diff --git a/autofs-5.0.2-hosts-nosuid-default.patch b/autofs-5.0.2-hosts-nosuid-default.patch
new file mode 100644
index 0000000..b93e5c8
--- /dev/null
+++ b/autofs-5.0.2-hosts-nosuid-default.patch
@@ -0,0 +1,76 @@
+diff -up autofs-5.0.1/modules/parse_sun.c.hosts-nosuid-default autofs-5.0.1/modules/parse_sun.c
+--- autofs-5.0.1/modules/parse_sun.c.hosts-nosuid-default 2007-12-05 17:07:25.000000000 +0900
++++ autofs-5.0.1/modules/parse_sun.c 2007-12-05 17:07:55.000000000 +0900
+@@ -496,6 +496,7 @@ static int sun_mount(struct autofs_point
+ int rv, cur_state;
+ char *mountpoint;
+ char *what;
++ char *type;
+
+ if (*options == '\0')
+ options = NULL;
+@@ -585,6 +586,36 @@ static int sun_mount(struct autofs_point
+ mountpoint = alloca(namelen + 1);
+ sprintf(mountpoint, "%.*s", namelen, name);
+
++ type = ap->entry->maps->type;
++ if (type && !strcmp(type, "hosts")) {
++ if (options) {
++ if (!strstr(options, "suid")) {
++ char *tmp = alloca(strlen(options) + 8);
++ if (!tmp) {
++ error(ap->logopt, MODPREFIX
++ "alloca failed for options");
++ if (nonstrict)
++ return -1;
++ return 1;
++ }
++ strcpy(tmp, options);
++ strcat(tmp, ",nosuid");
++ options = tmp;
++ }
++ } else {
++ char *tmp = alloca(7);
++ if (!tmp) {
++ error(ap->logopt,
++ MODPREFIX "alloca failed for options");
++ if (nonstrict)
++ return -1;
++ return 1;
++ }
++ strcpy(tmp, "nosuid");
++ options = tmp;
++ }
++ }
++
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cur_state);
+ if (!strcmp(fstype, "nfs")) {
+ what = alloca(loclen + 1);
+diff -up autofs-5.0.1/samples/auto.master.hosts-nosuid-default autofs-5.0.1/samples/auto.master
+--- autofs-5.0.1/samples/auto.master.hosts-nosuid-default 2007-12-05 17:07:24.000000000 +0900
++++ autofs-5.0.1/samples/auto.master 2007-12-05 17:07:55.000000000 +0900
+@@ -7,6 +7,11 @@
+ # For details of the format look at autofs(5).
+ #
+ /misc /etc/auto.misc
++#
++# NOTE: mounts done from a hosts map will be mounted with the
++# "nosuid" option unless the "suid" option is explicitly
++# given.
++#
+ /net -hosts
+ #
+ # Include central master map if it can be found using
+diff -up autofs-5.0.1/man/auto.master.5.in.hosts-nosuid-default autofs-5.0.1/man/auto.master.5.in
+--- autofs-5.0.1/man/auto.master.5.in.hosts-nosuid-default 2007-12-05 17:07:25.000000000 +0900
++++ autofs-5.0.1/man/auto.master.5.in 2007-12-05 17:07:55.000000000 +0900
+@@ -196,6 +196,9 @@ For example, with an entry in the master
+ .hy
+ accessing /net/myserver will mount exports from myserver on directories below
+ /net/myserver.
++.P
++NOTE: mounts done from a hosts map will be mounted with the "nosuid" option
++unless the "suid" option is explicitly given in the master map entry.
+ .SH LDAP MAPS
+ If the map type \fBldap\fP is specified the mapname is of the form
+ \fB[//servername/]dn\fP, where the optional \fBservername\fP is
diff --git a/autofs.spec b/autofs.spec
index bd06331..b842823 100644
--- a/autofs.spec
+++ b/autofs.spec
@@ -4,7 +4,7 @@
 Summary: A tool for automatically mounting and unmounting filesystems
 Name: autofs
 Version: 5.0.1
-Release: 28
+Release: 29
 Epoch: 1
 License: GPL
 Group: System Environment/Daemons
@@ -46,6 +46,7 @@ Patch33: autofs-5.0.2-fix-mount-nfs-nosymlink.patch
 Patch34: autofs-5.0.2-default-nsswitch.patch
 Patch35: autofs-5.0.1-add-ldaps-support.patch
 Patch36: autofs-5.0.1-add-ldap-schema-discovery.patch
+Patch37: autofs-5.0.2-hosts-nosuid-default.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, hesiod-devel, openldap-devel, bison, flex, libxml2-devel, cyrus-sasl-devel, openssl-devel module-init-tools util-linux nfs-utils e2fsprogs
 Conflicts: kernel < 2.6.17
@@ -123,6 +124,7 @@ echo %{version}-%{release} > .version
 %patch34 -p1
 %patch35 -p1
 %patch36 -p1
+%patch37 -p1
 %build
 #CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=/usr --libdir=%{_libdir}
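Review bot: The opt-out test in the parse_sun.c hunk, `if (!strstr(options, "suid"))`, is a substring match rather than an option-token match, so any option string that merely contains "suid" inside another token or value would silently suppress the nosuid default that this patch introduces for hosts-map mounts, and it also relies on "nosuid" matching the same substring to avoid appending a duplicate. Because the default exists to restrict setuid on these mounts, comparing whole comma-separated tokens keeps the opt-out limited to an explicit `suid` (or an existing `nosuid`) and makes that intent readable. The two `if (!tmp)` branches after `alloca()` are unreachable, since alloca() does not report failure by returning NULL; the existing context line `mountpoint = alloca(namelen + 1);` already assumes as much, so the error/return paths there can go, which is what the fence below does. sun_mount() begins and ends outside this hunk, and `nonstrict`, `MODPREFIX` and `error()` are not visible here, so the rest of the body is left as committed.
```c
/* Whole-token lookup in a comma-separated mount option string. */
static int has_option(const char *opts, const char *token)
{
	size_t tlen = strlen(token);
	const char *p = opts;

	for (;;) {
		const char *end = strchr(p, ',');
		size_t len = end ? (size_t) (end - p) : strlen(p);

		if (len == tlen && !strncmp(p, token, tlen))
			return 1;
		if (!end)
			return 0;
		p = end + 1;
	}
}

/* … unchanged: sun_mount() up to and including the mountpoint setup … */

	type = ap->entry->maps->type;
	if (type && !strcmp(type, "hosts")) {
		if (options) {
			/* only an explicit "suid" (or an existing "nosuid") opts out */
			if (!has_option(options, "suid") &&
			    !has_option(options, "nosuid")) {
				char *tmp = alloca(strlen(options) + 8);
				strcpy(tmp, options);
				strcat(tmp, ",nosuid");
				options = tmp;
			}
		} else {
			char *tmp = alloca(7);
			strcpy(tmp, "nosuid");
			options = tmp;
		}
	}

	/* … unchanged: pthread_setcancelstate() and the mount itself … */
```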
@@ -175,6 +177,10 @@ fi
 %{_libdir}/autofs/
 %changelog
+* Thu Dec 13 2007 Ian Kent - 5.0.1-29
+- Bug 421351: CVE-2007-5964 autofs defaults don't restrict suid in /net [f7]
+ - use mount option "nosuid" for "-hosts" map unless "suid" is explicily specified.
+
 * Wed Sep 5 2007 Ian Kent - 5.0.1-28
 - add ldaps support (required by schema discovery).
 - add back LDAP schema discovery if no schema is configured.