Bug 64002 (CVE-2004-1014)

Summary:	VUL-0: CVE-2004-1014: rpc.statd DoS
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Marcus Meissner <meissner>
Component:	Incidents	Assignee:	Ludwig Nussel <lnussel>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	lnussel, postadal, ro, security-team
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	CVE-2004-1014: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	patch patch ported to 1.0.1 nfs-utils.patch.maintained nfs-utils.patch.box

Description Ludwig Nussel 2004-12-07 21:51:54 UTC

We missed the following report from vendor-sec.
The issue is public meanwhile.

Date: Mon, 22 Nov 2004 10:21:42 -0500
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] DoS in nfs-utils statd

Hello,

SGI has reported to us a DoS in statd.

statd doesn't properly ignore SIGPIPE, which means a misconfigured or
malicious peer could shut it down.  It also has several printf
formatting problems (like passing only one argument to a routine with
two or three format specifiers).

The printf formatting problems don't appear to be security related, but do
clarify the code a bit.

The current embargo date for this issue is 2004-12-01 1400UTC.

-- 
    JB

diff -prauN --exclude-from=excludes nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/monitor.c nfs-utils-work/nfs-utils-1.0.6/utils/statd/monitor.c
--- nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/monitor.c	Fri Sep 12 15:41:35 2003
+++ nfs-utils-work/nfs-utils-1.0.6/utils/statd/monitor.c	Sun Jun 20 23:41:01 2004
 #include <string.h>
 #include <unistd.h>
 #include <sys/stat.h>
+#include <errno.h>
 #include <arpa/inet.h>
 #include "misc.h"
 #include "statd.h"
 	sprintf(path, "%s/%s", SM_DIR, mon_name);
 	if ((fd = open(path, O_WRONLY|O_SYNC|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
 		/* Didn't fly.  We won't monitor. */
-		note(N_ERROR, "creat(%s) failed: %m", path);
+		note(N_ERROR, "creat(%s) failed: %s", path, strerror (errno));
 		nlist_free(NULL, clnt);
 		free(path);
 		goto failure;
diff -prauN --exclude-from=excludes nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/simulate.c nfs-utils-work/nfs-utils-1.0.6/utils/statd/simulate.c
--- nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/simulate.c	Fri Sep 12 15:41:38 2003
+++ nfs-utils-work/nfs-utils-1.0.6/utils/statd/simulate.c	Sun Jun 20 22:51:15 2004
 {
   static char *result;
 
-  dprintf (N_DEBUG, "Recieved state %d for mon_name %s (opaque \"%s\")",
+  dprintf (N_DEBUG, "Received state %d for mon_name %s (opaque \"%s\")",
 	   argp->state, argp->mon_name, argp->priv);
   svc_exit ();
   return ((void *)&result);
diff -prauN --exclude-from=excludes nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/statd.c nfs-utils-work/nfs-utils-1.0.6/utils/statd/statd.c
--- nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/statd.c	Fri Sep 12 16:24:29 2003
+++ nfs-utils-work/nfs-utils-1.0.6/utils/statd/statd.c	Sun Jun 20 22:39:11 2004
 	struct stat st;
 
 	if (stat(SM_DIR, &st) == -1 &&
-	    stat(DIR_BASE, &st) == -1)
+	    stat(DIR_BASE, &st) == -1) {
 		st.st_uid = 0;
+		st.st_gid = 0;
+	}
 
 	if (st.st_uid == 0) {
 		note(N_WARNING, "statd running as root. chown %s to choose different user\n",
 	signal (SIGTERM, killer);
 	/* WARNING: the following works on Linux and SysV, but not BSD! */
 	signal(SIGCHLD, SIG_IGN);
+	/*
+	 * Ignore SIGPIPE to avoid statd dying when peers close their
+	 * TCP connection while we're trying to reply to them. 
+	 */
+	signal(SIGPIPE, SIG_IGN);
 
