File 0003-rpcinfo-improve-implicit-portmapper-rules-logic.patch of Package SuSEfirewall2.openSUSE_Leap_42.3_Update
From a3cb3311d855a786d73399ccdbde9a45ac0c9c64 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Thu, 19 Oct 2017 13:30:02 +0200
Subject: [PATCH] rpcinfo: fixed implicit portmapper rules logic (bnc#1064127,
CVE-2017-15638)
- no longer rely on the environment variable to control the implicit add
- only add the rule implicitly for parameters that include source
net/port restrictions, and there actually honour those restrictions for the
portmapper rules as well
---
SuSEfirewall2 | 22 +++++-----------------
SuSEfirewall2-rpcinfo | 13 +++++++------
2 files changed, 12 insertions(+), 23 deletions(-)
diff --git a/SuSEfirewall2 b/SuSEfirewall2
index 55f4d5e..b657a90 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -2044,27 +2044,15 @@ process_trusted_nets()
# parameter fragment
#
# parameters:
-# $1: names of rpc services, e.g. ypbind mountd
-# $2: whether portmapper ports shall be implicitly added (boolean)
+# $1: names of rpc services, e.g. ypbind mountd or a comma separated tuple
+# like 192.168.1.0/24,_rpc_,nfs
rpcservicerules()
{
+
# The -rpcinfo script by default implicitly adds extra rules for portmap
# itself. This is because portmap needs to be reached in order for other
# rpc services to work at all.
- # In some contexts this generates superfluous portmap rules, however. In
- # conjunction with the update-rpc functionality we might end up with a lot
- # of redundant rules. Thus we can selectively disabled this implicit
- # behaviour.
- # It would be better to only explicitly add the portmap rules. But this
- # required more refactoring, and also the current solution is buggy: The
- # implicit portmap rules don't take source subnet restrictions into
- # account.
- if [ $# -eq 2 ] && ! $2; then
- export NOPORTMAP=1
- fi
-
- perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$@" 2>/dev/null
- unset NOPORTMAP
+ perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$1"
}
# parameters:
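Review bot: The comment kept at the top of rpcservicerules still says the -rpcinfo script adds portmapper rules "by default", but with the NOPORTMAP toggle removed there is no longer a way to switch that off, so the wording is now misleading; I would replace it with `# The -rpcinfo script always adds rules for portmapper itself, carrying over the same source net/port restrictions, because portmapper must be reachable for any other rpc service to work.` The new call also narrows `"$@"` to `"$1"`, which silently drops any further arguments a caller passes; either document that the function takes exactly one argument in the header comment or add `[ $# -eq 1 ] || return 1` before the perl invocation. Dropping `2>/dev/null` means the perl script's diagnostics now reach the caller's stderr, which seems intentional but is worth a word in the commit message. The stray blank line after the opening brace can go.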
@@ -2255,7 +2243,7 @@ allow_rpc_services()
# skip not matching services for incremental updates
[ -n "$selected" -a "$selected" != "$service" -a "$service" != "portmapper" ] && continue
comment_pars "rpc.$service"
- rpcservicerules $service false | while read ARG; do
+ rpcservicerules $service | while read ARG; do
$LAC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG
$LAA $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG
$IPTABLES $rpc_insert $comment -j "$ACCEPT" $ARG
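Review bot: `rpcservicerules $service` passes the service specification unquoted, and since rpcservicerules now forwards only `"$1"` to the perl script, any word after the first would be silently discarded rather than forwarded as before; quoting it, `rpcservicerules "$service" | while read ARG; do`, keeps the whole tuple intact regardless of its contents. The `read ARG` without `-r` also lets a backslash in the script's output be consumed before it reaches the iptables command line, which presumably never happens for the generated fragments but costs nothing to guard against. The enclosing allow_rpc_services loop starts outside the hunk.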
diff --git a/SuSEfirewall2-rpcinfo b/SuSEfirewall2-rpcinfo
index 4f93eaf..2ab209a 100755
--- a/SuSEfirewall2-rpcinfo
+++ b/SuSEfirewall2-rpcinfo
@@ -60,6 +60,13 @@ foreach my $service (@ARGV)
$h{'net'} = $a[0] if($a[0] && length($a[0]));
$h{'sport'} = $a[3] if($a[3] && length($a[3]));
push @{$services{$a[2]}}, \%h;
+ # always also add portmapper with the given restrictions so clients
+ # can query for the service ports in question
+ #
+ # use a copy of the hashmap lest we share data between services with
+ # strange results
+ my %copy = %h;
+ push @{$services{'portmapper'}}, \%copy;
}
}
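Review bot: The unconditional push of `\%copy` into `$services{'portmapper'}` produces a duplicate entry whenever the service named in `$a[2]` is portmapper itself, because the line just above already pushed `\%h` under that same key; guarding it with `push @{$services{'portmapper'}}, \%copy unless $a[2] eq 'portmapper';` avoids generating the portmapper rule twice with identical restrictions. More importantly, the entry is now added for every argument before any lookup happens, whereas the block removed further down only added portmapper when `$ret` indicated the service was actually found, so if I read the old check correctly a configured but unregistered rpc service will now open port 111 to the given source net anyway; a short comment stating that this is intended, or a check against the resolved services, would settle it. The shallow `my %copy = %h;` is fine for the scalar `net`/`sport` values visible here, but should %h ever hold references the two entries would still share them. The foreach over @ARGV begins before this hunk.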
@@ -144,12 +151,6 @@ sub getportsfor($$)
}
}
close FILE;
-
- # always also add portmapper
- if($ret && !defined $ENV{"NOPORTMAP"} && !exists $services{'portmapper'})
- {
- push @{$services{'portmapper'}}, { tcp => [111], udp => [111] };
- }
}
getportsfor('udp', \%udpports);
--
2.13.6