Debian Bug report logs - #361019
portmap: Portmap man page claims use of tcp_wrappers, however /hosts.deny has no effect


Package: portmap; Maintainer for portmap is Anibal Monsalve Salazar <anibal@debian.org>;

Reported by: Daniel Dickinson <cshore@wightman.ca>

Date: Thu, 6 Apr 2006 00:03:21 UTC

Severity: important

Tags: security

Found in version portmap/5-9

Fixed in version portmap/5-21

Done: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#361019; Package portmap. Full text and rfc822 format available.

Acknowledgement sent to Daniel Dickinson <alemc@bmts.com>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Dickinson <alemc@bmts.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: portmap: Portmap man page claims use of tcp_wrappers, however /hosts.deny has no effect
Date: Wed, 05 Apr 2006 20:02:00 -0400
Package: portmap
Version: 5-9
Severity: grave
Tags: security
Justification: user security hole


The following hosts.deny

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5), hosts_options(5)
#                  and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.

# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: ALL

plus hosts.allow

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5), hosts_options(5)
#                   and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8), rpc.mountd(8) and 
# /usr/share/doc/portmap/portmapper.txt.gz for further information.
#

does not block rpcinfo -p (which returns the following):

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  32771  nlockmgr
    100021    3   udp  32771  nlockmgr
    100021    4   udp  32771  nlockmgr
    100021    1   tcp  35096  nlockmgr
    100021    3   tcp  35096  nlockmgr
    100021    4   tcp  35096  nlockmgr
    100005    1   udp    703  mountd
    100005    1   tcp    706  mountd
    100005    2   udp    703  mountd
    100005    2   tcp    706  mountd
    100005    3   udp    703  mountd
    100005    3   tcp    706  mountd
    391002    2   tcp    920  sgi_fam
    100024    1   udp    927  status
    100024    1   tcp    930  status

I have tried restarting the portmap daemon and inetd after making the 
hosts.deny/allow changes but that has no effect (as it should be; the 
changes to hosts.x files are supposed to be enough).

strings /sbin/portmap | grep hosts returns the following:

hosts_ctl

strings /lib/libwrap.so.0 | grep hosts returns:

hosts_allow_table
hosts_deny_table
hosts_access_verbose
hosts_access
hosts_ctl
/etc/hosts.allow
/etc/hosts.deny
@(#) hosts_access.c 1.21 97/02/12 02:13:22
@(#) hosts_ctl.c 1.4 94/12/28 17:42:27

So apparently there is some problem with portmap's use of libwrap0.

I am happy to provide further information.  I noticed a closed with 'it 
doesn't happen here' bug #84700 which appears to be the same complaint, 
albeit with less detail.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (10, 'testing'), (7, 'unstable'), (3, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.15-1-k7
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages portmap depends on:
ii  libc6                         2.3.5-13   GNU C Library: Shared libraries an
ii  libwrap0                      7.6.dbs-8  Wietse Venema's TCP wrappers libra

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#361019; Package portmap. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #10 received at 361019@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Daniel Dickinson <alemc@bmts.com>, 361019@bugs.debian.org
Subject: Re: Bug#361019: portmap: Portmap man page claims use of tcp_wrappers, however /hosts.deny has no effect
Date: Wed, 5 Apr 2006 20:13:58 -0700
severity 361019 important
thanks

On Wed, Apr 05, 2006 at 08:02:00PM -0400, Daniel Dickinson wrote:
> Package: portmap
> Version: 5-9
> Severity: grave
> Tags: security
> Justification: user security hole

This isn't a user security hole in the sense meant by
<http://www.debian.org/Bugs/Developer#severities>.  It does not result in
users gaining access to any accounts on the system; it leaks a small amount
of information about the system's configuration, but to the extent that this
information is actually useful to an attacker, it's almost certainly
available via brute force.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug submitter from Daniel Dickinson <alemc@bmts.com> to Daniel Dickinson <cshore@wightman.ca>. Request was from Daniel Dickinson <cshore@wightman.ca> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#361019; Package portmap. Full text and rfc822 format available.

Acknowledgement sent to Jonas Meyer <shitse@web.de>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #19 received at 361019@bugs.debian.org (full text, mbox):

From: Jonas Meyer <shitse@web.de>
To: 361019@bugs.debian.org
Subject: it works almost fine
Date: Tue, 15 Aug 2006 16:30:25 +0200
rpcinfo -p always works on localhost, as portmap accepts all connections
from localhost. This and something else should be added to the
manpage, though. From the README:
"In order to avoid deadlocks, the portmap program does not attempt to
look up the remote host name or user name, nor will it try to match NIS
netgroups. The upshot of all this is that only network number patterns
will work for portmap access control."
This means that only IP address matching works in hosts.allow. No
network name matching.

Here's a patch:
--- portmap.8.old       2006-08-15 15:03:48.594577672 +0200
+++ portmap.8   2006-08-15 16:25:38.000000000 +0200
@@ -118,6 +118,9 @@

 portmap: 192.168.

+hostnames or network names won't work. numerical notation has to be
used.
+localhost can not be denied, so do your teting from another host.
+
 You have to use the daemon name
 .Nm portmap
 for the daemon name (even if the binary has a different name). For the
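
Review bot: the first added line has been wrapped in transit, leaving "used." on a line of its own with no leading "+", so the hunk is malformed against the three added lines that @@ -118,6 +118,9 @@ declares and will not apply as posted; rejoin it into a single "+" line or resend the patch as an attachment. In the second added line "teting" should read "testing", and both new sentences should start with a capital letter like the "You have to use the daemon name" sentence that follows. It would also read better if the note tied itself to the "portmap: 192.168." example directly above, stating that numeric patterns of that form are what works.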




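The behaviour described in the message above (only numeric patterns match, localhost is always accepted), as an added example that is not part of the original report or of portmap's own code: a simplified Python model of hosts_access(5) evaluation for the `portmap` daemon, plus a lint that flags client patterns portmap can never match. All function names and the sample files are constructed for illustration; option fields, line continuations and IPv6 are not modeled.

```python
import ipaddress
import re

# Patterns portmap can match: n.n. prefixes, full addresses, net/mask.
NUMERIC = re.compile(r"^(\d{1,3}\.){1,3}$|^(\d{1,3}\.){3}\d{1,3}(/(\d{1,3}\.){3}\d{1,3})?$")

def rules(text):
    """Yield (line_no, daemon_tokens, client_tokens); options after a 2nd ':' are dropped."""
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        yield no, re.findall(r"[^\s,]+", daemons), re.findall(r"[^\s,]+", clients)

def list_match(tokens, pred):
    """hosts_access(5) list semantics, including 'a EXCEPT b'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return any(map(pred, tokens[:i])) and not list_match(tokens[i + 1:], pred)
    return any(map(pred, tokens))

def client_match(pattern, ip):
    if pattern == "ALL":
        return True
    if not NUMERIC.match(pattern):
        return False  # host/domain/netgroup names never match: portmap does no lookups
    if pattern.endswith("."):
        return str(ip).startswith(pattern)
    try:
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False

def applies(daemons):
    return list_match(daemons, lambda d: d in ("ALL", "portmap"))

def lint(text):
    """(line_no, pattern) for client patterns that can never match a portmap client."""
    return [(no, c) for no, d, cl in rules(text) if applies(d)
            for c in cl if c not in ("ALL", "EXCEPT") and not NUMERIC.match(c)]

def portmap_allows(client, allow_text, deny_text):
    ip = ipaddress.ip_address(client)
    if ip.is_loopback:
        return True  # as stated in the thread: localhost is always accepted
    def hit(text):
        return any(applies(d) and list_match(c, lambda p: client_match(p, ip))
                   for _, d, c in rules(text))
    return hit(allow_text) or not hit(deny_text)

# Constructed sample files (not from the report).
ALLOW = "# constructed\nportmap: 192.168., fileserver.example.org\n"
DENY = "ALL: ALL\n"
```

With these samples, `lint(ALLOW)` reports the hostname entry as ineffective, and `portmap_allows("127.0.0.1", "", DENY)` is true even under `ALL: ALL`, which is why access rules have to be tested from another host.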
Reply sent to Javier Fernandez-Sanguino Pen~a <jfs@computer.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Daniel Dickinson <cshore@wightman.ca>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #24 received at 361019-close@bugs.debian.org (full text, mbox):

From: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
To: 361019-close@bugs.debian.org
Subject: Bug#361019: fixed in portmap 5-21
Date: Mon, 16 Oct 2006 23:17:13 -0700
Source: portmap
Source-Version: 5-21

We believe that the bug you reported is fixed in the latest version of
portmap, which is due to be installed in the Debian FTP archive:

portmap_5-21.diff.gz
  to pool/main/p/portmap/portmap_5-21.diff.gz
portmap_5-21.dsc
  to pool/main/p/portmap/portmap_5-21.dsc
portmap_5-21_i386.deb
  to pool/main/p/portmap/portmap_5-21_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 361019@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@computer.org> (supplier of updated portmap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 11 Oct 2006 12:12:10 +0200
Source: portmap
Binary: portmap
Architecture: source i386
Version: 5-21
Distribution: unstable
Urgency: low
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Description: 
 portmap    - The RPC portmapper
Closes: 361019 379933 382962 383941
Changes: 
 portmap (5-21) unstable; urgency=low
 .
   * Add a note in the manpage related to the use of IP addresses in
     /etc/hosts.{allow,deny} when protecting portmapper. (Closes: #361019)
   * Updated translations:
     - Spanish translation update provided by Javier Fernandez-Sanguino
       (Closes: #382962)
     - Japanese translation update provided by Kenshi Muto (Closes: #379933)
   [ debian/postinst ]
   * Modify postinst so it does not run 'rpcinfo -p' for new installs of the
     package as suggested by Joey Hess, this solves a problem with new d-i
     installations since rpcinfo stalls when the package is being installed, a
     static IP address has been assigned, 'lo' is down and portmap tries
     to list the RPC services available. (Closes: #383941)
   [ debian/rules ]
   * Re-add the 'start' sentences in runlevels 2-5 (revert the change
     introduced in -17 and reopens #340158, #334758). This is needed because if
     someone goes to runlevel 1 (stops portmapper and NFS) and then back to
     runlevel 2 portmapper would not start and NFS would fail.
   [ debian/init.d ]
   * Reorder the "Starting portmap" message so it is presented before we say
     "Already running"
Files: 
 394e69bb8deb22ec3508de773fe0cc78 750 net standard portmap_5-21.dsc
 439001eb7d46316891e718da70bbb419 25718 net standard portmap_5-21.diff.gz
 eee6d336de04810d8fed5d2b66ba5010 33088 net standard portmap_5-21_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 19:22:52 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 19:56:20 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.