OpenAFS Security Advisories 2013-0003 and 2013-0004

Bug #1204195 reported by Jeffrey Hutzelman on 2013-07-23
Affects            Importance   Assigned to
openafs (Ubuntu)   Critical     Unassigned
Lucid              Critical     Unassigned
Precise            Critical     Unassigned
Quantal            Critical     Unassigned
Raring             Critical     Unassigned
Saucy              Critical     Unassigned

Bug Description

The following OpenAFS security issues were reported to the distros mailing list on July 16, 2013, and are due for public release tomorrow, Wednesday, July 24, 2013:

OpenAFS Security Advisory 2013-0003
Topic: Brute force DES attack permits compromise of AFS cell
       CVE-2013-4134

OpenAFS Security Advisory 2013-0004
Topic: vos -encrypt doesn't encrypt connection data
       CVE-2013-4135

The upstream releases that fix these problems are 1.4.15 and 1.6.5, due to be released tomorrow. For saucy, you will want 1.6.5-1 from Debian. For precise, quantal, and raring, upstream has provided a sequence of patches (which I will attach) which should apply to the existing releases. For lucid, upstream has provided a sequence of patches which may or may not apply cleanly, or I can provide the patch sequence which was applied for Debian squeeze (which runs a substantially similar version).

Jeffrey Hutzelman (jhutz) wrote :

These patches are from upstream and should apply cleanly to 1.6.4, and only slightly less cleanly to other 1.6.x versions. Patches 0001 through 0010 address OPENAFS-SA-2013-0003. Patch 0012 addresses OPENAFS-SA-2013-0004. You probably don't need patch 0011, which is about bumping the version number.

Changed in openafs (Ubuntu):
status: New → Confirmed
Luke Faraone (lfaraone) wrote :

I'll prepare debdiffs for the relevant releases.

Changed in openafs (Ubuntu Precise):
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Quantal):
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Raring):
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Saucy):
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Precise):
status: New → Confirmed
Changed in openafs (Ubuntu Raring):
status: New → Confirmed
Changed in openafs (Ubuntu Quantal):
status: New → Confirmed
Luke Faraone (lfaraone) on 2013-07-24
Changed in openafs (Ubuntu Lucid):
status: New → Confirmed
assignee: nobody → Luke Faraone (lfaraone)
Luke Faraone (lfaraone) wrote :

The patches above were adapted from a prerelease series distributed by individuals involved in OpenAFS upstream.

Changed in openafs (Ubuntu Lucid):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Precise):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Quantal):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Raring):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Saucy):
assignee: Luke Faraone (lfaraone) → nobody
Luke Faraone (lfaraone) wrote :

This can be fixed via a normal sync in saucy.

Changed in openafs (Ubuntu Saucy):
importance: Undecided → Critical
Changed in openafs (Ubuntu Raring):
importance: Undecided → Critical
Changed in openafs (Ubuntu Quantal):
importance: Undecided → Critical
Changed in openafs (Ubuntu Precise):
importance: Undecided → Critical
Changed in openafs (Ubuntu Lucid):
importance: Undecided → Critical
Changed in openafs (Ubuntu Saucy):
status: Confirmed → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openafs (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
Luke Faraone (lfaraone) wrote :

Updated debdiff for quantal.

We previously had strange behaviour where our patches in debian/patches/ were also getting rolled into debian/patches/debian-changes.

The issue turned out to be an erroneous debian/source/options setting which told dpkg to force-collapse changes into one patch. Annoyingly, this option was silently ignored on precise, but implemented in quantal, so it worked when I tested locally but failed on sbuild.

The attachment "Upstream patches for OpenAFS 1.6.x" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Luke Faraone (lfaraone) wrote :

The previous debdiff omitted a security fix previously shipped in the package.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.2-1+ubuntu2.1

---------------
openafs (1.6.2-1+ubuntu2.1) raring-security; urgency=low

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    - 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
    - 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
    - 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
    - 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
    - 0005-Move-akimpersonate-to-libauth.patch
    - 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
    - 0007-auth-Do-not-always-fallback-to-noauth.patch
    - 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
    - 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
    - 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
    - 0011 skipped because it was a version bump
    - 0012-ubik-Fix-encryption-selection-in-ugen.patch
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
        Andrew Deason, and Michael Meffie for the above patch series.
    - swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
        Kaseorg.
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1204195
 -- Luke Faraone <email address hidden> Tue, 23 Jul 2013 21:25:03 -0400

Changed in openafs (Ubuntu Raring):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.1-2+ubuntu2.1

---------------
openafs (1.6.1-2+ubuntu2.1) quantal-security; urgency=high

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    vos -encrypt doesn't encrypt connection data.
    Buffer overflows which could cause a serverside denial of service.
    - openafs-sa-2013-001.patch: Fix fileserver buffer overflow when parsing
      client-supplied ACL entries and protect against client parsing of
      bad ACL entries. Thanks to Nickolai Zeldovich.
    - openafs-sa-2013-002.patch: Fix ptserver buffer overflow via integer
      overflow in the IdToName RPC. Thanks to Nickolai Zeldovich.
    - 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
    - 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
    - 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
    - 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
    - 0005-Move-akimpersonate-to-libauth.patch
    - 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
    - 0007-auth-Do-not-always-fallback-to-noauth.patch
    - 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
    - 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
    - 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
    - 0011 skipped because it was a version bump
    - 0012-ubik-Fix-encryption-selection-in-ugen.patch
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
        Andrew Deason, and Michael Meffie for the above patch series.
    - swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
        Kaseorg.
    - OPENAFS-SA-2013-001
    - OPENAFS-SA-2013-002
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-1794
    - CVE-2013-1795
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1145560
    - LP: #1204195
  * Remove debian/source/options, which previously force-collapsed the above
    patches into one debian/patches/debian-changes and caused confusing patch
    failures later. Thanks to Colin Watson for help with debugging and to
    Seth Arnold for identifying the failure.
 -- Luke Faraone <email address hidden> Wed, 24 Jul 2013 11:16:48 -0400

Changed in openafs (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.1-1+ubuntu0.2

---------------
openafs (1.6.1-1+ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    vos -encrypt doesn't encrypt connection data.
    Buffer overflows which could cause a serverside denial of service.
    - openafs-sa-2013-001.patch: Fix fileserver buffer overflow when parsing
      client-supplied ACL entries and protect against client parsing of
      bad ACL entries. Thanks to Nickolai Zeldovich.
    - openafs-sa-2013-002.patch: Fix ptserver buffer overflow via integer
      overflow in the IdToName RPC. Thanks to Nickolai Zeldovich.
    - 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
    - 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
    - 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
    - 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
    - 0005-Move-akimpersonate-to-libauth.patch
    - 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
    - 0007-auth-Do-not-always-fallback-to-noauth.patch
    - 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
    - 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
    - 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
    - 0011 skipped because it was a version bump
    - 0012-ubik-Fix-encryption-selection-in-ugen.patch
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
        Andrew Deason, and Michael Meffie for the above patch series.
    - swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
        Kaseorg.
    - OPENAFS-SA-2013-001
    - OPENAFS-SA-2013-002
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-1794
    - CVE-2013-1795
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1145560
    - LP: #1204195
 -- Luke Faraone <email address hidden> Tue, 23 Jul 2013 21:11:02 -0400

Changed in openafs (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.4.12+dfsg-3+ubuntu0.3

---------------
openafs (1.4.12+dfsg-3+ubuntu0.3) lucid-security; urgency=high

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    vos -encrypt doesn't encrypt connection data.
    Buffer overflows which could cause a serverside denial of service.
    - Files changed:
        src/aklog/aklog_main.c
        src/aklog/klog.c
        src/auth/akimpersonate.c
        src/auth/akimpersonate.h
        src/auth/akimpersonate_v5gen.c
        src/auth/akimpersonate_v5gen.h
        src/auth/authcon.c
        src/auth/Makefile.in
        src/bozo/bosserver.c
        src/bozo/Makefile.in
        src/bucoord/Makefile.in
        src/budb/Makefile.in
        src/budb/server.c
        src/butc/Makefile.in
        src/cf/kerberos.m4
        src/config/Makefile.config.in
        src/fsprobe/Makefile.in
        src/kauth/Makefile.in
        src/libafsauthent/Makefile.in
        src/ptserver/Makefile.in
        src/ptserver/ptserver.c
        src/rxkad/Makefile.in
        src/rxkad/private_data.h
        src/rxkad/rxkad.p.h
        src/rxkad/rxkad_prototypes.h
        src/rxkad/rxkad_server.c
        src/rxkad/ticket5.c
        src/rxkad/ticket5_keytab.c
        src/scout/Makefile.in
        src/shlibafsauthent/Makefile.in
        src/shlibafsrpc/mapfile
        src/tbutc/Makefile.in
        src/tsm41/Makefile.in
        src/tviced/Makefile.in
        src/tvolser/Makefile.in
        src/update/Makefile.in
        src/update/server.c
        src/uss/Makefile.in
        src/util/dirpath.c
        src/util/dirpath.hin
        src/venus/Makefile.in
        src/viced/Makefile.in
        src/viced/viced.c
        src/vlserver/Makefile.in
        src/vlserver/vlserver.c
        src/volser/Makefile.in
        src/volser/volmain.c
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, and Ben Kaduk for
      the above fixes
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1204195
 -- Luke Faraone <email address hidden> Wed, 24 Jul 2013 18:07:21 -0400

Changed in openafs (Ubuntu Lucid):
status: Confirmed → Fix Released
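One way to audit that every suite's upload references each CVE the advisories cover is a small parser over the Debian changelog entries quoted above; this is an added example, not code from the report or from the openafs packaging, and the sample changelog is abbreviated from the raring and quantal entries.

```python
"""Parse Debian changelog entries and check CVE coverage per suite.
Added example; the sample below is constructed from the changelogs quoted
in the report, with patch file lists omitted."""
import re

# Constructed sample: header, body and trailer of two of the uploads above.
SAMPLE_CHANGELOG = """\
openafs (1.6.2-1+ubuntu2.1) raring-security; urgency=low

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1204195
 -- Luke Faraone <email address hidden>  Tue, 23 Jul 2013 21:25:03 -0400

openafs (1.6.1-2+ubuntu2.1) quantal-security; urgency=high

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    - CVE-2013-1794
    - CVE-2013-1795
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1145560
    - LP: #1204195
 -- Luke Faraone <email address hidden>  Wed, 24 Jul 2013 11:16:48 -0400
"""

# "package (version) suite; urgency=level" opens each entry.
HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\w+)$", re.M)
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
LP_BUG = re.compile(r"\bLP: #(\d+)")

def parse_changelog(text):
    """Return one dict per upload: package, version, suite, urgency,
    the CVE ids and the Launchpad bug numbers its body mentions."""
    entries = []
    headers = list(HEADER.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():end]
        entries.append({
            "package": h.group(1), "version": h.group(2),
            "suite": h.group(3), "urgency": h.group(4),
            "cves": set(CVE.findall(body)),
            "bugs": {int(b) for b in LP_BUG.findall(body)},
        })
    return entries

def missing_cves(entries, required):
    """Map suite -> required CVEs its entry omits; suites with full coverage
    are left out, so an empty dict means every upload covers the advisory."""
    required = set(required)
    return {e["suite"]: sorted(required - e["cves"])
            for e in entries if required - e["cves"]}
```

Run `missing_cves(parse_changelog(text), ["CVE-2013-4134", "CVE-2013-4135"])` against the real `debian/changelog` of each built package to confirm the advisory CVEs are recorded for every suite before the upload is accepted.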
Luke Faraone (lfaraone) on 2013-07-25
Changed in openafs (Ubuntu Saucy):
status: Confirmed → Fix Committed
Seth Arnold (seth-arnold) wrote :

Thanks Luke!

Luke Faraone (lfaraone) wrote :

Patched in 1.6.5-1ubuntu1 which resolved the FTBFS that Debian's 1.6.5-1 introduced.

Changed in openafs (Ubuntu Saucy):
status: Fix Committed → Fix Released