Debian

Available patches from Ubuntu

To see how Ubuntu differs from Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: libnfsidmap

    libnfsidmap (0.25-5.1ubuntu1) disco; urgency=medium

      * d/p/03-uid-map-krb5.patch: fix uid mapping when sec=krb5 is used
        (LP: #1819197)

     -- Andreas Hasenack <andreas@canonical.com>  Fri, 22 Mar 2019 09:22:23 -0300

Modifications:
  1. Download patch debian/control

    --- 0.25-5.1/debian/control 2013-05-25 00:34:52.000000000 +0000 +++ 0.25-5.1ubuntu1/debian/control 2019-03-22 12:22:23.000000000 +0000 @@ -1,7 +1,8 @@ Source: libnfsidmap Priority: optional Section: libs -Maintainer: Anibal Monsalve Salazar <anibal@debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Anibal Monsalve Salazar <anibal@debian.org> Build-Depends: dpkg-dev (>= 1.16.1~), debhelper (>= 9), libldap2-dev, autotools-dev, automake1.11, autoconf (>= 2.68), libtool Standards-Version: 3.9.4 Homepage: http://www.citi.umich.edu/projects/nfsv4/linux/
  2. Download patch debian/patches/series

    --- 0.25-5.1/debian/patches/series 2013-05-25 00:52:12.000000000 +0000 +++ 0.25-5.1ubuntu1/debian/patches/series 2019-03-22 12:22:13.000000000 +0000 @@ -1,2 +1,3 @@ 01-661215-wrong-double-ldap-check.patch 02-idmapd.conf.5.patch +03-uid-map-krb5.patch
  3. Download patch debian/patches/03-uid-map-krb5.patch

    --- 0.25-5.1/debian/patches/03-uid-map-krb5.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.25-5.1ubuntu1/debian/patches/03-uid-map-krb5.patch 2019-03-22 12:22:13.000000000 +0000 @@ -0,0 +1,30 @@ +From 309a89975a50bf53c408233a1bb5b10fd579ca30 Mon Sep 17 00:00:00 2001 +From: "Signed-off-by: Shijoe Panjikkaran" <spanjikk@redhat.com> +Date: Wed, 30 Apr 2014 13:19:34 -0400 +Subject: [PATCH] nss: use strrchr() instead of strchr() to get the last + occurrence of "@" + +Signed-off-by: Shijoe Panjikkaran <spanjikk@redhat.com> +Signed-off-by: Steve Dickson <steved@redhat.com> + +Origin: https://github.com/Distrotech/libnfsidmap/commit/309a89975 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924425 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libnfsidmap/+bug/1819197 +Last-Update: 2019-03-15 +--- + nss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nss.c b/nss.c +index b2b1227..f8129fe 100644 +--- a/nss.c ++++ b/nss.c +@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char *domain) + char *l = NULL; + int len; + +- c = strchr(name, '@'); ++ c = strrchr(name, '@'); + if (c == NULL && domain != NULL) + goto out; + if (c == NULL && domain == NULL) {
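
Review bot: the commit message for the `strrchr(name, '@')` change in strip_domain() says which call was swapped but not which names were being mishandled. Add one example of a name containing more than one '@' and the local part expected after stripping, so that a reader can check the rest of strip_domain(), which this hunk does not show, against it. The header also carries a malformed author line, From: "Signed-off-by: Shijoe Panjikkaran"; it is worth correcting in the packaged copy.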

Source: nfs-ganesha

    nfs-ganesha (3.2-2ubuntu1) groovy; urgency=medium

      * Re-merge lost, but required delta of 3.0.3-0ubuntu3
        - d/control: Drop universe runtime dependency on daemon as it's not used.
        - d/rules: Install sample ganesha configuration file as ganesha.conf,
          avoiding hard requirement on nfs-ganesha-vfs for default install.

     -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 04 Jun 2020 12:26:24 +0200

Modifications:
  1. Download patch debian/rules

    --- 3.2-2/debian/rules 2020-03-16 11:33:18.000000000 +0000 +++ 3.2-2ubuntu1/debian/rules 2020-06-04 10:26:24.000000000 +0000 @@ -63,7 +63,7 @@ override_dh_install: mkdir -p debian/tmp/etc/dbus-1/system.d/ mkdir -p debian/tmp/usr/lib/ganesha/ mkdir -p debian/tmp/usr/sbin/ - cp src/config_samples/vfs.conf debian/tmp/etc/ganesha/ganesha.conf + cp src/config_samples/ganesha.conf.example debian/tmp/etc/ganesha/ganesha.conf cp src/config_samples/vfs.conf debian/tmp/etc/ganesha/vfs.conf cp src/config_samples/xfs.conf debian/tmp/etc/ganesha/xfs.conf cp src/config_samples/ceph.conf debian/tmp/etc/ganesha/ceph.conf
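
Review bot: the changed cp line in override_dh_install has no comment saying why ganesha.conf is taken from ganesha.conf.example rather than vfs.conf. The changelog describes this delta as lost and re-merged, so a one-line comment above the cp (avoids a hard requirement on nfs-ganesha-vfs for a default install) would make it harder to drop again in the next merge.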
  2. Download patch debian/control

    --- 3.2-2/debian/control 2020-03-16 11:33:18.000000000 +0000 +++ 3.2-2ubuntu1/debian/control 2020-06-04 10:26:24.000000000 +0000 @@ -1,7 +1,8 @@ Source: nfs-ganesha Section: net Priority: optional -Maintainer: Philippe Deniel <philippe.deniel@cea.fr> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Philippe Deniel <philippe.deniel@cea.fr> Uploaders: Christoph Martin <martin@uni-mainz.de> Standards-Version: 4.1.1 Homepage: https://github.com/nfs-ganesha/nfs-ganesha @@ -45,7 +46,6 @@ Depends: dbus, nfs-common, rpcbind, ${shlibs:Depends}, ${perl:Depends}, ${misc:Depends}, - daemon Description: NFS server in User Space NFS-GANESHA is a NFS Server running in user space with a large cache. It comes with various backend modules to support different file systems

Source: nfs-utils

    nfs-utils (1:1.3.4-2.5ubuntu5) groovy; urgency=medium

      * SECURITY UPDATE: privilege escalation via directory permissions
        - debian/patches/CVE-2019-3689.patch: take user-id from
          /var/lib/nfs/sm in support/nsm/file.c, utils/statd/sm-notify.man,
          utils/statd/statd.man.
        - debian/nfs-common.postinst: don't make /var/lib/nfs owned by statd.
        - CVE-2019-3689

     -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 17 Jun 2020 08:42:59 -0400

    nfs-utils (1:1.3.4-2.5ubuntu4) groovy; urgency=medium

      [ Rodrigo Barbieri ]
      * d/p/fix-start-ordering-1.patch, d/p/fix-start-ordering-2.patch,
        d/p/fix-start-ordering-3.patch, d/nfs-kernel-server.install:
        - Fix systemd service start ordering (LP: #1871214)

     -- Dariusz Gadomski <dariusz.gadomski@canonical.com>  Thu, 28 May 2020 17:45:23 -0400

    nfs-utils (1:1.3.4-2.5ubuntu3) focal; urgency=medium

      * No-change rebuild for libevent soname changes.

     -- Matthias Klose <doko@ubuntu.com>  Sat, 19 Oct 2019 19:57:12 +0000

    nfs-utils (1:1.3.4-2.5ubuntu2) eoan; urgency=medium

      * No-change upload with strops.h and sys/strops.h removed in glibc.

     -- Matthias Klose <doko@ubuntu.com>  Thu, 05 Sep 2019 11:04:05 +0000

    nfs-utils (1:1.3.4-2.5ubuntu1) eoan; urgency=low

      * Merge from Debian unstable. Remaining changes:
        - debian/nfs-common.default: always start idmapd automatically; drop
          the configuration option.
        - Add 90-gss-free-lucid-sec-context.patch: adjust for changes to the
          ctx argument of the serialize_krb5_ctx() function.
        - Add remove-gssproxy.patch: Drop gssproxy as it does not exist in Ubuntu
        - Fixing nfs-mountd dependency on rpcbind (race condition) by adding
          "rpcbind.socket" to "nfs-mountd.service" as a dependency to avoid
          race conditions:
          - Add systemd-Fix-nfs-mountd-dependency-on-rpcbind.patch
        - Convert mountstats and nfsiostat scripts to Python3 and recommend
          python3 instead of python.
        - truncate_gid*.patch: Backports from upstream to prevent truncating
          UIDs and GIDs over 65536 on certain architectures
        - Remove hard-coded dep on libtirpc1.
        - d/nfs-utils_env.sh: alongside RPCSVCGSSDARGS, also export
          SVCGSSDARGS, which is the variable name expected by the rpc-svcgssd
          systemd service.
        - d/p/nfsiostat-replace-list-reserved-word.patch: fix nfsiostat crash
          due to using 'list' as a variable name.
      * Dropped changes, included in Debian:
        - glibc-2.28-compat.patch: Include <sys/sysmacros.h> for major/minor.

     -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 02 May 2019 22:43:12 -0700

Modifications:
  1. Download patch debian/patches/truncate_uid_2.patch

    --- 1:1.3.4-2.5/debian/patches/truncate_uid_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/truncate_uid_2.patch 2020-05-13 11:50:39.000000000 +0000 @@ -0,0 +1,28 @@ +From 327446213593070733702aaab92045c46452e0c1 Mon Sep 17 00:00:00 2001 +From: Yongcheng Yang <yoyang@redhat.com> +Date: Sat, 21 Jul 2018 08:25:44 -0400 +Subject: [PATCH] rpc.gssd: fix typo checking "__NR_setresuid32" instead of + "__NR_setresgid32 + +Signed-off-by: Yongcheng Yang <yoyang@redhat.com> +Signed-off-by: Steve Dickson <steved@redhat.com> +--- + utils/gssd/gssd_proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c +index 7a57c4e..bfcf3f0 100644 +--- a/utils/gssd/gssd_proc.c ++++ b/utils/gssd/gssd_proc.c +@@ -460,7 +460,7 @@ change_identity(uid_t uid) + * send a signal to all other threads to synchronize the uid in all + * other threads. To bypass this, we have to call syscall() directly. + */ +-#ifdef __NR_setresuid32 ++#ifdef __NR_setresgid32 + res = syscall(SYS_setresgid32, pw->pw_gid, pw->pw_gid, pw->pw_gid); + #else + res = syscall(SYS_setresgid, pw->pw_gid, pw->pw_gid, pw->pw_gid); +-- +1.8.3.1 +
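
Review bot: the header does not say that this patch depends on truncate_uid.patch, whose `#ifdef __NR_setresuid32` guard in front of the SYS_setresgid32 call it corrects. Note the dependency in the header, or fold the one-line fix into truncate_uid.patch so the series never carries the wrong guard. An Origin: header pointing at the upstream commit named in the From line would also bring it in line with the other backports in this package.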
  2. Download patch debian/patches/unbreak-blkmapd-rpc_pipefs-run.patch

    --- 1:1.3.4-2.5/debian/patches/unbreak-blkmapd-rpc_pipefs-run.patch 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/unbreak-blkmapd-rpc_pipefs-run.patch 2020-05-13 11:50:39.000000000 +0000 @@ -8,11 +8,9 @@ From looking in the BTS gssd also seems Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828826 -diff --git a/utils/blkmapd/device-discovery.c b/utils/blkmapd/device-discovery.c -index 69f00fa..7b00c90 100644 --- a/utils/blkmapd/device-discovery.c +++ b/utils/blkmapd/device-discovery.c -@@ -55,9 +55,9 @@ +@@ -56,9 +56,9 @@ #define EVENT_SIZE (sizeof(struct inotify_event)) #define EVENT_BUFSIZE (1024 * EVENT_SIZE) @@ -25,4 +23,3 @@ index 69f00fa..7b00c90 100644 #define PID_FILE "/run/blkmapd.pid" struct bl_disk *visible_disk_list; -
  3. Download patch debian/patches/remove-gssproxy.patch

    --- 1:1.3.4-2.5/debian/patches/remove-gssproxy.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/remove-gssproxy.patch 2020-05-13 11:50:39.000000000 +0000 @@ -0,0 +1,57 @@ +Description: Remove gssproxy + Gssproxy isn't packages for Ubuntu so we should drop it from + the service definitions. It also makes rpc-svcgssd always show + as failing on the client. + . +Author: Bryan Quigley <bryan.quigley@canonical.com> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1452667 + +--- a/systemd/auth-rpcgss-module.service ++++ b/systemd/auth-rpcgss-module.service +@@ -7,8 +7,8 @@ + [Unit] + Description=Kernel Module supporting RPCSEC_GSS + DefaultDependencies=no +-Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service +-Wants=gssproxy.service rpc-svcgssd.service rpc-gssd.service ++Before=rpc-svcgssd.service rpc-gssd.service ++Wants=rpc-svcgssd.service rpc-gssd.service + ConditionPathExists=/etc/krb5.keytab + + [Service] +--- a/systemd/nfs-client.target ++++ b/systemd/nfs-client.target +@@ -6,8 +6,8 @@ + Wants=nfs-blkmap.service + + # GSS services dependencies and ordering +-Wants=auth-rpcgss-module.service +-After=rpc-gssd.service rpc-svcgssd.service gssproxy.service ++Wants=rpc-gssd.service ++After=rpc-gssd.service + + [Install] + WantedBy=multi-user.target +--- a/systemd/nfs-server.service ++++ b/systemd/nfs-server.service +@@ -13,7 +13,7 @@ + + # GSS services dependencies and ordering + Wants=auth-rpcgss-module.service +-After=rpc-gssd.service gssproxy.service rpc-svcgssd.service ++After=rpc-gssd.service rpc-svcgssd.service + + # start/stop server before/after client + Before=remote-fs-pre.target +--- a/systemd/rpc-svcgssd.service ++++ b/systemd/rpc-svcgssd.service +@@ -6,9 +6,6 @@ + PartOf=nfs-server.service + PartOf=nfs-utils.service + +-After=gssproxy.service +-ConditionPathExists=|!/run/gssproxy.pid +-ConditionPathExists=|!/proc/net/rpc/use-gss-proxy + ConditionPathExists=/etc/krb5.keytab + + Wants=nfs-config.service
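
Review bot: the nfs-client.target hunk does more than the Description says. It replaces `Wants=auth-rpcgss-module.service` with `Wants=rpc-gssd.service` and drops rpc-svcgssd.service from After=, and neither line is a gssproxy reference. Explain both changes in the Description, or limit the hunk to removing gssproxy.service from After=. The Description also has a typo, "isn't packages".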
  4. Download patch debian/nfs-utils_env.sh

    --- 1:1.3.4-2.5/debian/nfs-utils_env.sh 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/nfs-utils_env.sh 2020-05-13 11:50:39.000000000 +0000 @@ -12,7 +12,15 @@ echo PIPEFS_MOUNTPOINT=/run/rpc_pipefs echo RPCNFSDARGS=\"$RPCNFSDOPTS ${RPCNFSDCOUNT:-8}\" echo RPCMOUNTDARGS=\"$RPCMOUNTDOPTS\" echo STATDARGS=\"$STATDOPTS\" +# The rpc-svcgssd.service systemd file uses SVCGSSDARGS, not +# RPCSVCGSSDARGS, but for a long time just the latter was exported. +# To not break upgrades for people who have worked around this by +# overriding the systemd service to use RPCSVCGSSDARGS, both variables +# are being exported now. +# See https://bugs.launchpad.net/bugs/1616123 and +# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892654 for more details. echo RPCSVCGSSDARGS=\"$RPCSVCGSSDOPTS\" +echo SVCGSSDARGS=\"$RPCSVCGSSDOPTS\" } > /run/sysconfig/nfs-utils # the following are supported by the systemd units, but not exposed in default files
  5. Download patch debian/patches/nfsiostat-replace-list-reserved-word.patch

    --- 1:1.3.4-2.5/debian/patches/nfsiostat-replace-list-reserved-word.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/nfsiostat-replace-list-reserved-word.patch 2020-05-13 11:50:39.000000000 +0000 @@ -0,0 +1,38 @@ +Description: nfsiostat: replace 'list' reserved word + list is a reserved word in python and should not be used as a variable name. + Changing list to devicelist for list_nfs_mounts(). +Forwarded: https://marc.info/?l=linux-nfs&m=155346326413894&w=2 +Origin: upstream, http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=c4c14011b70375050d7bba7c57e2eaf4c715dc7c +Bug-Debian: http://bugs.debian.org/925943 +Bug-Ubuntu: https://launchpad.net/bugs/1821261 +Author: Matthew Ruffell <matthew.ruffell@canonical.com> +Last-Update: 2019-04-02 +Index: nfs-utils-1.3.4/tools/nfs-iostat/nfs-iostat.py +=================================================================== +--- nfs-utils-1.3.4.orig/tools/nfs-iostat/nfs-iostat.py ++++ nfs-utils-1.3.4/tools/nfs-iostat/nfs-iostat.py +@@ -484,20 +484,20 @@ def list_nfs_mounts(givenlist, mountstat + return a full list if the given list is empty - + may return an empty list if none found + """ +- list = [] ++ devicelist = [] + if len(givenlist) > 0: + for device in givenlist: + stats = DeviceData() + stats.parse_stats(mountstats[device]) + if stats.is_nfs_mountpoint(): +- list += [device] ++ devicelist += [device] + else: + for device, descr in list(mountstats.items()): + stats = DeviceData() + stats.parse_stats(descr) + if stats.is_nfs_mountpoint(): +- list += [device] +- return list ++ devicelist += [device] ++ return devicelist + + def iostat_command(name): + """iostat-like command for NFS mount points
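
Review bot: the reason given in the Description is inaccurate. list is a built-in name in Python, not a reserved word, and assigning to it is legal. The failure comes from the context line `for device, descr in list(mountstats.items()):` in the same function, where the local variable shadows the built-in; that call is introduced by python3.diff. Say so in the Description and note that this patch has to follow python3.diff in the series.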
  6. Download patch debian/patches/90-gss-free-lucid-sec-context.patch

    --- 1:1.3.4-2.5/debian/patches/90-gss-free-lucid-sec-context.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/90-gss-free-lucid-sec-context.patch 2020-03-23 18:39:27.000000000 +0000 @@ -0,0 +1,20 @@ +From: Sergio Gelato <Sergio.Gelato@astro.su.se> +Subject: Fix gss_free_lucid_sec_context() call + Commit 051eb4863cf880f0349a1de44517f9c99a9c5bd4 changed + serialize_krb5_ctx() to take a pointer to gss_ctx_id_t instead of a + gss_ctx_id_t directly. The call to gss_export_lucid_sec_context() + was adjusted accordingly but the call to gss_free_lucid_sec_context() + was not. +Bug-Ubuntu: https://launchpad.net/bugs/1331201 + +--- a/utils/gssd/context_lucid.c ++++ b/utils/gssd/context_lucid.c +@@ -302,7 +302,7 @@ + else + retcode = prepare_krb5_rfc4121_buffer(lctx, buf, endtime); + +- maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx); ++ maj_stat = gss_free_lucid_sec_context(&min_stat, *ctx, return_ctx); + if (maj_stat != GSS_S_COMPLETE) { + pgsserr("gss_free_lucid_sec_context", + maj_stat, min_stat, &krb5oid);
  7. Download patch debian/control

    --- 1:1.3.4-2.5/debian/control 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/control 2020-05-13 11:50:39.000000000 +0000 @@ -1,7 +1,8 @@ Source: nfs-utils Priority: optional Section: net -Maintainer: Debian kernel team <debian-kernel@lists.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian kernel team <debian-kernel@lists.debian.org> Uploaders: Anibal Monsalve Salazar <anibal@debian.org>, Ben Hutchings <ben@decadent.org.uk>, Steve Langasek <vorlon@debian.org>, Daniel Pocock <pocock@debian.org> Build-Depends: debhelper (>= 9.20160709), libwrap0-dev, libevent-dev, libnfsidmap-dev (>= 0.24), libkrb5-dev, libblkid-dev, libkeyutils-dev, pkg-config, libldap2-dev, libcap-dev, libtirpc-dev (>= 1.0.2), libdevmapper-dev, dh-autoreconf, libmount-dev, libsqlite3-dev Standards-Version: 4.2.1 @@ -32,7 +33,7 @@ Homepage: http://nfs.sourceforge.net/ Package: nfs-common Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, rpcbind, adduser, ucf, lsb-base (>= 1.3-9ubuntu3), keyutils -Recommends: python +Recommends: python3 Suggests: open-iscsi, watchdog Provides: nfs-client Conflicts: nfs-client
  8. Download patch debian/patches/truncate_uid.patch

    --- 1:1.3.4-2.5/debian/patches/truncate_uid.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/truncate_uid.patch 2020-05-13 11:50:39.000000000 +0000 
@@ -0,0 +1,64 @@ +From 2a6b8307fa4243a7921270aedf8ce6506e31569a Mon Sep 17 00:00:00 2001 +From: Steve Dickson <steved@redhat.com> +Date: Tue, 17 Jul 2018 15:09:37 -0400 +Subject: [PATCH] rpc.gssd: truncates 32-bit UIDs/GIDs to 16 bits + architectures. + +utils/gssd_proc.c uses SYS_setresuid and SYS_setresgid in +change_identity when it should use SYS_setresuid32 and +SYS_setresgid32 instead. This causes it to truncate +UIDs/GIDs > 65536. + +Fixes: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1779962 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1595927 + +Tested-by: James Ettle <theholyettlz@googlemail.com> +Tested-by: Sree <Sree@gmail.com> +Signed-off-by: Steve Dickson <steved@redhat.com> +--- + utils/gssd/gssd_proc.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c +index 8767e26..7a57c4e 100644 +--- a/utils/gssd/gssd_proc.c ++++ b/utils/gssd/gssd_proc.c +@@ -434,6 +434,7 @@ static int + change_identity(uid_t uid) + { + struct passwd *pw; ++ int res; + + /* drop list of supplimentary groups first */ + if (syscall(SYS_setgroups, 0, 0) != 0) { +@@ -459,14 +460,23 @@ change_identity(uid_t uid) + * send a signal to all other threads to synchronize the uid in all + * other threads. To bypass this, we have to call syscall() directly. 
+ */ +- if (syscall(SYS_setresgid, pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { ++#ifdef __NR_setresuid32 ++ res = syscall(SYS_setresgid32, pw->pw_gid, pw->pw_gid, pw->pw_gid); ++#else ++ res = syscall(SYS_setresgid, pw->pw_gid, pw->pw_gid, pw->pw_gid); ++#endif ++ if (res != 0) { + printerr(0, "WARNING: failed to set gid to %u!\n", pw->pw_gid); + return errno; + } + +- if (syscall(SYS_setresuid, uid, uid, uid) != 0) { +- printerr(0, "WARNING: Failed to setuid for user with uid %u\n", +- uid); ++#ifdef __NR_setresuid32 ++ res = syscall(SYS_setresuid32, uid, uid, uid); ++#else ++ res = syscall(SYS_setresuid, uid, uid, uid); ++#endif ++ if (res != 0) { ++ printerr(0, "WARNING: Failed to setuid for user with uid %u\n", uid); + return errno; + } + +-- +1.8.3.1 +
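
Review bot: in the second hunk of change_identity() the group branch is guarded by `#ifdef __NR_setresuid32` but calls SYS_setresgid32; the guard should test `__NR_setresgid32`. truncate_uid_2.patch corrects this later in the series, so the two patches could be folded. Separately, both error paths call printerr() and then `return errno`, so the value returned may be one set inside printerr(); save errno in a local before logging.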
  9. Download patch debian/nfs-common.postinst

    --- 1:1.3.4-2.5/debian/nfs-common.postinst 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/nfs-common.postinst 2020-06-17 12:42:59.000000000 +0000 @@ -21,9 +21,14 @@ case "$1" in fi fi + # Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be + # accessible by statd or sm-notify after they drop privileges. + # (CVE-2019-3689) + if dpkg --compare-versions "$2" lt 1:1.3.4-2.5ubuntu5; then + chown root:root /var/lib/nfs + fi chown statd: /var/lib/nfs/sm \ - /var/lib/nfs/sm.bak \ - /var/lib/nfs + /var/lib/nfs/sm.bak if [ -f /var/lib/nfs/state ]; then chown statd /var/lib/nfs/state fi
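
Review bot: the `chown statd: /var/lib/nfs/sm /var/lib/nfs/sm.bak` that follows the new block still runs as root on entries inside a directory that statd owned until this upgrade, so those entries are not guaranteed to be what the package created. Consider `chown -h`, or a check that sm and sm.bak are real directories, before changing ownership. The new `chown root:root /var/lib/nfs` is also non-recursive, so anything else statd created at the top level keeps its owner; the comment should say whether that is intended.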
  10. Download patch debian/patches/01-sm-notify-in-sbin.patch

    --- 1:1.3.4-2.5/debian/patches/01-sm-notify-in-sbin.patch 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/01-sm-notify-in-sbin.patch 2020-05-13 11:50:39.000000000 +0000 @@ -1,6 +1,6 @@ ---- a/utils/statd/statd.c 2010-02-18 23:35:00.000000000 +1100 -+++ b/utils/statd/statd.c 2010-04-06 16:12:51.000000000 +1000 -@@ -190,7 +190,7 @@ static void run_sm_notify(int outport) +--- a/utils/statd/statd.c ++++ b/utils/statd/statd.c +@@ -194,7 +194,7 @@ char *av[6]; int ac = 0;
  11. Download patch debian/patches/python3.diff

    --- 1:1.3.4-2.5/debian/patches/python3.diff 1970-01-01 00:00:00.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/python3.diff 2020-05-13 11:50:39.000000000 +0000 
@@ -0,0 +1,97 @@ +--- nfs-utils-1.3.4.orig/tools/mountstats/mountstats.py ++++ nfs-utils-1.3.4/tools/mountstats/mountstats.py +@@ -1,10 +1,8 @@ +-#!/usr/bin/env python ++#!/usr/bin/python3 + # -*- python-mode -*- + """Parse /proc/self/mountstats and display it in human readable form + """ + +-from __future__ import print_function +- + __copyright__ = """ + Copyright (C) 2005, Chuck Lever <cel@netapp.com> + +@@ -522,9 +520,9 @@ class DeviceData: + protocol = self.__rpc_data['protocol'] + + # copy self into result +- for key, value in self.__nfs_data.items(): ++ for key, value in list(self.__nfs_data.items()): + result.__nfs_data[key] = value +- for key, value in self.__rpc_data.items(): ++ for key, value in list(self.__rpc_data.items()): + result.__rpc_data[key] = value + + # compute the difference of each item in the list +@@ -711,7 +709,7 @@ def mountstats_command(args): + continue + mountpoints = check + else: +- for device, descr in mountstats.items(): ++ for device, descr in list(mountstats.items()): + stats = DeviceData() + stats.parse_stats(descr) + if stats.is_nfs_mountpoint(): +@@ -770,7 +768,7 @@ def nfsstat_command(args): + continue + mountpoints = check + else: +- for device, descr in mountstats.items(): ++ for device, descr in list(mountstats.items()): + stats = DeviceData() + stats.parse_stats(descr) + if stats.is_nfs_mountpoint(): +@@ -801,7 +799,7 @@ def nfsstat_command(args): + elif vers == 4 and (show_both or args.show_v4): + v4stats.accumulate_iostats(acc_stats) + +- sends, retrans, authrefrsh = map(add, v3stats.client_rpc_stats(), v4stats.client_rpc_stats()) ++ sends, retrans, authrefrsh = list(map(add, v3stats.client_rpc_stats(), v4stats.client_rpc_stats())) + print('Client rpc stats:') + print('calls retrans authrefrsh') + print('%-11u%-11u%-11u' % (sends, retrans, authrefrsh)) +@@ -852,7 +850,7 @@ def iostat_command(args): + continue + devices = check + else: +- for device, descr in mountstats.items(): ++ for device, descr in 
list(mountstats.items()): + stats = DeviceData() + stats.parse_stats(descr) + if stats.is_nfs_mountpoint(): +--- nfs-utils-1.3.4.orig/tools/nfs-iostat/nfs-iostat.py ++++ nfs-utils-1.3.4/tools/nfs-iostat/nfs-iostat.py +@@ -1,10 +1,8 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 + # -*- python-mode -*- + """Emulate iostat for NFS mount points using /proc/self/mountstats + """ + +-from __future__ import print_function +- + __copyright__ = """ + Copyright (C) 2005, Chuck Lever <cel@netapp.com> + +@@ -203,9 +201,9 @@ class DeviceData: + result = DeviceData() + + # copy self into result +- for key, value in self.__nfs_data.items(): ++ for key, value in list(self.__nfs_data.items()): + result.__nfs_data[key] = value +- for key, value in self.__rpc_data.items(): ++ for key, value in list(self.__rpc_data.items()): + result.__rpc_data[key] = value + + # compute the difference of each item in the list +@@ -494,7 +492,7 @@ def list_nfs_mounts(givenlist, mountstat + if stats.is_nfs_mountpoint(): + list += [device] + else: +- for device, descr in mountstats.items(): ++ for device, descr in list(mountstats.items()): + stats = DeviceData() + stats.parse_stats(descr) + if stats.is_nfs_mountpoint():
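
Review bot: the last hunk, in list_nfs_mounts() of nfs-iostat.py, adds `list(mountstats.items())` to a function whose context lines still assign to a local named list (`list += [device]`), so the built-in is shadowed there until nfsiostat-replace-list-reserved-word.patch is applied. Fold the rename into this patch or drop the list() wrapper in that loop. The patch also has no header at all (Description, Author, Forwarded), unlike the other Ubuntu patches in this series.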
  12. Download patch debian/nfs-kernel-server.install

    --- 1:1.3.4-2.5/debian/nfs-kernel-server.install 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/nfs-kernel-server.install 2020-05-28 21:29:06.000000000 +0000 @@ -10,3 +10,4 @@ debian/etc.exports /usr/share/nfs-kernel systemd/nfs-blkmap.service /lib/systemd/system systemd/nfs-mountd.service /lib/systemd/system systemd/nfs-server.service /lib/systemd/system +systemd/nfs-server-generator /lib/systemd/system-generators
  13. Download patch debian/patches/fix-start-ordering-1.patch
  14. Download patch debian/patches/series

    --- 1:1.3.4-2.5/debian/patches/series 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/series 2020-06-17 12:42:59.000000000 +0000 @@ -8,10 +8,21 @@ 27-systemd-enable-with-systemctl-statd.patch unbreak-blkmapd-rpc_pipefs-run.patch unbreak-gssd-rpc_pipefs-run.patch +remove-gssproxy.patch +90-gss-free-lucid-sec-context.patch +systemd-Fix-nfs-mountd-dependency-on-rpcbind.patch 28-nfs-utils_env-location.patch 29-start-statd-fd-9.patch 0001-rpc.c-added-include-file-so-UINT16_MAX-is-defined.patch +python3.diff 30-remove-whitespace-service.patch fix-glibc2.28-ftbfs.patch 0010-gssd-replace-non-thread-safe-strtok-with-strsep.patch 0011-gssd-Duplicate-the-upcall-string-for-error-messages.patch +truncate_uid.patch +truncate_uid_2.patch +nfsiostat-replace-list-reserved-word.patch +fix-start-ordering-1.patch +fix-start-ordering-2.patch +fix-start-ordering-3.patch +CVE-2019-3689.patch
  15. Download patch debian/patches/fix-start-ordering-2.patch
  16. Download patch debian/patches/17-multiarch-kerberos-paths.patch

    --- 1:1.3.4-2.5/debian/patches/17-multiarch-kerberos-paths.patch 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/17-multiarch-kerberos-paths.patch 2020-05-13 11:50:39.000000000 +0000 @@ -1,5 +1,5 @@ ---- trunk.orig/aclocal/kerberos5.m4 -+++ trunk/aclocal/kerberos5.m4 +--- a/aclocal/kerberos5.m4 ++++ b/aclocal/kerberos5.m4 @@ -29,6 +29,7 @@ elif test -f "/usr/lib/mit/bin/krb5-config"; then K5CONFIG="/usr/lib/mit/bin/krb5-config" @@ -8,7 +8,7 @@ if test "$K5CONFIG" != ""; then KRBCFLAGS=`$K5CONFIG --cflags` KRBLIBS=`$K5CONFIG --libs` -@@ -38,6 +39,7 @@ +@@ -40,6 +41,7 @@ \( -f $dir/lib/libgssapi_krb5.a -o \ -f $dir/lib64/libgssapi_krb5.a -o \ -f $dir/lib64/libgssapi_krb5.so -o \
  17. Download patch debian/patches/fix-start-ordering-3.patch

    --- 1:1.3.4-2.5/debian/patches/fix-start-ordering-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/fix-start-ordering-3.patch 2020-05-28 21:39:07.000000000 +0000 @@ -0,0 +1,24 @@ +Description: Build nfs-server-generator without --with-systemd flag +Author: Dan Streetman <ddstreet@ubuntu.com> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1871214 + +--- nfs-utils-1.3.4.orig/systemd/Makefile.am ++++ nfs-utils-1.3.4/systemd/Makefile.am +@@ -38,8 +38,8 @@ endif + + EXTRA_DIST = $(unit_files) + +-unit_dir = /usr/lib/systemd/system +-generator_dir = /usr/lib/systemd/system-generators ++unit_dir = /lib/systemd/system ++generator_dir = /lib/systemd/system-generators + + EXTRA_PROGRAMS = nfs-server-generator + genexecdir = $(generator_dir) +@@ -52,4 +52,6 @@ genexec_PROGRAMS = nfs-server-generator + install-data-hook: $(unit_files) + mkdir -p $(DESTDIR)/$(unitdir) + cp $(unit_files) $(DESTDIR)/$(unitdir) ++else ++noinst_PROGRAMS = nfs-server-generator + endif
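
Review bot: the Description covers only building nfs-server-generator without the systemd flag, but the first hunk also moves unit_dir and generator_dir from /usr/lib/systemd to /lib/systemd. State that in the Description. In the second hunk the new else branch uses `noinst_PROGRAMS`, so on that path the generator is built but not installed by make; note that debian/nfs-kernel-server.install picks it up from systemd/ instead.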
  18. Download patch debian/patches/CVE-2019-3689.patch

    --- 1:1.3.4-2.5/debian/patches/CVE-2019-3689.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/CVE-2019-3689.patch 2020-06-09 12:12:57.000000000 +0000 
@@ -0,0 +1,93 @@ +From: NeilBrown <neilb@suse.de> +Date: Mon, 14 Oct 2019 14:12:49 -0400 +Subject: statd: take user-id from /var/lib/nfs/sm +Origin: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=fee2cc29e888f2ced6a76990923aef19d326dc0e +Bug: https://bugzilla.linux-nfs.org/show_bug.cgi?id=338 +Bug-Debian: https://bugs.debian.org/940848 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3689 +Bug: https://bugzilla.suse.com/show_bug.cgi?id=1150733 + +Having /var/lib/nfs writeable by statd is not ideal +as there are files in there that statd doesn't need +to access. +After dropping privs, statd and sm-notify only need to +access files in the directories sm and sm.bak. +So take the uid for these deamons from 'sm'. + +Signed-off-by: NeilBrown <neilb@suse.de> +Signed-off-by: Steve Dickson <steved@redhat.com> +--- + support/nsm/file.c | 16 +++++----------- + utils/statd/sm-notify.man | 10 +++++++++- + utils/statd/statd.man | 10 +++++++++- + 3 files changed, 23 insertions(+), 13 deletions(-) + +--- a/support/nsm/file.c ++++ b/support/nsm/file.c +@@ -426,23 +426,17 @@ nsm_drop_privileges(const int pidfd) + + (void)umask(S_IRWXO); + +- /* +- * XXX: If we can't stat dirname, or if dirname is owned by +- * root, we should use "statduser" instead, which is set up +- * by configure.ac. Nothing in nfs-utils seems to use +- * "statduser," though. +- */ +- if (lstat(nsm_base_dirname, &st) == -1) { +- xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname); +- return false; +- } +- + if (chdir(nsm_base_dirname) == -1) { + xlog(L_ERROR, "Failed to change working directory to %s: %m", + nsm_base_dirname); + return false; + } + ++ if (lstat(NSM_MONITOR_DIR, &st) == -1) { ++ xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR); ++ return false; ++ } ++ + if (!prune_bounding_set()) + return false; + +--- a/utils/statd/sm-notify.man ++++ b/utils/statd/sm-notify.man +@@ -190,7 +190,15 @@ by default. 
+ After starting, + .B sm-notify + attempts to set its effective UID and GID to the owner +-and group of this directory. ++and group of the subdirectory ++.B sm ++of this directory. After changing the effective ids, ++.B sm-notify ++only needs to access files in ++.B sm ++and ++.B sm.bak ++within the state-directory-path. + .TP + .BI -v " ipaddr " | " hostname + Specifies the network address from which to send reboot notifications, +--- a/utils/statd/statd.man ++++ b/utils/statd/statd.man +@@ -259,7 +259,15 @@ by default. + After starting, + .B rpc.statd + attempts to set its effective UID and GID to the owner +-and group of this directory. ++and group of the subdirectory ++.B sm ++of this directory. After changing the effective ids, ++.B rpc.statd ++only needs to access files in ++.B sm ++and ++.B sm.bak ++within the state-directory-path. + .TP + .BR -v ", " -V ", " --version + Causes
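
Review bot: the support/nsm/file.c hunk deletes the XXX comment about a directory owned by root together with the old lstat(), but the same question now applies to sm. The lines that consume `st` are outside the hunk, so it is not visible what happens when sm is owned by root; keep a comment describing that case next to the new `lstat(NSM_MONITOR_DIR, &st)` or state in the commit message how it is handled. The new lstat() takes a relative path and is correct only because it follows the chdir(); a short comment would protect that ordering. The message also has the typo "deamons".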
  19. Download patch debian/nfs-common.default

    --- 1:1.3.4-2.5/debian/nfs-common.default 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/nfs-common.default 2020-03-23 18:39:27.000000000 +0000 @@ -2,8 +2,6 @@ # autodetected; this should be sufficient for most people. Valid alternatives # for the NEED_ options are "yes" and "no". -# Do you want to start the statd daemon? It is not needed for NFSv4. -NEED_STATD= # Options for rpc.statd. # Should rpc.statd listen on a specific port? This is especially useful @@ -12,8 +10,5 @@ NEED_STATD= # For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS STATDOPTS= -# Do you want to start the idmapd daemon? It is only needed for NFSv4. -NEED_IDMAPD= - # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=
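
Review bot: the first hunk removes `NEED_STATD=` as well as `NEED_IDMAPD=`, while the changelog entry for debian/nfs-common.default mentions only idmapd. Update the changelog wording or keep NEED_STATD. With both blocks gone, the retained header comment about "the NEED_ options" now introduces a file whose only such option is NEED_GSSD; reword it to match.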
  20. Download patch debian/patches/systemd-Fix-nfs-mountd-dependency-on-rpcbind.patch

    --- 1:1.3.4-2.5/debian/patches/systemd-Fix-nfs-mountd-dependency-on-rpcbind.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/systemd-Fix-nfs-mountd-dependency-on-rpcbind.patch 2020-03-23 18:39:27.000000000 +0000 
@@ -0,0 +1,44 @@ +Description: systemd: Fix nfs-mountd dependency on rpcbind + +Following commit 91da135f - it replaced "rpcbind.target" by "rpcbind.socket" in +some unit files - "rpcbind.socket" should also be added to "nfs-mountd.service" +as a dependency to avoid race conditions. + +Usually "rpcbind.socket" is either started as a "sockets.target" dependency, or +as a dependency for "nfs-server.service", when unit files include it in +"BindsTo" or "After". Unfortunately there is a possilibility to have +"nfs-mountd.service" started when the rpcbind socket is not yet created: + +systemd[1]: Starting NFS Mount Daemon... +systemd[1]: nfs-mountd.service: Control process exited, code=exited status=1 +systemd[1]: Failed to start NFS Mount Daemon. +systemd[1]: nfs-mountd.service: Unit entered failed state. +systemd[1]: nfs-mountd.service: Failed with result 'exit-code'. + +Nowadays "nfs-mountd.service" uses "BindTo" directive to "nfs-server.service". +That, per se, doesn't guarantee ordering for NFS server to start rpcbind and for +nfs-mountd to depend on it. + +https://bugs.launchpad.net/bugs/1590799 + +Reviewed-by: NeilBrown <neilb@suse.com> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@canonical.com> +Signed-off-by: Steve Dickson <steved@redhat.com> +- +Author: Rafael David Tinoco <rafael.tinoco@canonical.com> +Origin: upstream, commit: 907426b00bdcd69d9a56ac1870990e8ae8c6fe9f +Bug-Debian: https://bugs.debian.org/856328 +Bug-Ubuntu: https://launchpad.net/bugs/1590799 +Reviewed-By: Rafael David Tinoco <rafael.tinoco@canonical.com> +Last-Update: 2017-03-01 + +--- nfs-utils-1.2.8.orig/systemd/nfs-mountd.service ++++ nfs-utils-1.2.8/systemd/nfs-mountd.service +@@ -4,6 +4,7 @@ DefaultDependencies=no + Requires=proc-fs-nfsd.mount + After=proc-fs-nfsd.mount + After=network.target local-fs.target ++After=rpcbind.socket + BindsTo=nfs-server.service + + Wants=nfs-config.service
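
Review bot: `After=rpcbind.socket` only orders nfs-mountd.service after rpcbind.socket when both are part of the same start transaction; it does not pull the socket in. The message relies on sockets.target or nfs-server.service starting it, so say explicitly that no Wants= or Requires= is intended here. The message also writes "BindTo" for the BindsTo= directive and has the typo "possilibility", and the diff paths name nfs-utils-1.2.8 although the package is 1.3.4, so the patch is due a refresh.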
  21. Download patch debian/patches/03-handle-mtab-symlink.patch

    --- 1:1.3.4-2.5/debian/patches/03-handle-mtab-symlink.patch 2019-04-06 16:30:39.000000000 +0000 +++ 1:1.3.4-2.5ubuntu5/debian/patches/03-handle-mtab-symlink.patch 2020-05-13 11:50:39.000000000 +0000 @@ -1,6 +1,6 @@ ---- a/utils/mount/fstab.c 2010-02-18 23:35:00.000000000 +1100 -+++ b/utils/mount/fstab.c 2010-04-06 16:12:51.000000000 +1000 -@@ -57,7 +57,7 @@ mtab_does_not_exist(void) { +--- a/utils/mount/fstab.c ++++ b/utils/mount/fstab.c +@@ -57,7 +57,7 @@ return var_mtab_does_not_exist; } @@ -9,8 +9,8 @@ mtab_is_a_symlink(void) { get_mtab_info(); return var_mtab_is_a_symlink; ---- a/utils/mount/fstab.h 2010-02-18 23:35:00.000000000 +1100 -+++ b/utils/mount/fstab.h 2010-04-06 16:12:51.000000000 +1000 +--- a/utils/mount/fstab.h ++++ b/utils/mount/fstab.h @@ -7,6 +7,7 @@ #define _PATH_FSTAB "/etc/fstab" #endif @@ -19,9 +19,9 @@ int mtab_is_writable(void); int mtab_does_not_exist(void); void reset_mtab_info(void); ---- a/utils/mount/mount.c 2010-02-18 23:35:00.000000000 +1100 -+++ b/utils/mount/mount.c 2010-04-06 16:12:51.000000000 +1000 -@@ -232,6 +232,13 @@ create_mtab (void) { +--- a/utils/mount/mount.c ++++ b/utils/mount/mount.c +@@ -204,6 +204,13 @@ int flags; mntFILE *mfp;
  1. libnfsidmap
  2. nfs-ganesha
  3. nfs-utils