Bug 772570 (CVE-2012-3417) - VUL-0: CVE-2012-3417: quota: incorrect use of tcp_wrappers
Status: RESOLVED FIXED
Alias: CVE-2012-3417
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2012-08-17
Assignee: Daniel Lovasko
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:48906 maint:...
Reported: 2012-07-23 07:08 UTC by Sebastian Krahmer
Modified: 2016-02-04 18:17 UTC
Description Sebastian Krahmer 2012-07-23 07:08:57 UTC
Via OSS-sec:

Date: Thu, 19 Jul 2012
From: Kurt Seifried
To: oss-security

On 07/19/2012 02:36 AM, Huzaifa Sidhpurwala wrote:
> Hi All,
>
> rquotad seems to re-use good_client implementation from portmap.
> The way good_client called tcp_wrappers via hosts_ctl was not
> correct, possibly causing hosts access rules defined in
> hosts.{allow,deny} not to be honored.
>
> Reference: https://bugzilla.redhat.com/show_bug.cgi?id=566717
>
> Can a CVE id be please allocated to this issue? (Possibly 2010 I
> think)
>
> Thanks!.


Please use CVE-2012-3417 for this issue.
Comment 1 Swamp Workflow Management 2012-07-23 22:00:14 UTC
bugbot adjusting priority
Comment 8 Marcus Meissner 2012-08-02 08:54:15 UTC
also opensuse submit failed to build
Comment 9 Dirk Mueller 2012-08-02 13:33:34 UTC
the submissions fail to build, could you please check?
Comment 10 Swamp Workflow Management 2012-08-03 07:59:57 UTC
The SWAMPID for this issue is 48572.
This issue was rated as moderate.
Please submit fixed packages until 2012-08-17.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 20 Daniel Lovasko 2012-08-22 14:03:01 UTC
#21445 for SLE-11-SP1
Comment 21 Leonardo Chiquitto 2012-08-22 21:33:31 UTC
The last submission includes the fix for bug #752338 but not for this one :)
Since we had two submissions (one for each bug), I took the liberty of merging them and resubmitting (SR #21449).
Comment 22 Marcus Meissner 2012-08-23 11:04:27 UTC
sle11 sp2 has a branched quota version, please also submit the fixes for it.
Comment 23 Leonardo Chiquitto 2012-08-23 11:32:26 UTC
Done for 11-SP2 now (SR #21450).
Comment 25 Swamp Workflow Management 2012-08-29 21:08:59 UTC
openSUSE-SU-2012:1058-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 772570
CVE References: CVE-2012-3417
Sources used:
openSUSE 11.4 (src):    quota-3.17-20.1
Comment 26 Swamp Workflow Management 2012-08-30 13:07:17 UTC
Update released for: quota, quota-debuginfo, quota-debugsource, quota-nfs
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 27 Swamp Workflow Management 2012-08-30 13:08:45 UTC
Update released for: quota, quota-debuginfo, quota-debugsource, quota-nfs
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 28 Swamp Workflow Management 2012-08-30 13:28:57 UTC
Update released for: quota, quota-debuginfo, quota-debugsource, quota-nfs
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 29 Swamp Workflow Management 2012-08-30 15:06:12 UTC
Update released for: quota, quota-debuginfo, quota-debugsource, quota-nfs
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 30 Marcus Meissner 2012-08-30 15:58:53 UTC
all done I hope
Comment 31 Swamp Workflow Management 2012-08-31 12:05:57 UTC
Update released for: quota
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 32 Swamp Workflow Management 2012-08-31 13:08:46 UTC
Update released for: quota
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 33 Marcus Meissner 2012-09-07 10:06:12 UTC
we need this fix also for sles9-sp3-teradata, if affected.

sorry for not bringing this up sooner.
Comment 37 Daniel Lovasko 2012-09-19 08:06:24 UTC
I was not sure - so I submitted it to SUSE:SLE-9-SP3:Update:Teradata:Test with request id 21747 and to SUSE:SLE-9-SP3:Update:Test with request id 21746.
Comment 39 Swamp Workflow Management 2012-09-24 11:08:41 UTC
Update released for: quota
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)