[MIR] libtirpc, rpcbind

Bug #781516 reported by Steve Langasek
Affects / Status / Importance / Assigned to / Milestone
libtirpc (Ubuntu): Fix Released / High / Unassigned
libtirpc (Ubuntu Oneiric): Fix Released / High / Unassigned
rpcbind (Ubuntu): Fix Released / High / Unassigned
rpcbind (Ubuntu Oneiric): Fix Released / High / Unassigned

Bug Description

The new nfs-utils in Debian adds dependencies on libtirpc and rpcbind for IPv6. One is a network-sensitive library and the other is a network server, so I guess we'll want some careful review.

== libtirpc ==
* Availability: Package is in universe, synced from Debian
* Rationale: Dependency of rpcbind which is required for IPv6 support
* Security:
** No CVE: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** 2 old (2008) secunia advisories: http://secunia.com/advisories/product/17898/?task=advisories (fixed by upstream)
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: none
** Daemons: none
* QA:
** Just a library with two binary packages (one for the lib and one -dev), no debconf question or configuration.
** No bug in Ubuntu: https://launchpad.net/ubuntu/+source/libtirpc/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=libtirpc
** Package is maintained in Debian though not very active (last upload in December, moved to testing in February)
** Currently build-depends on the universe package "libgss-dev", but it isn't necessary. The next Debian upload will drop it.

== rpcbind ==
* Availability: Package is in universe, synced from Debian.
* Rationale: Replacement of portmap as a nfs-utils build-depend required for IPv6 support.
* Security:
** No CVEs that seem to target the current code base: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** No secunia advisories: http://secunia.com/search/?search=rpcbind
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: /sbin/rpcbind (the daemon) and /usr/sbin/rpcinfo (a client)
** Daemons: rpcbind (sysvinit script, probably to be converted to upstart similar to what was done for portmap)
* QA:
** No debconf question, one config file in /etc (/etc/insserv.conf.d/rpcbind) but no user changes required
** No critical bugs in Ubuntu: https://launchpad.net/ubuntu/+source/rpcbind/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=rpcbind
** Package is maintained in Debian, last upload in March.
** Depends and build-depends on libtirpc (see MIR above)

Steve Langasek (vorlon)
Changed in libtirpc (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
status: New → Incomplete
Changed in rpcbind (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
status: New → Incomplete
Changed in libtirpc (Ubuntu):
importance: Undecided → High
Changed in rpcbind (Ubuntu):
importance: Undecided → High
description: updated
description: updated
Steve Langasek (vorlon)
Changed in libtirpc (Ubuntu Oneiric):
status: Incomplete → New
Changed in rpcbind (Ubuntu Oneiric):
status: Incomplete → New
Changed in libtirpc (Ubuntu Oneiric):
assignee: Stéphane Graber (stgraber) → nobody
Changed in rpcbind (Ubuntu Oneiric):
assignee: Stéphane Graber (stgraber) → nobody
Matthias Klose (doko) wrote :

For the nfs-utils merge, see bug #789117.

Changed in libtirpc (Ubuntu Oneiric):
assignee: nobody → Canonical Security Team (canonical-security)
Changed in rpcbind (Ubuntu Oneiric):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in libtirpc (Ubuntu Oneiric):
assignee: Canonical Security Team (canonical-security) → Ubuntu Security Team (ubuntu-security)
Steve Langasek (vorlon) wrote :

libtirpc in Debian no longer build-depends on libgss-dev, only libgssglue-dev; dropped the comment in the bug description about this.

description: updated
Steve Langasek (vorlon) wrote :

Also, with eglibc 2.14 dropping its bundled rpc support by default, I would appreciate if we could at least get the MIR for libtirpc done ASAP. Could someone from the security team please have a look at this?

Kees Cook (kees) wrote :

There were a few things that gave me some pause in libtirpc, but I've now convinced myself that they are okay. This code could probably use a few more eyes on it, but it looks reasonable, and it does attempt to be careful about lengths, etc. +1

Changed in libtirpc (Ubuntu Oneiric):
status: New → In Progress
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Steve Langasek (vorlon) wrote :

libtirpc promoted to main to let the new nfs-utils build.

Still waiting for confirmation on the rpcbind part of this.

Changed in libtirpc (Ubuntu Oneiric):
status: In Progress → Fix Released
Kees Cook (kees) wrote :

Nothing jumps out at me, but the protocol is complex and runs as root.
It would be nice to audit this more carefully.

Changed in rpcbind (Ubuntu Oneiric):
status: New → In Progress
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Kees Cook (kees) wrote :

(Sorry, and by that, I meant +1 for rpcbind)

Steve Langasek (vorlon) wrote :

Promoted to main, thanks for the review!

Changed in rpcbind (Ubuntu Oneiric):
status: In Progress → Fix Released