[Bug 1980095] Re: libnfsidmap built without hardening flags
Andreas Hasenack
1980095 at bugs.launchpad.net
Wed Aug 3 17:27:17 UTC 2022
** Description changed:
[Impact]
- * An explanation of the effects of the bug on users and
+ Hardening build flags are an integral part of Ubuntu security[1], and
+ were accidentally dropped from nfs-utils when the merge for version
+ 2.6.x happened.
- * justification for backporting the fix to the stable release.
+ Check that link[1] for:
+ - "Built with Fortify Source"
+ - "Built with BIND_NOW"
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
+
[Test Plan]
- * detailed instructions how to reproduce the bug
-
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
-
- * if other testing is appropriate to perform before landing this update,
- this should also be described here.
+ The test plan is to inspect the build logs and verify hardening was applied. In particular:
+ - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
+ - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
- * Think about what the upload changes in the software. Imagine the change is
- wrong or breaks something else: how would this show up?
+ This is rebuilding a package with new compiler flags, even though they
+ were there before. Regressions for such cases are either very quickly
+ caught, or only when a bigger user base tries the changes out. In the
+ case of nfs, it seems worth the risk, since it's a privileged service
+ that deals with network data.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
-
- * This must '''never''' be "None" or "Low", or entirely an argument as to why
- your upload is low risk.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
+ I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
+
+ 2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap:
https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code.
** Description changed:
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and
were accidentally dropped from nfs-utils when the merge for version
- 2.6.x happened.
+ 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
-
[Test Plan]
The test plan is to inspect the build logs and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they
were there before. Regressions for such cases are either very quickly
caught, or only when a bigger user base tries the changes out. In the
case of nfs, it seems worth the risk, since it's a privileged service
that deals with network data.
-
[Other Info]
I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
-
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap:
https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code.
** Also affects: nfs-utils (Ubuntu Jammy)
Importance: Undecided
Status: New
** Changed in: nfs-utils (Ubuntu Jammy)
Status: New => In Progress
** Changed in: nfs-utils (Ubuntu Jammy)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Description changed:
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and
were accidentally dropped from nfs-utils when the merge for version
2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
- 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
[Test Plan]
- The test plan is to inspect the build logs and verify hardening was applied. In particular:
+ The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
+
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they
were there before. Regressions for such cases are either very quickly
caught, or only when a bigger user base tries the changes out. In the
case of nfs, it seems worth the risk, since it's a privileged service
that deals with network data.
+
[Other Info]
- I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
+ I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
- 2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
+ 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
+ 2. https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1 1ubuntu1/+build/23229868
+ 3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
+
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap:
https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code.
** Description changed:
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and
were accidentally dropped from nfs-utils when the merge for version
2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
-
[Test Plan]
The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
-
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they
were there before. Regressions for such cases are either very quickly
caught, or only when a bigger user base tries the changes out. In the
case of nfs, it seems worth the risk, since it's a privileged service
that deals with network data.
-
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
- 2. https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1 1ubuntu1/+build/23229868
- 3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
-
+ https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/232298683. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap:
https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code.
** Description changed:
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and
were accidentally dropped from nfs-utils when the merge for version
2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they
were there before. Regressions for such cases are either very quickly
caught, or only when a bigger user base tries the changes out. In the
case of nfs, it seems worth the risk, since it's a privileged service
that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
- https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/232298683. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
+ https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
+ 3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap:
https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code.
** Description changed:
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and
were accidentally dropped from nfs-utils when the merge for version
2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular:
- - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
+ - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before (Note: old jammy build logs do show this define being used already, unsure why lintian complained back then)
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they
were there before. Regressions for such cases are either very quickly
caught, or only when a bigger user base tries the changes out. In the
case of nfs, it seems worth the risk, since it's a privileged service
that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap:
https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nfs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1980095
Title:
libnfsidmap built without hardening flags
Status in nfs-utils package in Ubuntu:
Fix Released
Status in nfs-utils source package in Jammy:
In Progress
Bug description:
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and
were accidentally dropped from nfs-utils when the merge for version
2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before (Note: old jammy build logs do show this define being used already, unsure why lintian complained back then)
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they
were there before. Regressions for such cases are either very quickly
caught, or only when a bigger user base tries the changes out. In the
case of nfs, it seems worth the risk, since it's a privileged service
that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap:
https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1980095/+subscriptions
More information about the foundations-bugs
mailing list