Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#73578 - [glibc] Re-enable NSS module loading for Postfix DNS lookups
Attached to Project:
Arch Linux
Opened by Harry Youd (harryyoud) - Monday, 31 January 2022, 18:36 GMT
Last edited by freswa (frederik) - Thursday, 10 February 2022, 21:45 GMT
Details
CVE-2019-14271 detailed a potential Docker attack by loading chroot libraries into host processes. This was fixed with:
- https://sourceware.org/bugzilla/show_bug.cgi?id=27077
- https://sourceware.org/git/?p=glibc.git;a=commit;h=429029a73ec2dba7f808f69ec8b9e3d84e13e804

This disallows any module loading after chroot. This is problematic for running Postfix daemon processes in chroot, since if libnss_* modules are not loaded before chroot (which is not done routinely), reverse DNS lookups will fail silently (presumably getnameinfo returning null). This results in lines such as "connect from unknown":

postfix/postscreen[130767]: CONNECT from [2a01:4f9:c010:9eb4::1]:33294 to [*************]:25
postfix/postscreen[130767]: PASS OLD [2a01:4f9:c010:9eb4::1]:33294
postfix/smtpd[290004]: connect from unknown[2a01:4f9:c010:9eb4::1]
postfix/smtpd[290004]: BEFF1424729: client=unknown[2a01:4f9:c010:9eb4::1]
postfix/cleanup[290006]: BEFF1424729: message-id=<mailman.3.1643544001.1267510.arch-dev-public@lists.archlinux.org>
postfix/qmgr[130754]: BEFF1424729: from=<arch-dev-public-bounces@lists.archlinux.org>, size=6050, nrcpt=1 (queue active)
postfix/smtpd[290004]: disconnect from unknown[2a01:4f9:c010:9eb4::1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
postfix/lmtp[290007]: BEFF1424729: to=<****@********>, relay=************[private/dovecot-lmtp], delay=1.1, delays=1/0.01/0.01/0.09, dsn=2.0.0, status=sent (250 2.0.0 <************> UwRnL8Z99mHYbAQAz8Fz3A Saved)
postfix/qmgr[130754]: BEFF1424729: removed

A strace reveals /etc/nsswitch.conf is read from the chroot, but no libnss_* modules are loaded. No errors are produced. I can provide the strace privately if required due to significant redactions needing to be made. I have not used a debugger to test.

This issue is resolved with this patch, which can be easily backported to glibc 2.33:
https://sourceware.org/git/?p=glibc.git;a=commit;h=3e880d733753183696d1a81c34caef3a9add2b0c

This is rumoured to also fix php-fpm and openldap, but I do not use these, so cannot provide feedback about this.

Steps to reproduce:
1. Configure Postfix smtpd to be chrooted in /etc/postfix/master.cf
2. Receive email
3. Observe no reverse DNS lookup

Steps to obtain strace/debug:
1. Configure smtpd to run with "-D" debug flags in /etc/postfix/master.cf
2. Configure debugger_command in /etc/postfix/main.cf, using $process_id for substitution

Mitigations:
- Configure smtpd to run outside chroot [tested by me]
- Rebuild glibc with above patch [tested by me]
- Wait for glibc 2.34 [untested]
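Added illustration, not part of the report and not Postfix's or glibc's own code: a Python check that reads which master.cf commands run chrooted and flags those whose every logged connection came in as "connect from unknown", the symptom described above. The master.cf fragment and the log lines are constructed (the log lines are modelled on the ones quoted in the report), and treating "-" in the chroot column as "n" assumes Postfix 3.x.

```python
import re

# Added illustration, not from the bug report. Constructed master.cf fragment; the
# columns are: service type private unpriv chroot wakeup maxproc command
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
lmtp      unix  -       -       n       -       -       lmtp
"""
# Constructed log excerpt modelled on the lines quoted in the report.
SAMPLE_LOG = """\
postfix/smtpd[290004]: connect from unknown[2a01:4f9:c010:9eb4::1]
postfix/smtpd[290004]: disconnect from unknown[2a01:4f9:c010:9eb4::1] commands=7
postfix/smtpd[290010]: connect from unknown[203.0.113.9]
"""
CHROOT_DEFAULT = "n"  # assumption: Postfix 3.x, where "-" in the chroot column means "n"
CONNECT_RE = re.compile(
    r"postfix/(?P<daemon>\w+)\[\d+\]: connect from (?P<host>[^\s\[]+)\[(?P<addr>[^\]]+)\]"
)

def chrooted_commands(master_cf: str) -> set[str]:
    """Commands (the tag after 'postfix/' in the log) that master.cf runs chrooted."""
    chrooted = set()
    for line in master_cf.splitlines():
        # Comments and continuation lines ("  -o key=value") define no service.
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[4].replace("-", CHROOT_DEFAULT) == "y":
            chrooted.add(fields[7])
    return chrooted

def rdns_stats(log_text: str) -> dict[str, list[int]]:
    """Per daemon: [connections with a resolved client name, connections logged as unknown]."""
    stats: dict[str, list[int]] = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m is not None:
            stats.setdefault(m["daemon"], [0, 0])[m["host"] == "unknown"] += 1
    return stats

def suspect_chroot_rdns_breakage(master_cf: str, log_text: str) -> list[str]:
    """Chrooted daemons whose every logged connection came in as 'unknown' (the symptom above)."""
    chrooted = chrooted_commands(master_cf)
    return sorted(d for d, (ok, unk) in rdns_stats(log_text).items()
                  if d in chrooted and ok == 0 and unk > 0)
```

A single client without a PTR record also logs as unknown, so the check only flags a chrooted daemon that never resolves anyone; run it over a longer log window before concluding the NSS-after-chroot problem is present.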
Closed by freswa (frederik)
Thursday, 10 February 2022, 21:45 GMT
Reason for closing: Fixed
Additional comments about closing: glibc-2.35-2 in [testing]
glibc 2.33-5
postfix 3.6.4-1