File 0008-rpcinfo-improve-implicit-portmapper-rules-logic.patch of Package SuSEfirewall2.6458
From a720fa197f4d8e9680d7a6dc193ed01cfc9f09c1 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Thu, 19 Oct 2017 14:16:49 +0200 Subject: [PATCH] rpcinfo: fixed implicit portmapper rules logic (bnc#1064127, CVE-2017-15638) - no longer rely on the environment variable to control the implicit add - only add the rule implicitly for parameters that include source net/port restrictions, and here actually respect them also for the portmapper rules --- SuSEfirewall2 | 9 +++++++-- SuSEfirewall2-rpcinfo | 13 +++++++------ 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/SuSEfirewall2 b/SuSEfirewall2 index 481eb71..f82e87b 100755 --- a/SuSEfirewall2 +++ b/SuSEfirewall2 @@ -1866,10 +1866,15 @@ process_trusted_nets() # determine port numbers of rpc services and generate a suitable iptables # parameter fragment # -# parameters: names of rpc services, e.g. ypbind mountd +# parameters: +# $1: names of rpc services, e.g. ypbind mountd or a comma separated tuple +# like 192.168.1.0/24,_rpc_,nfs rpcservicerules() { - perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$@" 2>/dev/null + # The -rpcinfo script by default implicitly adds extra rules for portmap + # itself. This is because portmap needs to be reached in order for other + # rpc services to work at all. + perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$1" } # parameters: REJECT|DROP diff --git a/SuSEfirewall2-rpcinfo b/SuSEfirewall2-rpcinfo index 3abf3c4..2ab209a 100755 --- a/SuSEfirewall2-rpcinfo +++ b/SuSEfirewall2-rpcinfo @@ -60,6 +60,13 @@ foreach my $service (@ARGV) $h{'net'} = $a[0] if($a[0] && length($a[0])); $h{'sport'} = $a[3] if($a[3] && length($a[3])); push @{$services{$a[2]}}, \%h; + # always also add portmapper with the given restrictions so clients + # can query for the service ports in question + # + # use a copy of the hashmap lest we share data between services with + # strange results + my %copy = %h; + push @{$services{'portmapper'}}, \%copy; } } 
@@ -144,12 +151,6 @@ sub getportsfor($$) } } close FILE; - - # always also add portmapper - if($ret && !exists $services{'portmapper'}) - { - push @{$services{'portmapper'}}, { tcp => [111], udp => [111] }; - } } getportsfor('udp', \%udpports); -- 2.13.6
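Review bot: In the `rpcservicerules()` hunk of `SuSEfirewall2`, switching the call from `"$@"` to `"$1"` drops every argument after the first, so a caller that still passes several service names as separate words (the `ypbind mountd` form that the updated `# $1:` comment itself still mentions) would have all but the first silently ignored; either keep `"$@"` or make the comment state that a single, possibly comma-separated, argument is required. The new comment also says the -rpcinfo script "by default implicitly adds" portmapper rules, but the commit message says the environment-variable control is gone and the rpcinfo change adds portmapper unconditionally, so "by default" should read "always" to avoid implying there is still a switch. Dropping `2>/dev/null` is fine for diagnosability, but the commit message should mention that perl errors now reach the caller's stderr.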
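Review bot: In the `foreach my $service (@ARGV)` hunk of `SuSEfirewall2-rpcinfo`, `push @{$services{'portmapper'}}, \%copy;` runs once per parsed tuple, so a list of N restricted services produces N portmapper entries, each carrying that tuple's `net` and `sport`; where several tuples share the same restriction this yields duplicate portmapper rules, and a short existence check for an identical entry before the push would keep the generated rule set minimal. The `my %copy = %h;` shallow copy is sufficient here because the visible keys (`net`, `sport`) hold scalars, which is worth stating in the comment so nobody later adds a reference-valued key without revisiting it.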
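Review bot: In the `getportsfor($$)` hunk, removing the `if($ret && !exists $services{'portmapper'})` block deletes the only path that created a portmapper entry for invocations using bare service names, and it also deletes the literal `tcp => [111], udp => [111]` fallback; after this change portmapper rules exist only for comma-separated tuples (added in the preceding hunk) and their ports come from the same lookup the other services use. If that tightening is intended, which the commit message implies, the commit message and the `rpcservicerules` comment should say explicitly that bare service names no longer open the portmapper port and that no hardcoded 111 fallback remains when the lookup yields nothing.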