Bug 3939

Summary: nfs-utils possibly missing security update for CVE-2011-1749
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: anssi.hannula, sysadmin-bugs, tmb
Version: 1Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: nfs-utils-1.2.3-2.mga1.src.rpm CVE:
Status comment:

Description David Walser 2011-12-30 03:28:26 CET 
Mandriva issued this advisory on December 12:
http://lists.mandriva.com/security-announce/2011-12/msg00008.php

Their update applied to nfs-utils 1.2.2 from MDV 2010.2.

Mageia 1 has nfs-utils 1.2.3, so I'm not sure whether it is affected by this vulnerability.  There is no information on the CVE page.
Comment 1 Anssi Hannula 2011-12-30 05:30:43 CET 
Suggested advisory:
========================
Updated nfs-utils packages fix a security vulnerability:

It was found that the mount.nfs tool did not handle certain errors
correctly when updating the mtab (mounted file systems table) file. A local
attacker could use this flaw to corrupt the mtab file. (CVE-2011-1749)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1749
https://rhn.redhat.com/errata/RHSA-2011-1534.html
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:186
https://bugzilla.redhat.com/show_bug.cgi?id=697975
========================

Updated packages in core/updates_testing:
=====================
nfs-utils-1.2.3-2.1.mga1
nfs-utils-clients-1.2.3-2.1.mga1

from nfs-utils-1.2.3-2.1.mga1 src.rpm.
=====================

No testcase.

Keywords: (none) => Security
Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Hardware: i586 => All
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2011-12-31 19:51:25 CET 
Tested successfully on i586.

Tested nfs-utils by sharing a directory over NFS and mounting on another machine.
Tested nfs-utils-clients by mounting a directory shared by another machine over NFS.

One strange thing is after starting nfs-server it takes a couple of minutes before a remote client machine can list the contents of an NFS mounted directory from the server, but this is also true with the mga1/core/release version, so it is not a regression.
Comment 3 claire robinson 2012-01-13 14:53:15 CET 
x86_64

Looking at the logs, DrakNFS (which shows as diskdrake in the log) uses mount -t nfs rather than mount.nfs. As the CVE refers to mount.nfs testing with this directly instead.

Shared a directory on a separate machine with draknfs and restarted the nfs-server. Watching syslog I noticed..

Jan 13 12:54:02 localhost kernel: NFSD: starting 90-second grace period

..Which is probably the reason for the delay David noticed.



The following 2 packages are going to be installed:

- nfs-utils-1.2.3-2.1.mga1.x86_64
- nfs-utils-clients-1.2.3-2.1.mga1.x86_64

# umount /mnt/test
# mount.nfs 192.168.1.60:/home/claire/test /mnt/test -w -v -o rsize=8192,wsize=8192,nosuid,soft

mount.nfs: timeout set for Fri Jan 13 13:13:53 2012
mount.nfs: trying text-based options 'rsize=8192,wsize=8192,soft,vers=4,addr=192.168.1.60,clientaddr=192.168.1.110'
192.168.1.60:/home/claire/test on /mnt/test type nfs (rsize=8192,wsize=8192,nosuid,soft)

I took the command from the output of diskdrake but using mount.nfs instead

$ touch /mnt/test/touched2
$ ll /mnt/test
total 8
-rw-rw-r-- 1 4294967294 4294967294    2 Jan 13 12:21 test1
drwxrwxr-x 2 4294967294 4294967294 4096 Jan 13 13:03 test2/
-rw-rw-r-- 1 4294967294 4294967294    0 Jan 13 12:23 touched
-rw-rw-r-- 1 4294967294 4294967294    0 Jan 13 13:19 touched2

$ touch /mnt/test/test2/touched2
$ ll /mnt/test/test2
total 0
-rw-rw-r-- 1 4294967294 4294967294 0 Jan 13 13:03 touched
-rw-rw-r-- 1 4294967294 4294967294 0 Jan 13 13:20 touched2

Tested nfs-server using the same procedure from the other end.

This shows ownership as nobody/nogroup so not sure why it would show as 4294967294 the other way.

Other than that, no issues noticed.
Comment 4 claire robinson 2012-01-13 15:22:22 CET 
The above issue is not a regression and doesn't seem to affect it in use so I think it's safe to validate the security fix.

advisory:
========================
Updated nfs-utils packages fix a security vulnerability:

It was found that the mount.nfs tool did not handle certain errors
correctly when updating the mtab (mounted file systems table) file. A local
attacker could use this flaw to corrupt the mtab file. (CVE-2011-1749)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1749
https://rhn.redhat.com/errata/RHSA-2011-1534.html
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:186
https://bugzilla.redhat.com/show_bug.cgi?id=697975
========================

SRPM: nfs-utils-1.2.3-2.1.mga1.src.rpm



Could sysadmin please push from core/updates_testing to core/updates

Thankyou

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2012-01-14 15:14:33 CET 
update pushed

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED