libnfsidmap built without hardening flags

Bug #1980095 reported by Andreas Hasenack
This bug affects 1 person
Affects             Status        Importance  Assigned to       Milestone
nfs-utils (Ubuntu)  Fix Released  Undecided   Andreas Hasenack
Jammy               Won't Fix     Undecided   Andreas Hasenack

Bug Description

[Impact]

Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.

Check that link[1] for "Built with BIND_NOW".

[Test Plan]

The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)

Another way to check is to run hardening-check, from the ubuntu-dev-tools package, on each binary object from the package, and verify that "Immediate binding" changed from "no" (previous package) to "yes":

$ for n in $(dpkg -L libnfsidmap1 | grep \\.so); do hardening-check $n > $(basename $n).txt; done
$ for n in $(dpkg -L nfs-common|grep bin/); do hardening-check $n > $(basename $n).txt; done
$ for n in $(dpkg -L nfs-kernel-server|grep bin/); do hardening-check $n > $(basename $n).txt; done

$ grep Immediate *.txt
blkmapd.txt: Immediate binding: yes
exportfs.txt: Immediate binding: yes
libnfsidmap.so.1.0.0.txt: Immediate binding: yes
libnfsidmap.so.1.txt: Immediate binding: yes
mount.nfs.txt: Immediate binding: yes
mount.nfs4.txt: Immediate binding: yes
nfsconf.txt: Immediate binding: yes
nfsdcld.txt: Immediate binding: yes
nfsdcltrack.txt: Immediate binding: yes
nfsidmap.txt: Immediate binding: yes
nfsstat.txt: Immediate binding: yes
nsswitch.so.txt: Immediate binding: yes
rpc.gssd.txt: Immediate binding: yes
rpc.idmapd.txt: Immediate binding: yes
rpc.mountd.txt: Immediate binding: yes
rpc.nfsd.txt: Immediate binding: yes
rpc.statd.txt: Immediate binding: yes
rpc.svcgssd.txt: Immediate binding: yes
rpcdebug.txt: Immediate binding: yes
showmount.txt: Immediate binding: yes
sm-notify.txt: Immediate binding: yes
static.so.txt: Immediate binding: yes
umich_ldap.so.txt: Immediate binding: yes
umount.nfs.txt: Immediate binding: yes
umount.nfs4.txt: Immediate binding: yes

[Where problems could occur]

This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.

[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.

1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
2. https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39

[Original Description]

$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]

It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10

But we lost it when src:nfs-utils incorporated the libnfsidmap code.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nfs-utils - 1:2.6.1-2ubuntu1

---------------
nfs-utils (1:2.6.1-2ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1974233). Remaining changes:
    - d/control: don't provide libnfsidmap2 in libnfsidmap1. This
      package contains not only plugins, but an actual shared library,
      with a different soname.
    - Don't install the regex module, as it's built by
      src:libnfsidmap-regex which is in Universe (MIR: #1960824)
      + d/control: don't conflict/break/etc with libnfsidmap-regex
      + d/libnfsidmap1.install: don't install regex.so
      + d/not-installed: mark files we knowingly don't include in the
        packaging
      + d/p/remove-regex-from-docs.patch: remove the regex section from
        the idmapd.conf(5) manpage, as we are not building that plugin in
        this package
    - Update README file:
      + d/README.Ubuntu: new /etc/nfs.conf config structure
      + d/libnfsidmap1.docs, d/nfs-common.docs: install README.Ubuntu
    - d/nfs-common.postrm: also purge /etc/nfs.conf.d/local.conf
    - d/nfs-common.dirs: we also own /etc/nfs.conf.d
    - New apport hook (LP #1961058):
      + d/source.apport: apport hook for nfs-utils
      + d/control: build-depend dh-apport
      + d/rules: build with apport, and install the hook in the
        nfs-common package which is installed on both client and servers
    - Add more DEP8 tests (LP #1960828):
      + d/t/{control,kerberos-mount,util}: test NFSv4 krb5p mounts
      + d/t/{control, v3-moun}t: specific NFSv3 mount test
  * Dropped:
    - d/nfsconvert.py: add short "u" option for mountd's no-udp
      [Included in 1:2.6.1-2]
    - d/NEWS: explain some of the major changes in 2.6.x
      [Obsoleted by Debian's update to the per-package NEWS files]
    - d/nfs-*.bug-script: update to also include /etc/nfs.conf and
      /etc/nfs.conf.d/*.conf
      [Included in 1:2.6.1-2]
  * Added changes:
    - New binary package libnfsidmap-regex (LP: #1974067):
      + d/control: new package
      + d/libnfsidmap-regex.install: install the plugin file
      + d/not-installed: remove the plugin from the not-installed list
      + d/p/remove-regex-from-docs.patch: deleted
      + d/p/ubuntu-idmapd-manpage-update-regex-other-package.patch:
        note that the regex plugin is in another package
    - rpc.svcgssd fixes and improvements (LP: #1977745):
      + d/p/svcgssd-fix-use-after-free.patch: fix use-after-free which was
        preventing svcgssd options set in /etc/nfs.conf from being used
      + d/p/svcgssd-display-principal-if-set.patch: improve logging,
        showing the expected principal name if it was set in the config
      + d/p/svcgssd-document-missing-options.patch: add missing options to
        the svcgssd manpage
      + d/p/nfs-conf-manpage-missing-svcgssd-options.patch: also
        document the missing svcgssd options to the nfs.conf(5) manpage
    - d/README.Ubuntu: updated with the content of the previous d/NEWS
      file
    - d/rules: re-add hardening option lost from the src:libnfsidmap to
      src:nfs-utils transition (LP: #1980095)

 -- Andreas Hasenack <email address hidden> Tue, 28 Jun 2022 10:59...


Changed in nfs-utils (Ubuntu):
status: In Progress → Fix Released
description: updated
Changed in nfs-utils (Ubuntu Jammy):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
description: updated
Steve Langasek (vorlon) wrote :

hardening-no-bindnow is not super critical for a library such as this; the risk of a security vulnerability as a result of symbols being overridden from the outside, for a library with constrained applications such as libnfsidmap, is not great. I would like to see a test case here that addresses the greater issue of hardening-no-fortify-functions.

Changed in nfs-utils (Ubuntu Jammy):
status: In Progress → Incomplete
Andreas Hasenack (ahasenack) wrote :

I asked in #ubuntu-security if they would like me to include this fix in the SRU I was already preparing for nfs-utils (I wouldn't do an SRU of its own just for this bug here). They said they would like it to be included, yes:

https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html

@sbeattie, could you come up with a test case here, or some other argument, please?

Andreas Hasenack (ahasenack) wrote :

Please reject nfs-utils from jammy unapproved, I'll wontfix this bug and do a new upload with just the fix for #1977745

Changed in nfs-utils (Ubuntu Jammy):
status: Incomplete → Won't Fix