Bug: DSA-3320-1 openafs -- security update

Bug #1481373 reported by Patrik Lundin
This bug affects 2 people
Affects: openafs (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Unassigned | Milestone: none

Bug Description

Debian recently fixed several security bugs in the openafs package, https://www.debian.org/security/2015/dsa-3320.

This affects Ubuntu as well.

Tags: patch
Revision history for this message
Patrik Lundin (patrik-lundin) wrote :

Attached is a build tested debdiff against Precise Pangolin (12.04).

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Patrik - Thanks for the debdiff! I'll need to verify the patches with upstream but the patches don't contain the proper DEP-3 tags (I'm mostly interested in the Origin tag). From reading the changelog, it sounds like you reused the patches from Debian's source package. Is that correct?

information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "openafs-ubuntu12.04.2.patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Patrik Lundin (patrik-lundin) wrote :

Hello Tyler,

This is correct, the diffs were created by doing "git show <hash>" for the relevant commits on the master branch of the mentioned git repo. I then applied those diffs with patch(1) against the unpacked debian package:

CVE-2015-3282.patch: 14a4e5bf9ec05946f67123531d6c64a612919e8c
CVE-2015-3283.patch: eea466507af6320c35e3e8dc751da60a52b15a23
CVE-2015-3284.patch: d4cd57807660a6fd3b47bc83de14a78fa8292a5f
CVE-2015-3285.patch: 06a5b0bd91f3ec6efad8b21831b4d1ec1a0f5003
CVE-2015-3287.patch: 63087b338e3d0fbbb26ee183a039052bf07aaaec

It is worth noting that while the master branch also includes a fix for CVE-2015-3286, this only affects Solaris, and has not been added to the wheezy branch. For this reason I have skipped that one (it is not mentioned in the DSA either).

Revision history for this message
Patrik Lundin (patrik-lundin) wrote :

This was mentioned in the changelog, but for easy reference the upstream debian git repo is available here:
git://git.debian.org/git/pkg-k5-afs/openafs.git

Revision history for this message
Patrik Lundin (patrik-lundin) wrote :

... and of course I meant the diffs were applied with patch(1) against the unpacked _ubuntu_ package :).

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openafs (Ubuntu):
status: New → Confirmed
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks! Having a look now.

Changed in openafs (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
status: Confirmed → In Progress
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Patrik - there are a few problems with the debdiff:

1) It is prepared against the precise-backports pocket. This is not appropriate for uploads to precise-security since it pulls in changes unrelated to the security fixes. Please prepare a debdiff against 1.6.1-1+ubuntu0.5 from the precise-updates pocket.

2) As mentioned earlier, the patches are missing the proper DEP-3 tags. I was going to add those in myself based on the commit IDs that you provided but since #1 is going to require you to respin a new debdiff, I'd prefer if you handled that now. Description and Origin are sufficient.

3) The changelog entry needs a few changes. There's no need to mention the DSA since it won't likely mean anything to Ubuntu users. The target should be precise-security instead of precise. If adding the DEP-3 tags in each patch file, there's no longer a need to mention the Debian git tree in the changelog. It would be nice if there was a brief description of the issues that each patch fixes so that users can understand the reasoning for the update.
 - An example changelog can be found here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

4) Runtime testing is preferred. Issuing updates that have only been build tested has the potential to break users.

Once these issues are resolved, please attach the new debdiff, mark the bug status as New and unassign yourself. Thanks!

Changed in openafs (Ubuntu):
assignee: Tyler Hicks (tyhicks) → Patrik Lundin (patrik-lundin)
status: In Progress → Incomplete
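Two of the checks asked for in the comment above, written up as an added shell example; this is not code from the bug report, from the Ubuntu Security Team, or from the openafs package. The first function prepends the two DEP-3 tags of interest (Description and Origin) to a patch exported with "git show <hash>", the second verifies they are present before the diff body, and the third parses the first line of debian/changelog to confirm the upload targets the -security pocket with a version built on the precise-updates base rather than the backports one. The repository URL and commit hash are the ones given in the bug; the sample patch and changelog lines are constructed, and the patch layout assumed is raw "git show" output.

```shell
#!/bin/sh
# Added example, not code from the bug report or the openafs package.
# Assumptions: patches are raw "git show <hash>" output taken from the Debian
# packaging tree named in the bug; debian/changelog's first line is in the
# standard "pkg (version) distribution; urgency=..." form.
set -eu

UPSTREAM_REPO="git://git.debian.org/git/pkg-k5-afs/openafs.git"

# dep3_wrap IN OUT CVE COMMIT DESCRIPTION
# Prepend a DEP-3 header (Description and Origin, the two tags the reviewer
# asked for) to a "git show" patch, leaving the original body untouched.
dep3_wrap() {
    in_patch=$1; out_patch=$2; cve=$3; commit=$4; desc=$5
    {
        printf 'Description: %s: %s\n' "$cve" "$desc"
        printf 'Origin: upstream, %s, commit:%s\n' "$UPSTREAM_REPO" "$commit"
        printf '\n'
        cat "$in_patch"
    } > "$out_patch"
}

# dep3_check PATCH
# Succeed only if Description: and Origin: both appear in the header, i.e.
# before the first "diff --git", "---" or "Index:" line that starts the diff.
dep3_check() {
    hdr=$(awk '/^(diff --git|---|Index:)/ { exit } { print }' "$1")
    if printf '%s\n' "$hdr" | grep -q '^Description:' &&
       printf '%s\n' "$hdr" | grep -q '^Origin:'; then
        return 0
    fi
    return 1
}

# changelog_check CHANGELOG SERIES BASE_VERSION
# Parse "pkg (version) distribution; urgency=..." and require the
# distribution to be SERIES-security and the version to extend the
# -updates base, so the debdiff was not prepared against -backports.
changelog_check() {
    first=$(head -n 1 "$1")
    version=$(printf '%s\n' "$first" | sed 's/^[^(]*(\([^)]*\)).*/\1/')
    dist=$(printf '%s\n' "$first" | sed 's/^[^)]*) *\([^;]*\);.*/\1/')
    case "$dist" in
        "$2-security") ;;
        *) return 1 ;;
    esac
    case "$version" in
        "$3"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in the shape of "git show" output; the commit id and
# hunk are placeholders, not the real upstream change.
make_sample_patch() {
    cat > "$1" <<'EOF'
commit 0000000000000000000000000000000000000000
Author: Example Author <author@example.org>
Date:   Wed Jul 29 00:00:00 2015 +0000

    constructed commit message standing in for the real one

diff --git a/example.c b/example.c
--- a/example.c
+++ b/example.c
@@ -1 +1 @@
-old line
+new line
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_sample_patch "$tmp/raw.patch"
    dep3_wrap "$tmp/raw.patch" "$tmp/CVE-2015-3282.patch" CVE-2015-3282 \
        14a4e5bf9ec05946f67123531d6c64a612919e8c \
        "vos leaks stack data onto the wire in the clear when creating vldb entries"
    if dep3_check "$tmp/CVE-2015-3282.patch"; then echo "DEP-3 tags present"; fi
    printf '%s\n' 'openafs (1.6.1-1+ubuntu0.6) precise-security; urgency=low' > "$tmp/changelog"
    if changelog_check "$tmp/changelog" precise 1.6.1-1+ubuntu0.; then echo "changelog target ok"; fi
    rm -rf "$tmp"
}
demo
```

The header detection stops at the first line that can start a diff body, so a patch whose only "tags" sit inside the commit message after the hunks will still fail the check; that is intentional, since DEP-3 fields must precede the diff to be picked up by tooling.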
Revision history for this message
Patrik Lundin (patrik-lundin) wrote :

Attached is a patch against the non-backported edition of the package. It should address all your requests.
I do not have access to a lab cell for the openafs package, I was hoping someone else would have an easier time runtime testing it.

Changed in openafs (Ubuntu):
status: Incomplete → New
assignee: Patrik Lundin (patrik-lundin) → nobody
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.1-1+ubuntu0.6

---------------
openafs (1.6.1-1+ubuntu0.6) precise-security; urgency=low

  * SECURITY UPDATE: Merge security patches from Debian git master
      (LP: #1481373)
    - CVE-2015-3282.patch: vos leaks stack data onto the wire in the clear
      when creating vldb entries
    - CVE-2015-3283.patch: bos commands can be spoofed, including some which
      alter server state
    - CVE-2015-3284.patch: pioctls leak kernel memory contents
    - CVE-2015-3285.patch: kernel pioctl support for OSD command passing can
      trigger a panic
    - CVE-2015-3287.patch: Buffer overflow in OpenAFS vlserver

 -- Patrik Lundin <email address hidden> Fri, 07 Aug 2015 15:27:00 +0200

Changed in openafs (Ubuntu):
status: New → Fix Released