Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at 2017-10-28 14:17:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/SuSEfirewall2 (Old) and /work/SRC/openSUSE:Factory/.SuSEfirewall2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SuSEfirewall2" Sat Oct 28 14:17:04 2017 rev:86 rq:535172 version:3.6.369 Changes: -------- --- /work/SRC/openSUSE:Factory/SuSEfirewall2/SuSEfirewall2.changes 2017-07-30 11:26:37.675762321 +0200 +++ /work/SRC/openSUSE:Factory/.SuSEfirewall2.new/SuSEfirewall2.changes 2017-10-28 14:17:05.817616093 +0200 @@ -1,0 +2,9 @@ +Wed Oct 18 15:47:48 UTC 2017 - matthias.gerst...@suse.com + +- rpcinfo: recognize execution errors of the perl script and terminate accordingly +- rpcinfo: fixed security issue with too open implicit portmapper rules + (bnc#1064127): A source net restriction for _rpc_ services was not taken + into account for the implicitly added rules for port 111, making the portmap + service accessible to everyone in the affected zone. + +------------------------------------------------------------------- Old: ---- SuSEfirewall2-3.6.365.tar.bz2 New: ---- SuSEfirewall2-3.6.369.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.Zul6SG/_old 2017-10-28 14:17:08.357523211 +0200 +++ /var/tmp/diff_new_pack.Zul6SG/_new 2017-10-28 14:17:08.357523211 +0200 @@ -19,7 +19,7 @@ %define newname SUSEfirewall2 Name: SuSEfirewall2 -Version: 3.6.365 +Version: 3.6.369 Release: 0 Url: http://en.opensuse.org/SuSEfirewall2 PreReq: /bin/sed textutils fileutils grep filesystem ++++++ SuSEfirewall2-3.6.365.tar.bz2 -> SuSEfirewall2-3.6.369.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.365/.gitignore new/SuSEfirewall2-3.6.369/.gitignore --- old/SuSEfirewall2-3.6.365/.gitignore 2017-07-28 10:40:25.000000000 +0200 +++ new/SuSEfirewall2-3.6.369/.gitignore 2017-10-17 13:18:06.000000000 +0200 
@@ -1 +1,2 @@ *.swp +package diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.365/SuSEfirewall2 new/SuSEfirewall2-3.6.369/SuSEfirewall2 --- old/SuSEfirewall2-3.6.365/SuSEfirewall2 2017-07-28 10:40:25.000000000 +0200 +++ new/SuSEfirewall2-3.6.369/SuSEfirewall2 2017-10-17 13:18:06.000000000 +0200 @@ -2265,27 +2265,15 @@ # parameter fragment # # parameters: -# $1: names of rpc services, e.g. ypbind mountd -# $2: whether portmapper ports shall be implicitly added (boolean) +# $1: names of rpc services, e.g. ypbind mountd or a comma separated tuple +# like 192.168.1.0/24,_rpc_,nfs rpcservicerules() { + # The -rpcinfo script by default implicitly adds extra rules for portmap # itself. This is because portmap needs to be reached in order for other # rpc services to work at all. - # In some contexts this generates superfluous portmap rules, however. In - # conjunction with the update-rpc functionality we might end up with a lot - # of redundant rules. Thus we can selectively disabled this implicit - # behaviour. - # It would be better to only explicitly add the portmap rules. But this - # required more refactoring, and also the current solution is buggy: The - # implicit portmap rules don't take source subnet restrictions into - # account. - if [ $# -eq 2 ] && ! $2; then - export NOPORTMAP=1 - fi - - perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$@" 2>/dev/null - unset NOPORTMAP + perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$1" } # parameters: @@ -2309,7 +2297,7 @@ chain=input_$zone var="FW_SERVICES_${action}_`cibiz $zone`" eval services="\"\$$var\"" - + local rpc_insert get_rpc_insert_pars $update_rpc $chain 
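Review bot: The rewritten `rpcservicerules` forwards only `"$1"` to the perl script, while the header comment directly above it still describes `$1` as "names of rpc services, e.g. ypbind mountd"; with the callers invoking it as `rpcservicerules $service` unquoted, anything after the first word would be silently dropped. Either forward `"$@"` as the old body did, or narrow the comment to match, e.g. `# $1: a single rpc service name, e.g. ypbind, or a comma separated tuple`. Removing `2>/dev/null` fits the goal of surfacing script failures, but it is worth a one-line comment, since the perl script also writes its own diagnostics (rpcusers syntax errors, non-root services) to stderr and those now show up in the firewall output. The trailing hunk at -2309 on this line is cut off in this view.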
@@ -2332,10 +2320,13 @@ [ -n "$selected" -a "$selected" != $port ] && continue local comment comment_pars "rpc.$port" + set -o pipefail rpcservicerules $service | while read ARG; do $LDC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG $IPTABLES $rpc_insert $comment -j "$target" $ARG done + [ $? -eq 0 ] || die "Failed to setup rpc service rules for $service" + set +o pipefail elif $update_rpc; then # don't add any other rules in update rpc mode continue @@ -2416,6 +2407,7 @@ [ -n "$selected" -a "$selected" != "$port" ] && continue local comment comment_pars "rpc.$port" + set -o pipefail rpcservicerules $service | while read ARG; do if [ -n "$ipt_recent_set" ]; then $LDC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck @@ -2426,6 +2418,8 @@ [ -n "$ipt_recent_set" ] && $IPTABLES $rpc_insert $comment -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set $IPTABLES $rpc_insert $comment -j ACCEPT $ARG done + [ $? -eq 0 ] || die "Failed to setup rpc service rules for $service" + set +o pipefail elif $update_rpc; then # don't add any other rules in update rpc mode continue 
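Review bot: The `[ $? -eq 0 ] || die ...` after `done` only reflects the exit status of the last command of the final loop iteration (the plain `$IPTABLES ... $ARG` call) combined with pipefail's rightmost-non-zero rule, so a failing `SuSEfirewall2-rpcinfo` is caught but an iptables error in any earlier iteration, or in the `$LDC`/`$LAC` logging call, is still accepted silently. If catching the script failure is all that is intended, say so next to the check, e.g. `# pipefail: abort only if SuSEfirewall2-rpcinfo itself fails; iptables status is not tracked here`; otherwise the loop body needs its own status tracking. `set +o pipefail` also clears the option unconditionally instead of restoring the previous state, and `pipefail` itself presumes a bash-compatible interpreter, which I assume this script already requires. The same pattern is repeated in the two hunks below on this line (-2416, -2426) and in the one at -2476, where the die message differs only in capitalisation (`failed` vs `Failed`); keep the three messages identical so log searches match. The enclosing functions begin and end outside these hunks.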
@@ -2476,11 +2470,14 @@ # skip not matching services for incremental updates [ -n "$selected" -a "$selected" != "$service" -a "$service" != "portmapper" ] && continue comment_pars "rpc.$service" - rpcservicerules $service false | while read ARG; do + set -o pipefail + rpcservicerules $service | while read ARG; do $LAC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG $LAA $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG $IPTABLES $rpc_insert $comment -j "$ACCEPT" $ARG done + [ $? -eq 0 ] || die "failed to setup rpc service rules for $service" + set +o pipefail done done } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.365/SuSEfirewall2-rpcinfo new/SuSEfirewall2-3.6.369/SuSEfirewall2-rpcinfo --- old/SuSEfirewall2-3.6.365/SuSEfirewall2-rpcinfo 2017-07-28 10:40:25.000000000 +0200 +++ new/SuSEfirewall2-3.6.369/SuSEfirewall2-rpcinfo 2017-10-17 13:18:06.000000000 +0200 @@ -53,14 +53,21 @@ my @a = split(/,/,$service); if( $#a == 0) { - push @{$services{$service}}, {}; + push @{$services{$service}}, {}; } elsif ($#a >= 2 && $a[1] eq '_rpc_') { - my %h = (); - $h{'net'} = $a[0] if($a[0] && length($a[0])); - $h{'sport'} = $a[3] if($a[3] && length($a[3])); - push @{$services{$a[2]}}, \%h; + my %h = (); + $h{'net'} = $a[0] if($a[0] && length($a[0])); + $h{'sport'} = $a[3] if($a[3] && length($a[3])); + push @{$services{$a[2]}}, \%h; + # always also add portmapper with the given restrictions so clients + # can query for the service ports in question + # + # use a copy of the hashmap lest we share data between services with + # strange results + my %copy = %h; + push @{$services{'portmapper'}}, \%copy; } } 
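Review bot: The portmapper entry copied from an `_rpc_` tuple inherits `sport` as well as `net`, which makes the port 111 rule stricter than the old implicit `{ tcp => [111], udp => [111] }` fallback ever was; if the `sport` field is meant to constrain only the service itself, client portmap queries from other source ports would now be dropped. If only the network restriction should carry over, `my %copy = exists $h{'net'} ? (net => $h{'net'}) : ();` does that. As far as these hunks show, a service given as a bare name (the `$#a == 0` branch) no longer gets any implicit portmapper entry once the fallback in `getportsfor` is removed (hunk at -124), which is a behaviour change the changelog does not mention; a comment on that branch such as `# bare service names get no implicit portmapper rule; list portmapper explicitly if needed` would make it deliberate. The shallow `%copy` is enough only because `%h` holds scalars at this point, while the per-protocol port arrays that `getportsfor` pushes into each entry later are the sharing the comment warns about, so the comment should say that rather than "strange results".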
@@ -71,21 +78,21 @@ for my $file (qw(/usr/share/SuSEfirewall2/rpcusers /etc/sysconfig/SuSEfirewall2.d/rpcusers)) { next unless open(F, '<', $file); while (<F>) { - chomp; - s/#.*//; - next if /^ *$/; - my $uid; - my ($service, $user) = split(/\s+/, $_, 2); - unless (defined $service && defined $user) { - print STDERR "$file:$. syntax error\n"; - next; - } - $uid = getpwnam($user); - unless (defined $uid) { - print STDERR "$file:$. invalid user name: $user\n"; - next; - } - $rpcusers{$service} = $uid; + chomp; + s/#.*//; + next if /^ *$/; + my $uid; + my ($service, $user) = split(/\s+/, $_, 2); + unless (defined $service && defined $user) { + print STDERR "$file:$. syntax error\n"; + next; + } + $uid = getpwnam($user); + unless (defined $uid) { + print STDERR "$file:$. invalid user name: $user\n"; + next; + } + $rpcusers{$service} = $uid; } } @@ -103,11 +110,11 @@ next unless (exists $services{$line[4]}); if($line[2] eq 'udp') { - $udpports{$line[3]} = $line[4]; + $udpports{$line[3]} = $line[4]; } elsif($line[2] eq 'tcp') { - $tcpports{$line[3]} = $line[4]; + $tcpports{$line[3]} = $line[4]; } } close RPCINFO; 
@@ -124,33 +131,27 @@ my $ret = 0; while(<FILE>) { - chomp; - my @line = split; - my ($addr, $port) = split(/:/, $line[1], 2); - $port = pack('H*', $port); # "007B" => "\x00\x7B" - $port = unpack('n', $port); # "\x00\x7B" => 0x007B - my $service = $href->{$port} || undef; - next unless $service; - - my $uid = $line[7]; - if ($uid && !($rpcusers{$service} && $uid == $rpcusers{$service})) { - print STDERR "$service/$proto doesn't run as root, ignored.\n"; - next; - } - - ++$ret; - foreach my $h (@{$services{$service}}) - { - push @{$h->{$proto}}, $port; - } + chomp; + my @line = split; + my ($addr, $port) = split(/:/, $line[1], 2); + $port = pack('H*', $port); # "007B" => "\x00\x7B" + $port = unpack('n', $port); # "\x00\x7B" => 0x007B + my $service = $href->{$port} || undef; + next unless $service; + + my $uid = $line[7]; + if ($uid && !($rpcusers{$service} && $uid == $rpcusers{$service})) { + print STDERR "$service/$proto doesn't run as root, ignored.\n"; + next; + } + + ++$ret; + foreach my $h (@{$services{$service}}) + { + push @{$h->{$proto}}, $port; + } } close FILE; - - # always also add portmapper - if($ret && !defined $ENV{"NOPORTMAP"} && !exists $services{'portmapper'}) - { - push @{$services{'portmapper'}}, { tcp => [111], udp => [111] }; - } } getportsfor('udp', \%udpports); @@ -162,18 +163,18 @@ { foreach my $h (@$l) { - foreach my $proto (('udp', 'tcp')) - { - if(exists($h->{$proto})) - { - foreach my $port (@{$h->{$proto}}) - { - print "-p $proto --dport $port"; - print " --sport ".$h->{'sport'} if exists $h->{'sport'}; - print " -s ".$h->{'net'} if exists $h->{'net'}; - print "\n"; - } - } - } + foreach my $proto (('udp', 'tcp')) + { + if(exists($h->{$proto})) + { + foreach my $port (@{$h->{$proto}}) + { + print "-p $proto --dport $port"; + print " --sport ".$h->{'sport'} if exists $h->{'sport'}; + print " -s ".$h->{'net'} if exists $h->{'net'}; + print "\n"; + } + } + } } }
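Review bot: `$ret` is now dead in `getportsfor`: `++$ret` survives the re-indentation, but its only reader, the removed portmapper fallback after the loop, is gone and the sub has no `return`, so either drop `my $ret = 0;` and `++$ret;` or add `return $ret;` after `close FILE;` so callers can tell whether any port was resolved. The rest of this hunk and the one at -162 only change indentation. The sub's header lies outside the hunk.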