On Wed, 2013-06-26 at 13:46 -0400, Alexandre Rebert wrote:
> Hi,
>
> We found a crash in nfsidmap contained in the nfs-common package. You are
> being contacted because you are listed as one of the maintainers of
> nfs-common.
>
> We are planning to submit the bug to the Debian bug tracking system in two
> weeks. We wanted to give you a heads-up, so that you have some time to assess
> the seriousness of the bug before it is publicly disclosed.
[...]

It's a bit late for that, as you sent mail to a public mailing list.

nfsidmap is intended to be invoked by request-key, which itself is invoked by the kernel using an upcall. The arguments are generated according to the configuration in /etc/request-key.d/id_resolver.conf where the default is '/usr/sbin/nfsidmap -t 600 %k %d'.

%k expands to the key ID, an integer generated by the kernel's 'keys' subsystem. %d expands to a description of the key, a string generated by the kernel's NFS client. This is partly controlled by the remote server, but the client always uses one of four prefixes: 'uid:', 'gid:', 'user:' or 'group:'.

There does not seem to be any way to make the kernel invoke nfsidmap with an invalid option as used in the test case, and I don't see any reason for a user to invoke it directly with untrusted input. So I don't think there is any security issue here.

Ben.

--
Ben Hutchings
Knowledge is power. France is bacon.
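The invocation path described in the message above, as a simplified model added here for illustration; it is not code from the thread, nfs-utils or keyutils. The first four fields of the configuration line, the function names and all sample values are constructed, and the model assumes each macro is substituted as one whole argument with no shell involved.

```python
import re

# Constructed sample line in request-key.conf(5) layout:
#   OP  TYPE  DESCRIPTION  CALLOUT-INFO  PROGRAM ARGS...
# Only the program and its arguments come from the message above.
CONF_LINE = "create id_resolver * * /usr/sbin/nfsidmap -t 600 %k %d"

# The four prefixes the kernel NFS client uses for key descriptions.
PREFIXES = ("uid:", "gid:", "user:", "group:")


def expand(conf_line, key_id, description):
    """Build the argv for the upcall (hypothetical helper).

    Simplified: only %k and %d are handled, and each one becomes
    exactly one argv element, whatever characters it contains.
    """
    fields = conf_line.split(None, 4)
    if len(fields) != 5:
        raise ValueError("expected OP TYPE DESC CALLOUT PROGRAM ...")
    macros = {"%k": str(key_id), "%d": description}
    return [macros.get(tok, tok) for tok in fields[4].split()]


def check_upcall_argv(argv, expected_options=("-t", "600")):
    """Return a list of problems; empty means argv has the upcall shape."""
    if len(argv) < 3:
        return ["too few arguments"]
    *options, key_id, description = argv[1:]
    problems = []
    # Options can only come from the configuration file, not the macros.
    if tuple(options) != tuple(expected_options):
        problems.append("unexpected options: %r" % (options,))
    if not re.fullmatch(r"[0-9]+", key_id):
        problems.append("key ID is not an integer: %r" % key_id)
    if not description.startswith(PREFIXES):
        problems.append("description lacks a known prefix: %r" % description)
    return problems


if __name__ == "__main__":
    # Constructed values: a key ID and a partly server-controlled name.
    argv = expand(CONF_LINE, 271828, "uid:-x --bogus@example.org")
    print(argv, check_upcall_argv(argv))
```

A non-empty result from `check_upcall_argv` means the argument vector did not come from the default configuration line, which is the direct-invocation case the message sets aside.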