Merge ~ahasenack/ubuntu/+source/nfs-utils:jammy-nfs-utils-svcgssd-principal-1977745 into ubuntu/+source/nfs-utils:ubuntu/jammy-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 45dc155a732074100137cf75bc0e56a7c880a7ba
Proposed branch: ~ahasenack/ubuntu/+source/nfs-utils:jammy-nfs-utils-svcgssd-principal-1977745
Merge into: ubuntu/+source/nfs-utils:ubuntu/jammy-devel
Diff against target: 203 lines (+163/-0)
6 files modified
debian/changelog (+14/-0)
debian/patches/nfs-conf-manpage-missing-svcgssd-options.patch (+19/-0)
debian/patches/series (+4/-0)
debian/patches/svcgssd-display-principal-if-set.patch (+37/-0)
debian/patches/svcgssd-document-missing-options.patch (+44/-0)
debian/patches/svcgssd-fix-use-after-free.patch (+45/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Bryce Harrington (community) Approve
Canonical Server Reporter Pending
Review via email: mp+427771@code.launchpad.net

Description of the change

Bringing in one set of fixes from kinetic to jammy. I was planning on bundling these with other fixes we have in kinetic, but I didn't get feedback yet on those, so I'll leave them cooking in kinetic for a while longer and proceed with this SRU, which is more straightforward.

The linked bug has the necessary test cases.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/nfs-utils-svcgssd-principal-1977745/

I just kicked the DEP8 tests, will post back in a while after there are results.

Andreas Hasenack (ahasenack) wrote :

Putting this back to "work in progress" because, after talking to the security team, I'll take this update opportunity and also fix https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1980095

Andreas Hasenack (ahasenack) wrote :

Back in business with the extra hardening fix.

Bryce Harrington (bryce) wrote :

The DEP8 tests from yesterday all passed. I've re-triggered to pick up today's changes but think maybe the ppa hasn't been updated?

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ahasenack-nfs-utils-svcgssd-principal-1977745/?format=plain)
  nfs-utils @ amd64:
    03.08.22 18:31:23 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
  nfs-utils @ arm64:
    03.08.22 18:36:34 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
  nfs-utils @ armhf:
    03.08.22 18:21:08 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
  nfs-utils @ ppc64el:
    03.08.22 18:36:01 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
  nfs-utils @ s390x:
    03.08.22 18:27:38 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
Running: (none)
Waiting: (none)

In any case changes all LGTM. Verified they match what landed in Kinetic.

Also reviewed the SRU text for both bugs, I didn't run through the test cases but they look very thorough and well documented.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, bryce
Uploaders: ahasenack, bryce
MP auto-approved

review: Approve
Andreas Hasenack (ahasenack) wrote :

I see the ppa2 version of the package in the DEP8 logs, so it seems fine now, and the date is from today:

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ahasenack-nfs-utils-svcgssd-principal-1977745/?format=plain)
  nfs-utils @ amd64:
    04.08.22 03:28:56 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
  nfs-utils @ arm64:
    04.08.22 03:28:23 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
  nfs-utils @ armhf:
    04.08.22 03:10:38 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
  nfs-utils @ ppc64el:
    04.08.22 03:21:24 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
  nfs-utils @ s390x:
    04.08.22 03:16:47 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.1~ppa2
Running: (none)
Waiting: (none)

Andreas Hasenack (ahasenack) wrote :

Uploaded, now it's up to the SRU team:

Uploading nfs-utils_2.6.1-1ubuntu1.1.dsc
Uploading nfs-utils_2.6.1-1ubuntu1.1.debian.tar.xz
Uploading nfs-utils_2.6.1-1ubuntu1.1_source.buildinfo
Uploading nfs-utils_2.6.1-1ubuntu1.1_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index c8ab091..92e7b2e 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,17 @@
6+nfs-utils (1:2.6.1-1ubuntu1.1) jammy; urgency=medium
7+
8+ * rpc.svcgssd fixes and improvements (LP: #1977745):
9+ - d/p/svcgssd-fix-use-after-free.patch: fix use-after-free which was
10+ preventing svcgssd options set in /etc/nfs.conf from being used
11+ - d/p/svcgssd-display-principal-if-set.patch: improve logging,
12+ showing the expected principal name if it was set in the config
13+ - d/p/svcgssd-document-missing-options.patch: add missing options to
14+ the svcgssd manpage
15+ - d/p/nfs-conf-manpage-missing-svcgssd-options.patch: also
16+ document the missing svcgssd options to the nfs.conf(5) manpage
17+
18+ -- Andreas Hasenack <andreas@canonical.com> Wed, 14 Sep 2022 14:34:00 -0300
19+
20 nfs-utils (1:2.6.1-1ubuntu1) jammy; urgency=medium
21
22 * Merge with Debian unstable (LP: #1960829). Remaining changes:
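Review bot: the new entry's only top-level bullet closes LP: #1977745, and all four sub-bullets are svcgssd items under it; the discussion on this proposal also mentions a hardening fix for bug 1980095, which has no bullet or LP reference in this hunk. If that fix is part of this upload, give it its own bullet with its LP number so both bugs are linked from the changelog; if it is delivered separately, nothing needs to change here.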
23diff --git a/debian/patches/nfs-conf-manpage-missing-svcgssd-options.patch b/debian/patches/nfs-conf-manpage-missing-svcgssd-options.patch
24new file mode 100644
25index 0000000..b57ad8c
26--- /dev/null
27+++ b/debian/patches/nfs-conf-manpage-missing-svcgssd-options.patch
28@@ -0,0 +1,19 @@
29+Description: add missing svcgssd long options to nfs.conf(5)
30+Author: Andreas Hasenack <andreas@canonical.com>
31+Forwarded: https://marc.info/?l=linux-nfs&m=165635622607689&w=4
32+Last-Update: 2022-06-27
33+
34+--- a/systemd/nfs.conf.man
35++++ b/systemd/nfs.conf.man
36+@@ -283,7 +283,10 @@
37+ .TP
38+ .B svcgssd
39+ Recognized values:
40+-.BR principal .
41++.BR principal ,
42++.BR verbosity ,
43++.BR rpc-verbosity ,
44++.BR idmap-verbosity .
45+
46+ See
47+ .BR rpc.svcgssd (8)
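Review bot: the DEP-3 header of this patch has no Bug-Ubuntu field, while the three other patches added in this proposal all carry "Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1977745". Add the same field here so the patch can be traced back to the bug from the header alone.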
48diff --git a/debian/patches/series b/debian/patches/series
49index 127f3e1..5626161 100644
50--- a/debian/patches/series
51+++ b/debian/patches/series
52@@ -4,3 +4,7 @@ multiarch-kerberos-paths.patch
53 nfs-utils-fix-man-page-syntax-errors.patch
54 tests-skip-test-if-dev-log-is-missing.patch
55 remove-regex-from-docs.patch
56+svcgssd-fix-use-after-free.patch
57+svcgssd-display-principal-if-set.patch
58+svcgssd-document-missing-options.patch
59+nfs-conf-manpage-missing-svcgssd-options.patch
60diff --git a/debian/patches/svcgssd-display-principal-if-set.patch b/debian/patches/svcgssd-display-principal-if-set.patch
61new file mode 100644
62index 0000000..a10edd8
63--- /dev/null
64+++ b/debian/patches/svcgssd-display-principal-if-set.patch
65@@ -0,0 +1,37 @@
66+From 284d249e0fe58443dafc96fa8be51a2cef4541a0 Mon Sep 17 00:00:00 2001
67+From: Marcel Ritter <marcel@linux-ng.de>
68+Date: Tue, 21 Jun 2022 09:21:36 -0400
69+Subject: [PATCH] svcgssd: Display principal if set
70+
71+It's a little irritating to only see the template "<...>@<...>" if you
72+set a specific principal name. So let's show it (if set).
73+
74+Signed-off-by: Steve Dickson <steved@redhat.com>
75+---
76+ utils/gssd/svcgssd.c | 6 +++---
77+ 1 file changed, 3 insertions(+), 3 deletions(-)
78+
79+Origin: upstream, http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=284d249e0fe58443dafc96fa8be51a2cef4541a0
80+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1977745
81+Last-Update: 2022-06-27
82+
83+diff --git a/utils/gssd/svcgssd.c b/utils/gssd/svcgssd.c
84+index a242b78..ce78d8f 100644
85+--- a/utils/gssd/svcgssd.c
86++++ b/utils/gssd/svcgssd.c
87+@@ -295,9 +295,9 @@ main(int argc, char *argv[])
88+ (const gss_OID)GSS_C_NT_HOSTBASED_SERVICE);
89+ if (status == FALSE) {
90+ printerr(0, "unable to obtain root (machine) credentials\n");
91+- printerr(0, "do you have a keytab entry for "
92+- "nfs/<your.host>@<YOUR.REALM> in "
93+- "/etc/krb5.keytab?\n");
94++ printerr(0, "do you have a keytab entry for %s in"
95++ "/etc/krb5.keytab?\n",
96++ principal ? principal : "nfs/<your.host>@<YOUR.REALM>");
97+ exit(1);
98+ }
99+ } else {
100+--
101+1.8.3.1
102+
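Review bot: the new format string in the svcgssd.c hunk loses the space before the keytab path. The literal "do you have a keytab entry for %s in" is concatenated directly with "/etc/krb5.keytab?\n", so the message prints as "... in/etc/krb5.keytab?"; the removed lines ended the preceding literal with "in " (trailing space). Restore the space at the end of the first literal. Separately, printing `principal` at this point is only safe for a value read from /etc/nfs.conf when svcgssd-fix-use-after-free.patch is applied, which debian/patches/series does list ahead of this patch.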
103diff --git a/debian/patches/svcgssd-document-missing-options.patch b/debian/patches/svcgssd-document-missing-options.patch
104new file mode 100644
105index 0000000..18cf721
106--- /dev/null
107+++ b/debian/patches/svcgssd-document-missing-options.patch
108@@ -0,0 +1,44 @@
109+From f541550358f136e9a6d1fd131e83d17e6269dae4 Mon Sep 17 00:00:00 2001
110+From: Marcel Ritter <marcel@linux-ng.de>
111+Date: Tue, 21 Jun 2022 09:23:22 -0400
112+Subject: [PATCH] svcgssd: Add (undocumented) config options to man page
113+
114+There seem to be some undocumented options implemented.
115+Why not mention them in the man page?
116+
117+Signed-off-by: Steve Dickson <steved@redhat.com>
118+---
119+ utils/gssd/svcgssd.man | 13 +++++++++++++
120+ 1 file changed, 13 insertions(+)
121+
122+Origin: upstream, http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f541550358f136e9a6d1fd131e83d17e6269dae4
123+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1977745
124+Last-Update: 2022-06-27
125+
126+diff --git a/utils/gssd/svcgssd.man b/utils/gssd/svcgssd.man
127+index 15ef4c9..8771c03 100644
128+--- a/utils/gssd/svcgssd.man
129++++ b/utils/gssd/svcgssd.man
130+@@ -61,6 +61,19 @@ this is equivalent to the
131+ option. If set to any other value, that is used like the
132+ .B -p
133+ option.
134++.TP
135++.B verbosity
136++Value which is equivalent to the number of
137++.BR -v .
138++.TP
139++.B rpc-verbosity
140++Value which is equivalent to the number of
141++.BR -r .
142++.TP
143++.B idmap-verbosity
144++Value which is equivalent to the number of
145++.BR -i .
146++
147+
148+ .SH SEE ALSO
149+ .BR rpc.gssd(8),
150+--
151+1.8.3.1
152+
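Review bot: the option names documented here (verbosity, rpc-verbosity, idmap-verbosity) are in lower case, while the svcgssd.c context lines visible in svcgssd-fix-use-after-free.patch look them up as "RPC-Verbosity" and "IDMAP-Verbosity". If the nfs.conf lookup is case-insensitive, say so in the man page; otherwise use the same spelling as the code. The hunk also adds an empty line (preview line 146) directly above the existing blank line before .SH SEE ALSO; drop it, since blank lines in man source render as extra vertical space.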
153diff --git a/debian/patches/svcgssd-fix-use-after-free.patch b/debian/patches/svcgssd-fix-use-after-free.patch
154new file mode 100644
155index 0000000..5a9b0a6
156--- /dev/null
157+++ b/debian/patches/svcgssd-fix-use-after-free.patch
158@@ -0,0 +1,45 @@
159+From 2eabb25d5a43e48e769a0db29956e9f5dc5b5913 Mon Sep 17 00:00:00 2001
160+From: Marcel Ritter <marcel@linux-ng.de>
161+Date: Tue, 21 Jun 2022 09:19:17 -0400
162+Subject: [PATCH] svcgssd: Fix use-after-free bug (config variables)
163+
164+This patch fixes a bug when trying to set "principal" in /etc/nfs.conf.
165+Memory gets freed by conf_cleanup() before being used - moving cleanup
166+code resolves that.
167+
168+Signed-off-by: Steve Dickson <steved@redhat.com>
169+---
170+ utils/gssd/svcgssd.c | 6 +++---
171+ 1 file changed, 3 insertions(+), 3 deletions(-)
172+
173+Origin: upstream, http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=2eabb25d5a43e48e769a0db29956e9f5dc5b5913
174+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1977745
175+Last-Update: 2022-06-27
176+
177+diff --git a/utils/gssd/svcgssd.c b/utils/gssd/svcgssd.c
178+index 881207b..a242b78 100644
179+--- a/utils/gssd/svcgssd.c
180++++ b/utils/gssd/svcgssd.c
181+@@ -211,9 +211,6 @@ main(int argc, char *argv[])
182+ rpc_verbosity = conf_get_num("svcgssd", "RPC-Verbosity", rpc_verbosity);
183+ idmap_verbosity = conf_get_num("svcgssd", "IDMAP-Verbosity", idmap_verbosity);
184+
185+- /* We don't need the config anymore */
186+- conf_cleanup();
187+-
188+ while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
189+ switch (opt) {
190+ case 'f':
191+@@ -328,6 +325,9 @@ main(int argc, char *argv[])
192+
193+ daemon_ready();
194+
195++ /* We don't need the config anymore */
196++ conf_cleanup();
197++
198+ nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
199+
200+ rc = event_base_dispatch(evbase);
201+--
202+1.8.3.1
203+
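Review bot: moving conf_cleanup() below daemon_ready() fixes the reported case by call ordering alone, not by ownership. Any pointer taken from the config (the commit message names "principal") would still dangle if it is dereferenced after this point, for example from a handler run by event_base_dispatch(). Copying the string when it is read (strdup() or similar) would make its lifetime independent of where conf_cleanup() is called; failing that, the moved comment "We don't need the config anymore" should state that no config-derived value may be used once the event loop starts.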
