SA 2007-003: Denial of service in OpenAFS fileserver

Bug #180792 reported by Johan Christiansen on 2008-01-06
270
Affects Status Importance Assigned to Milestone
openafs (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: openafs-client

A user with network access can attack a fileserver via a race condition and cause it to crash.

A security advisory can be found upstream at http://openafs.org/security/OPENAFS-SA-2007-003.txt

A new openafs-release fixes this.
This is fixed for: Hardy (1.4.6)

To solve this in gutsy, feisty and dapper requires either:
1) A backport of 1.4.6 to both feisty and dapper, which is a "big jump" from 1.4.2 in dapper to 1.4.6 - perhaps Russ would like to comment on the feasability of this.
2) A patch and repackage of 1.4.2 and 1.4.4.

CVE References

description: updated
Johan Christiansen (johandc) wrote :

Added CVE reference and changing to confirmed.

Changed in openafs:
status: New → Confirmed

Johan Christiansen <email address hidden> writes:

> To solve this in gutsy, feisty and dapper requires either:
> 1) A backport of 1.4.6 to both feisty and dapper, which is a "big jump"
> from 1.4.2 in dapper to 1.4.6 - perhaps Russ would like to comment on
> the feasability of this.

I don't think it's particularly likely to break anything, but it is a big
jump.

> 2) A patch and repackage of 1.4.2 and 1.4.4.

This is probably a better option. The upstream delta between 1.4.5 and
1.4.6 is almost exactly just the security fix (there are some changes to
debugging code as well) and it should backport fairly easily to 1.4.2.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Björn Torkelsson (torkel) wrote :

openafs-modules-source 1.4.6.dfsg1-2 does not compile on dapper though. It looks like the compiler output of warnings have changed. In dapper I get:

/scratch/openafs-1.4.6/openafs-1.4.6.dfsg1/conftest.dir/conftest.c: In function 'conftest':
/scratch/openafs-1.4.6/openafs-1.4.6.dfsg1/conftest.dir/conftest.c:37: warning: implicit declaration of function 'sysctl_check_table'
*** Warning: "sysctl_check_table" [/scratch/openafs-1.4.6/openafs-1.4.6.dfsg1/conftest.dir/conftest.ko] undefined!

so the 'grep "^WARNING: .* undefined!$" conftest.err' does not match and thus configure thinks the kernal has sysctl_check_table.

binary:Version (openafs-dbg in debian/control) is also missing in dapper.

After fixing those two things everything compiles and we have already deployed it on the servers and we are currently working on deploying it on our clients too.

Johan Christiansen (johandc) wrote :

About repackaging:
Since this is a bug against the fileserver, I would say that our primary focus should be on getting a fix for dapper. Also Gutsy is of some importance since i do belevie that there is some people out there running gutsy servers.
Considering that i have never done any .deb packaging, it would take me a long time to find the relevant security patch from 1.4.5 to 1.4.6, apply it to 1.4.1-2 (dapper) and repackage. Perhaps with some help from Russ to find the actual patch i will give it a go.

Another option:
What about debian stable? Is 1.4.2-6 (etch) going to be patched, if so, can we draw from the effort there?

Perhaps not relevant:
The kernel modules for edgy is broken. This is an old bug which has been closed with a backport release, which essentially does not solve the problem for non-backport users and fresh installs. I'm not sure how many edgy clients are still out here, so perhaps it's not worth the effort. But it should receive both a security patch for the fileserver, and version upgrade to 1.4.4 at least in order to make the kernel modules compile.

Also:
Don't forget the security issue 2007-001 (#94787) with all versions < 1.4.4, so in fact we should create two patches for dapper. Either that, or we figure out a way to get 1.4.6 to work on dapper, what do you guys say?

Johan Christiansen <email address hidden> writes:

> About repackaging:

> Since this is a bug against the fileserver, I would say that our primary
> focus should be on getting a fix for dapper. Also Gutsy is of some
> importance since i do belevie that there is some people out there
> running gutsy servers.

> Considering that i have never done any .deb packaging, it would take me
> a long time to find the relevant security patch from 1.4.5 to 1.4.6,
> apply it to 1.4.1-2 (dapper) and repackage. Perhaps with some help from
> Russ to find the actual patch i will give it a go.

Sorry, I should have been more specific when I said the upstream delta
between the versions was all you need. I mentioned that because we
publish it as a diff file.

http://dl.openafs.org/dl/openafs/1.4.6/openafs-1.4.6-src.diff.gz is the
patch that you want. The changes to viced/viced.c and vol/partition.c are
unimportant and can be omitted, as (of course) can the RCSID changes.

> Another option:
> What about debian stable? Is 1.4.2-6 (etch) going to be patched, if so,
> can we draw from the effort there?

kcr was working on Debian stable updates. I don't know what his current
status is for those. I haven't had time to look at them personally,
unfortunately.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Russ Allbery (rra-debian) wrote :

Russ Allbery <email address hidden> writes:
> Johan Christiansen <email address hidden> writes:

>> Another option:
>> What about debian stable? Is 1.4.2-6 (etch) going to be patched, if so,
>> can we draw from the effort there?
>
> kcr was working on Debian stable updates. I don't know what his current
> status is for those. I haven't had time to look at them personally,
> unfortunately.

Oh, sorry, it was noahm who was working on this. He just got a CVE
assigned (CVE-2007-6599) and is working on an update now.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Philip Wyett (philwyett) wrote :

Has this issue and CVE been fixed as yet across Ubuntu versions?

If yes, we can close this bug report.

Scott Kitterman (kitterman) wrote :

Have a look at the package page and tell me how many security uploads you see:

https://launchpad.net/ubuntu/+source/openafs

I'm sure you're trying to help, but sending everyone in ubuntu-security and motu-swat bugmail asking a question you can trivially look up for yourself doesn't really get there.

Evan Broder (broder) wrote :

http://launchpadlibrarian.net/25468149/openafs_1.4.1-2%2Bubuntu0.1.debdiff contains a patch for this vulnerability, as well as OPENAFS-SA-2009-001 and 2009-002 (bug #356861)

Changed in openafs (Ubuntu):
status: Confirmed → In Progress
Marc Deslauriers (mdeslaur) wrote :

This was released for dapper today.

Changed in openafs (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers