Bug 64002 (CVE-2004-1014) - VUL-0: CVE-2004-1014: rpc.statd DoS
Summary: VUL-0: CVE-2004-1014: rpc.statd DoS
Status: RESOLVED FIXED
Alias: CVE-2004-1014
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium  Severity: Major
Target Milestone: ---
Assignee: Ludwig Nussel
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-1014: CVSS v2 Base Score: 5....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-07 21:51 UTC by Marcus Meissner
Modified: 2021-10-14 14:58 UTC (History)
CC List: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch (3.04 KB, patch)
2004-12-07 21:53 UTC, Ludwig Nussel
patch ported to 1.0.1 (2.75 KB, text/x-diff)
2004-12-08 19:04 UTC, Ruediger Oertel
nfs-utils.patch.maintained (473 bytes, text/plain)
2004-12-08 19:33 UTC, Ludwig Nussel
nfs-utils.patch.box (544 bytes, text/plain)
2004-12-08 19:33 UTC, Ludwig Nussel

Description Ludwig Nussel 2004-12-07 21:51:54 UTC
We missed the following report from vendor-sec.
The issue is public in the meantime.

Date: Mon, 22 Nov 2004 10:21:42 -0500
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] DoS in nfs-utils statd

Hello,

SGI has reported to us a DoS in statd.

statd doesn't properly ignore SIGPIPE, which means a misconfigured or
malicious peer could shut it down.  It also has several printf
formatting problems (like passing only one argument to a routine with
two or three format specifiers).

The printf formatting problems don't appear to be security related, but do
clarify the code a bit.

The current embargo date for this issue is 2004-12-01 1400UTC.

-- 
    JB

diff -prauN --exclude-from=excludes nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/monitor.c nfs-utils-work/nfs-utils-1.0.6/utils/statd/monitor.c
--- nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/monitor.c	Fri Sep 12 15:41:35 2003
+++ nfs-utils-work/nfs-utils-1.0.6/utils/statd/monitor.c	Sun Jun 20 23:41:01 2004
 #include <string.h>
 #include <unistd.h>
 #include <sys/stat.h>
+#include <errno.h>
 #include <arpa/inet.h>
 #include "misc.h"
 #include "statd.h"
 	sprintf(path, "%s/%s", SM_DIR, mon_name);
 	if ((fd = open(path, O_WRONLY|O_SYNC|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
 		/* Didn't fly.  We won't monitor. */
-		note(N_ERROR, "creat(%s) failed: %m", path);
+		note(N_ERROR, "creat(%s) failed: %s", path, strerror (errno));
 		nlist_free(NULL, clnt);
 		free(path);
 		goto failure;
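Review bot: The %m to strerror(errno) change is correct here only because errno still holds open()'s value when the argument is evaluated: strerror(errno) is computed in the caller before note() runs, and nothing sits between the failed open() and the call. Say in the changelog that this is a portability fix (%m is a glibc printf/syslog extension), since next to the SIGPIPE change it otherwise reads as noise. The sprintf(path, "%s/%s", SM_DIR, mon_name) above is untouched by this hunk and relies on path having been sized for both strings earlier in the function, which the hunk does not show.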
diff -prauN --exclude-from=excludes nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/simulate.c nfs-utils-work/nfs-utils-1.0.6/utils/statd/simulate.c
--- nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/simulate.c	Fri Sep 12 15:41:38 2003
+++ nfs-utils-work/nfs-utils-1.0.6/utils/statd/simulate.c	Sun Jun 20 22:51:15 2004
 {
   static char *result;
 
-  dprintf (N_DEBUG, "Recieved state %d for mon_name %s (opaque \"%s\")",
+  dprintf (N_DEBUG, "Received state %d for mon_name %s (opaque \"%s\")",
 	   argp->state, argp->mon_name, argp->priv);
   svc_exit ();
   return ((void *)&result);
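Review bot: Spelling-only change, fine as is. One observation on the surrounding lines: argp->priv is described as opaque but is logged with %s, so the debug output stops at the first NUL byte and any non-printable bytes go straight into the log; if this dprintf is kept, a hex encoding of priv would be more useful than the raw string.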
diff -prauN --exclude-from=excludes nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/statd.c nfs-utils-work/nfs-utils-1.0.6/utils/statd/statd.c
--- nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/statd.c	Fri Sep 12 16:24:29 2003
+++ nfs-utils-work/nfs-utils-1.0.6/utils/statd/statd.c	Sun Jun 20 22:39:11 2004
 	struct stat st;
 
 	if (stat(SM_DIR, &st) == -1 &&
-	    stat(DIR_BASE, &st) == -1)
+	    stat(DIR_BASE, &st) == -1) {
 		st.st_uid = 0;
+		st.st_gid = 0;
+	}
 
 	if (st.st_uid == 0) {
 		note(N_WARNING, "statd running as root. chown %s to choose different user\n",
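Review bot: The added braces fix a real bug rather than style: when both stat() calls fail, st is never filled in, so st.st_gid stayed uninitialized stack data even though st.st_uid was forced to 0. Setting st_gid = 0 alongside it makes the st.st_uid == 0 check below consistent with whatever later reads st_gid. Consider also initialising the struct at declaration (struct stat st = {0}; or a memset) so the same class of issue cannot return when the next field is used.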
 	signal (SIGTERM, killer);
 	/* WARNING: the following works on Linux and SysV, but not BSD! */
 	signal(SIGCHLD, SIG_IGN);
+	/*
+	 * Ignore SIGPIPE to avoid statd dying when peers close their
+	 * TCP connection while we're trying to reply to them. 
+	 */
+	signal(SIGPIPE, SIG_IGN);
 
 	/* initialize out_port */
 	statd_get_socket(out_port);
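Review bot: This is the actual DoS fix and the placement is right: SIGPIPE is ignored before statd_get_socket(out_port) opens anything, so there is no window in which a peer hang-up can still kill the process. With the default disposition, a write() to a TCP socket whose peer has closed delivers SIGPIPE and terminates statd; with it ignored, the write returns -1 with errno set to EPIPE and control stays in the daemon. That in turn means the reply paths must treat EPIPE as an ordinary failed write (drop the reply, keep serving) rather than retrying. The comment is accurate in naming TCP only, since the UDP transport never raises SIGPIPE; the per-call alternative is MSG_NOSIGNAL on send(), but a process-wide SIG_IGN is the simpler choice for a daemon that never wants the signal.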
diff -prauN --exclude-from=excludes nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/svc_run.c nfs-utils-work/nfs-utils-1.0.6/utils/statd/svc_run.c
--- nfs-utils-sgi/nfs-utils-1.0.6/utils/statd/svc_run.c	Fri Sep 12 15:41:40 2003
+++ nfs-utils-work/nfs-utils-1.0.6/utils/statd/svc_run.c	Sun Jun 20 22:40:28 2004
 			if (errno == EINTR || errno == ECONNREFUSED
 			 || errno == ENETUNREACH || errno == EHOSTUNREACH)
 				continue;
-			note(N_ERROR, "my_svc_run() - select: %m");
+			note(N_ERROR, "my_svc_run() - select: %s",
+				strerror (errno));
 			return;
 
 		case 0:
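Review bot: Same %m replacement as in monitor.c; errno is still select()'s value here because the only code visible between the failed select() and note() is the errno test in the if, so strerror(errno) reports the right error. Unchanged behaviour worth a second look: any select() error other than EINTR, ECONNREFUSED, ENETUNREACH or EHOSTUNREACH makes my_svc_run() return and so ends the service loop; that is pre-existing and outside this patch, but it is the other place a transient error could take statd down.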
Comment 1 Ludwig Nussel 2004-12-07 21:53:43 UTC
Created attachment 26816 [details]
patch
Comment 2 Ruediger Oertel 2004-12-08 06:19:23 UTC
no, the report was not missed. 
rpc.statd from nfs-utils was never packaged (at least not since SuSE 7.x). 
we use rpc.statd from the quota package. 
 
Comment 3 Olaf Kirch 2004-12-08 16:45:59 UTC
Reopened by okir@suse.de at Wed Dec  8 09:45:59 2004, took initial reporter lnussel@suse.de to cc
Comment 4 Olaf Kirch 2004-12-08 16:46:00 UTC
Are you sure? There is only one rpc.statd. I think you're referring to 
rpc.rquotad, where indeed two versions exist (but the one from nfs-utils 
is essentially unmaintained) 
Comment 5 Marcus Meissner 2004-12-08 16:53:53 UTC
btw, rpc.rstatd does not come from nfs-utils on our distros, but 
from the rstatd RPM. 
 
The code there looks different. 
 
Comment 6 Marcus Meissner 2004-12-08 17:13:17 UTC
there is no change in SIGCHLD handling in rstatd, so  
I suspect we are affected too. 
 
 
 
-> reassign to maintainer 
Comment 7 Olaf Kirch 2004-12-08 17:31:34 UTC
statd != rstatd 
Comment 8 Marcus Meissner 2004-12-08 17:35:41 UTC
my bad 
Comment 9 Marcus Meissner 2004-12-08 17:44:45 UTC
not shipping -> close 
Comment 10 Marcus Meissner 2004-12-08 17:48:56 UTC
Reopened by meissner@suse.de at Wed Dec  8 10:48:56 2004
Comment 11 Marcus Meissner 2004-12-08 17:48:56 UTC
more coffee. it's in older products and is in nfs-utils, so we are affected 
Comment 12 Ruediger Oertel 2004-12-08 18:51:40 UTC
damn you're right... it's really in SLES8 ... 
 
Comment 13 Ruediger Oertel 2004-12-08 19:03:11 UTC
patch for nfs-utils-1.0.1 
(one hunk missing, n/a for version 1.0.1) 
 
Comment 14 Ruediger Oertel 2004-12-08 19:04:23 UTC
Created attachment 26856 [details]
patch ported to 1.0.1
Comment 15 Ludwig Nussel 2004-12-08 19:11:46 UTC
CAN-2004-1014 
Comment 16 Ruediger Oertel 2004-12-08 19:19:25 UTC
ok, done for 8.1,8.2,9.0 
(added a few more %m replacements in rmtcall.c) 
9.1 and newer do not have statd any more. 
 
are you going to create patchinfos ? 
Comment 17 Ludwig Nussel 2004-12-08 19:22:15 UTC
yes. Please add the CAN number to the changelog if the package is not checked 
in yet 
Comment 18 Ludwig Nussel 2004-12-08 19:33:24 UTC
Created attachment 26858 [details]
nfs-utils.patch.maintained
Comment 19 Ludwig Nussel 2004-12-08 19:33:38 UTC
Created attachment 26859 [details]
nfs-utils.patch.box
Comment 20 Ludwig Nussel 2004-12-10 23:37:26 UTC
packages approved 
Comment 21 Thomas Biege 2009-10-13 20:02:47 UTC
CVE-2004-1014: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)