
Product: Mageia
Reporter: Zombie Ryushu <zombie.ryushu>
Component: Security
Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: luigiwalser
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://linuxsecurity.com/advisories/deblts/debian-lts-dla-1965-1-nfs-utils-security-update-12-42-04
Whiteboard:
Source RPM: nfs-utils-2.3.4-3.mga7.src.rpm
CVE:
Status comment:

Description Zombie Ryushu 2019-10-24 18:10:35 CEST
Package        : nfs-utils
Version        : 1.2.8-9+deb8u1
CVE ID         : CVE-2019-3689
Debian Bug     : 940848
In the nfs-utils package, providing support files for Network File
System (NFS) including the rpc.statd daemon, the directory
/var/lib/nfs is owned by statd:nogroup.  This directory contains files
owned and managed by root.  If statd is compromised, it can therefore
trick processes running with root privileges into creating/overwriting
files anywhere on the system.

For Debian 8 "Jessie", this problem has been fixed in version
1.2.8-9+deb8u1.

We recommend that you upgrade your nfs-utils packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
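An added audit script, not part of the Debian advisory, of nfs-utils or of this bug report, for the ownership pattern the advisory describes: a directory owned by an unprivileged service account that holds root-owned files, so a compromised account can swap entries that root later writes through. The statd uid 108, the file names and the assumed "fixed" layout (root owns /var/lib/nfs, statd keeps only its sm/ subtree) are constructed; with the default arguments the same function inspects a live filesystem.

```python
import os
import stat
from collections import namedtuple

Finding = namedtuple("Finding", "directory path file_uid reason")
FakeStat = namedtuple("FakeStat", "st_uid st_gid st_mode")

def replace_reason(dir_st, actor_uid):
    """Why `actor_uid` may unlink/rename entries of a directory, else None."""
    # The directory owner can always remove entries, sticky bit or not;
    # anyone else needs a world-writable directory without the sticky bit.
    if dir_st.st_uid == actor_uid:
        return "actor owns the directory"
    if dir_st.st_mode & stat.S_IWOTH and not dir_st.st_mode & stat.S_ISVTX:
        return "directory is world-writable without the sticky bit"
    return None

def audit_tree(top, actor_uid, privileged_uid=0, walk=os.walk, lstat=os.lstat):
    """List files owned by `privileged_uid` that `actor_uid` could swap out."""
    # `walk` and `lstat` are injectable so the check can run over the
    # constructed layouts below; the defaults inspect the live filesystem.
    findings = []
    for dirpath, _subdirs, filenames in walk(top):
        reason = replace_reason(lstat(dirpath), actor_uid)
        if reason is None:
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            file_uid = lstat(path).st_uid
            if file_uid == privileged_uid:
                findings.append(Finding(dirpath, path, file_uid, reason))
    return findings

# Constructed layouts; uid 108 for statd and the file names are illustrative.
# VULNERABLE mirrors the advisory: /var/lib/nfs owned by statd yet holding a
# root-owned file. FIXED is the assumed remedy: root owns the directory.
STATD = 108

def layout(nfs_dir_uid):
    return {
        "/var/lib/nfs": FakeStat(nfs_dir_uid, 65534, stat.S_IFDIR | 0o755),
        "/var/lib/nfs/etab": FakeStat(0, 0, stat.S_IFREG | 0o644),
        "/var/lib/nfs/sm": FakeStat(STATD, 65534, stat.S_IFDIR | 0o700),
        "/var/lib/nfs/sm/state": FakeStat(STATD, 65534, stat.S_IFREG | 0o644),
    }

VULNERABLE, FIXED = layout(STATD), layout(0)

def fake_walk(_top):
    yield "/var/lib/nfs", ["sm"], ["etab"]
    yield "/var/lib/nfs/sm", [], ["state"]

def audit_layout(tree):
    return audit_tree("/var/lib/nfs", STATD, walk=fake_walk, lstat=tree.__getitem__)
```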
Zombie Ryushu 2019-10-24 18:56:21 CEST

Summary: Debian LTS: DLA-1965-1: nfs-utils security update => Debian LTS: DLA-1965-1: nfs-utils security update (CVE-2019-3689)

Comment 1 Lewis Smith 2019-10-24 22:00:10 CEST
Thank you for drawing this to our attention.
Bug title is re Debian LTS: DLA-1965-1

Assigning to Guillaume for nfs-utils, CC DavidW for security.

Summary: Debian LTS: DLA-1965-1: nfs-utils security update (CVE-2019-3689) => nfs-utils security update (CVE-2019-3689) : /var/lib/nfs/ is owned by statd ; if this is compromised, root access is possible
Component: RPM Packages => Security
CC: (none) => luigiwalser
QA Contact: (none) => security
Source RPM: nfs-utils => nfs-utils-2.3.4-3.mga7.src.rpm

Lewis Smith 2019-10-24 22:01:24 CEST

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2019-10-27 17:03:25 CET
Zombie, please provide a link to the advisory and don't copy and paste the text.

Lewis, I am the security group, so I already get the e-mails. You don't need to CC me.

Comment 3 David Walser 2019-10-27 17:14:09 CET
Advisory link from October 19:
https://www.debian.org/lts/security/2019/dla-1965

This is a Debian-specific issue.

Resolution: (none) => INVALID
Status: NEW => RESOLVED