OPENAFS-SA-2015-007 "Tattletale"

Bug #1513461 reported by Klas Mattsson on 2015-11-05
Affects            Status   Importance   Assigned to   Milestone
openafs (Ubuntu)            High         Unassigned
Precise                     Undecided    Unassigned
Trusty                      Undecided    Unassigned
Vivid                       Undecided    Unassigned
Wily                        Undecided    Unassigned
Xenial                      High         Unassigned

Bug Description

The OPENAFS-SA-2015-007 vulnerability has been fixed in 16.04:
https://launchpad.net/ubuntu/+source/openafs/1.6.15-1

Attached is a debdiff against 1.6.1 in 12.04.

Klas Mattsson (klas-mattsson) wrote :
Steve Beattie (sbeattie) on 2015-11-05
information type: Private Security → Public Security
Changed in openafs (Ubuntu):
status: New → Triaged
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff, thanks!

Update package is building now and will be released when ready. Thanks!

Changed in openafs (Ubuntu):
status: Triaged → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

(FYI, I made a couple of minor changes to the debian/changelog file)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.1-1+ubuntu0.7

---------------
openafs (1.6.1-1+ubuntu0.7) precise-security; urgency=low

  * SECURITY UPDATE: Apply OPENAFS-SA-2015-007 "Tattletale" patch
    (LP: #1513461)
    - OPENAFS-SA-2015-007.patch: Rx ACK packets leak plaintext of previous
      packets
    - CVE-2015-7762
    - CVE-2015-7763

 -- Klas Mattsson <email address hidden> Thu, 05 Nov 2015 12:50:39 +0100

Changed in openafs (Ubuntu):
status: Fix Committed → Fix Released
Klas Mattsson (klas-mattsson) wrote :

Great, thanks!

Klas Mattsson (klas-mattsson) wrote :

Here's the same patch but made for trusty and for 1.6.7 instead.

Marc Deslauriers (mdeslaur) wrote :

There are other CVEs which are still unfixed in the trusty package. Do you think you could add them also to the debdiff?

http://people.canonical.com/~ubuntu-security/cve/pkg/openafs.html

Thanks!

Klas Mattsson (klas-mattsson) wrote :

Hmm, I suppose I could.

All those errors seem to have been fixed in normal patches to openafs in different versions.
Would you prefer if I patched it up to 1.6.15-1 directly or made a 1.6.7-ubuntu# which will basically be the same as 1.6.15-1?

Marc Deslauriers (mdeslaur) wrote :

We usually backport the specific security fixes, rather than whole versions so we don't introduce any other unrelated changes.

Could you simply add the security fixes as was done in precise's 1.6.1-1+ubuntu0.6 and 1.6.1-1+ubuntu0.7 packages?

Klas Mattsson (klas-mattsson) wrote :

Sure thing, I'll add a patch as soon as I've had time to make it.

You should note that one of the patches, the one addressing:
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6587.html

has a couple of issues.
Basically, it removes functionality as an interim fix for the actual patch which is added in 1.6.13.

So, while this patch will remove that security hole, it will also in some cases break functionality.
This issue already exists in 12.04 of course.

To quote the openafs git repo where they reverted back from this fix:

commit fc43236872c798fe426590714d19773c74d4bbbe
Author: Jeffrey Altman <email address hidden>
Date: Mon Aug 3 15:03:00 2015 -0400

    Revert "vlserver: Disable regex volume name processing in ListAttributesN2"

    This change reverts commit 22481ab3705522ac1988b7de038c4dbc1e5009a9 which
    by disabling regex queries of volume names breaks some backup software
    including TSM.

Klas Mattsson (klas-mattsson) wrote :

Ok then, here's the patch with all the CVEs addressed.

Fully copied from upstream.

Changed in openafs (Ubuntu Precise):
status: New → Fix Released
Changed in openafs (Ubuntu Trusty):
status: New → Confirmed
Changed in openafs (Ubuntu Vivid):
status: New → Confirmed
Changed in openafs (Ubuntu Wily):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Debdiff in comment #11 looks good, thanks!

Package is building now (with a couple of minor debian/changelog changes) and will be released when built.

Thanks!

Changed in openafs (Ubuntu Trusty):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.7-1ubuntu1.1

---------------
openafs (1.6.7-1ubuntu1.1) trusty-security; urgency=low

  * SECURITY UPDATES (LP: #1513461):
    - CVE-2015-3282: Clear nvldbentry before sending on the wire
    - CVE-2015-3283: Use crypt for commands where spoofing could be a risk
    - CVE-2015-3284: Clear pioctl data interchange buffer before use
    - CVE-2015-3285: Use correct output buffer for FSCmd pioctl
    - CVE-2015-6587: Disable regex volume name processing in ListAttributesN2
    - CVE-2015-7762: Apply OPENAFS-SA-2015-007 "Tattletale" patch
    - CVE-2015-7763: Apply OPENAFS-SA-2015-007 "Tattletale" patch
    - OPENAFS-SA-2015-007.patch: Rx ACK packets leak plaintext of previous packets

 -- Klas Mattsson <email address hidden> Tue, 10 Nov 2015 08:03:52 +0100

Changed in openafs (Ubuntu Trusty):
status: In Progress → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-security-sponsors as there is no further debdiff to process. Please re-subscribe when attaching another one. Thanks!