 	/* initialize out_port */
 	statd_get_socket(out_port);
diff -prauN --exclude-from=excludes nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/svc_run.c nfs-utils-work/nfs-utils-1.0.6/utils/statd/svc_run.c
--- nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/svc_run.c	Fri Sep 12 15:41:40 2003
+++ nfs-utils-work/nfs-utils-1.0.6/utils/statd/svc_run.c	Sun Jun 20 22:40:28 2004
 			if (errno == EINTR || errno == ECONNREFUSED
 			 || errno == ENETUNREACH || errno == EHOSTUNREACH)
 				continue;
-			note(N_ERROR, "my_svc_run() - select: %m");
+			note(N_ERROR, "my_svc_run() - select: %s",
+				strerror (errno));
 			return;
 
 		case 0:

Comment 1 Ludwig Nussel 2004-12-07 21:53:43 UTC

Created attachment 26816 [details]
patch

Comment 2 Ruediger Oertel 2004-12-08 06:19:23 UTC

no, the report was not missed. 
rpc.statd from nfs-utils was never packaged (at least not since SuSE 7.x) 
we use rpc.statd from the quota package.

Comment 3 Olaf Kirch 2004-12-08 16:45:59 UTC

<!-- SBZ_reopen -->Reopened by okir@suse.de at Wed Dec  8 09:45:59 2004, took initial reporter lnussel@suse.de to cc

Comment 4 Olaf Kirch 2004-12-08 16:46:00 UTC

Are you sure? There is only one rpc.statd. I think you're referring to 
rpc.rquotad, where indeed two versions exist (but the one from nfs-utils 
is essentially unmaintained)

Comment 5 Marcus Meissner 2004-12-08 16:53:53 UTC

btw, rpc.rstatd does not come from nfs-utils on our distros, but 
from the rstatd RPM. 
 
The code there looks different.

Comment 6 Marcus Meissner 2004-12-08 17:13:17 UTC

there is no change in SIGCHLD handling in rstatd, so  
I suspect we are affected too. 
 
 
 
-> reassign to maintainer

Comment 7 Olaf Kirch 2004-12-08 17:31:34 UTC

statd != rstatd

Comment 8 Marcus Meissner 2004-12-08 17:35:41 UTC

my bad

Comment 9 Marcus Meissner 2004-12-08 17:44:45 UTC

not shipping -> close

Comment 10 Marcus Meissner 2004-12-08 17:48:56 UTC

<!-- SBZ_reopen -->Reopened by meissner@suse.de at Wed Dec  8 10:48:56 2004

Comment 11 Marcus Meissner 2004-12-08 17:48:56 UTC

more coffee. its in older products and is in nfs-utils, so we are affecgted

Comment 12 Ruediger Oertel 2004-12-08 18:51:40 UTC

damn you're right... it's really in SLES8 ...

Comment 13 Ruediger Oertel 2004-12-08 19:03:11 UTC

patch for nfs-utils-1.0.1 
(one hunk missing, n/a for version 1.0.1)

Comment 14 Ruediger Oertel 2004-12-08 19:04:23 UTC

Created attachment 26856 [details]
patch ported to 1.0.1

Comment 15 Ludwig Nussel 2004-12-08 19:11:46 UTC

CAN-2004-1014

Comment 16 Ruediger Oertel 2004-12-08 19:19:25 UTC

ok, done for 8.1,8.2,9.0 
(added a few more %m replacements in rmtcall.c) 
9.1 and newer do not have statd any more. 
 
are you going to create patchinfos ?

Comment 17 Ludwig Nussel 2004-12-08 19:22:15 UTC

yes. Please add the CAN number to the changelog if the package is not checked 
in yet

Comment 18 Ludwig Nussel 2004-12-08 19:33:24 UTC

Created attachment 26858 [details]
nfs-utils.patch.maintained

Comment 19 Ludwig Nussel 2004-12-08 19:33:38 UTC

Created attachment 26859 [details]
nfs-utils.patch.box

Comment 20 Ludwig Nussel 2004-12-10 23:37:26 UTC

packages approved

Comment 21 Thomas Biege 2009-10-13 20:02:47 UTC

CVE-2004-1014: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)