File 0008-rpcinfo-improve-implicit-portmapper-rules-logic.patch of Package SuSEfirewall2.6018
From a720fa197f4d8e9680d7a6dc193ed01cfc9f09c1 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Thu, 19 Oct 2017 14:16:49 +0200
Subject: [PATCH] rpcinfo: fixed implicit portmapper rules logic (bnc#1064127,
CVE-2017-15638)
- no longer rely on the environment variable to control the implicit add
- only add the rule implicitly for parameters that include source
net/port restrictions, and apply those same restrictions to the
portmapper rules as well
---
SuSEfirewall2 | 9 +++++++--
SuSEfirewall2-rpcinfo | 13 +++++++------
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/SuSEfirewall2 b/SuSEfirewall2
index 481eb71..f82e87b 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -1866,10 +1866,15 @@ process_trusted_nets()
# determine port numbers of rpc services and generate a suitable iptables
# parameter fragment
#
-# parameters: names of rpc services, e.g. ypbind mountd
+# parameters:
+# $1: names of rpc services, e.g. ypbind mountd or a comma separated tuple
+# like 192.168.1.0/24,_rpc_,nfs
rpcservicerules()
{
- perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$@" 2>/dev/null
+ # The -rpcinfo script by default implicitly adds extra rules for portmap
+ # itself. This is because portmap needs to be reached in order for other
+ # rpc services to work at all.
+ perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$1"
}
# parameters: REJECT|DROP
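Review bot: The rewritten `perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$1"` line passes only the first positional argument, so any further arguments a caller hands to rpcservicerules are silently dropped, and the former `2>/dev/null` is gone, so rpcinfo diagnostics now reach the firewall script's stderr; neither change is mentioned in the commit message. If the single-argument form is intended, the new comment should say so, e.g. `# only $1 is consulted; further arguments are ignored`, or the function could warn with `[ $# -le 1 ] || echo "rpcservicerules: ignoring extra arguments" >&2`. The comment also says the helper adds portmapper rules "by default", but the companion change to SuSEfirewall2-rpcinfo appears to make that addition unconditional per restriction tuple, so "by default" suggests a switch that no longer exists and could be dropped.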
diff --git a/SuSEfirewall2-rpcinfo b/SuSEfirewall2-rpcinfo
index 3abf3c4..2ab209a 100755
--- a/SuSEfirewall2-rpcinfo
+++ b/SuSEfirewall2-rpcinfo
@@ -60,6 +60,13 @@ foreach my $service (@ARGV)
$h{'net'} = $a[0] if($a[0] && length($a[0]));
$h{'sport'} = $a[3] if($a[3] && length($a[3]));
push @{$services{$a[2]}}, \%h;
+ # always also add portmapper with the given restrictions so clients
+ # can query for the service ports in question
+ #
+ # use a copy of the hashmap lest we share data between services with
+ # strange results
+ my %copy = %h;
+ push @{$services{'portmapper'}}, \%copy;
}
}
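Review bot: The new `push @{$services{'portmapper'}}, \%copy;` runs for every tuple, including one whose service field `$a[2]` is itself `portmapper`, so that entry is recorded twice with identical restrictions; this only duplicates the generated rule, but `push @{$services{'portmapper'}}, \%copy unless $a[2] eq 'portmapper';` avoids it. The copy of `%h` is shallow, which is sufficient here because the visible values are plain scalars taken from `@a`; the comment could note that so a future reference-valued key is not silently shared. Within this branch the push is unconditional, so whether a bare service name without net/port restriction also reaches it depends on code above the hunk, which is outside this view. The enclosing foreach body starts outside the hunk.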
@@ -144,12 +151,6 @@ sub getportsfor($$)
}
}
close FILE;
-
- # always also add portmapper
- if($ret && !exists $services{'portmapper'})
- {
- push @{$services{'portmapper'}}, { tcp => [111], udp => [111] };
- }
}
getportsfor('udp', \%udpports);
--
2.13.6