SA 2007-003: Denial of service in OpenAFS fileserver

Added CVE reference and changing to confirmed.

Johan Christiansen <email address hidden> writes:

> To solve this in gutsy, feisty and dapper requires either:
> 1) A backport of 1.4.6 to both feisty and dapper, which is a "big jump"
> from 1.4.2 in dapper to 1.4.6 - perhaps Russ would like to comment on
> the feasability of this.

I don't think it's particularly likely to break anything, but it is a big
jump.

> 2) A patch and repackage of 1.4.2 and 1.4.4.

This is probably a better option. The upstream delta between 1.4.5 and
1.4.6 is almost exactly just the security fix (there are some changes to
debugging code as well) and it should backport fairly easily to 1.4.2.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

openafs-modules-source 1.4.6.dfsg1-2 does not compile on dapper though. It looks like the compiler output of warnings have changed. In dapper I get:

/scratch/openafs-1.4.6/openafs-1.4.6.dfsg1/conftest.dir/conftest.c: In function 'conftest':
/scratch/openafs-1.4.6/openafs-1.4.6.dfsg1/conftest.dir/conftest.c:37: warning: implicit declaration of function 'sysctl_check_table'
*** Warning: "sysctl_check_table" [/scratch/openafs-1.4.6/openafs-1.4.6.dfsg1/conftest.dir/conftest.ko] undefined!

so the 'grep "^WARNING: .* undefined!$" conftest.err' does not match and thus configure thinks the kernal has sysctl_check_table.

binary:Version (openafs-dbg in debian/control) is also missing in dapper.

After fixing those two things everything compiles and we have already deployed it on the servers and we are currently working on deploying it on our clients too.

About repackaging:
Since this is a bug against the fileserver, I would say that our primary focus should be on getting a fix for dapper. Also Gutsy is of some importance since i do belevie that there is some people out there running gutsy servers.
Considering that i have never done any .deb packaging, it would take me a long time to find the relevant security patch from 1.4.5 to 1.4.6, apply it to 1.4.1-2 (dapper) and repackage. Perhaps with some help from Russ to find the actual patch i will give it a go.

Another option:
What about debian stable? Is 1.4.2-6 (etch) going to be patched, if so, can we draw from the effort there?

Perhaps not relevant:
The kernel modules for edgy is broken. This is an old bug which has been closed with a backport release, which essentially does not solve the problem for non-backport users and fresh installs. I'm not sure how many edgy clients are still out here, so perhaps it's not worth the effort. But it should receive both a security patch for the fileserver, and version upgrade to 1.4.4 at least in order to make the kernel modules compile.

Also:
Don't forget the security issue 2007-001 (#94787) with all versions < 1.4.4, so in fact we should create two patches for dapper. Either that, or we figure out a way to get 1.4.6 to work on dapper, what do you guys say?

Johan Christiansen <email address hidden> writes:

> About repackaging:

> Since this is a bug against the fileserver, I would say that our primary
> focus should be on getting a fix for dapper. Also Gutsy is of some
> importance since i do belevie that there is some people out there
> running gutsy servers.

> Considering that i have never done any .deb packaging, it would take me
> a long time to find the relevant security patch from 1.4.5 to 1.4.6,
> apply it to 1.4.1-2 (dapper) and repackage. Perhaps with some help from
> Russ to find the actual patch i will give it a go.

Sorry, I should have been more specific when I said the upstream delta
between the versions was all you need. I mentioned that because we
publish it as a diff file.

http://dl.openafs.org/dl/openafs/1.4.6/openafs-1.4.6-src.diff.gz is the
patch that you want. The changes to viced/viced.c and vol/partition.c are
unimportant and can be omitted, as (of course) can the RCSID changes.

> Another option:
> What about debian stable? Is 1.4.2-6 (etch) going to be patched, if so,
> can we draw from the effort there?

kcr was working on Debian stable updates. I don't know what his current
status is for those. I haven't had time to look at them personally,
unfortunately.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Russ Allbery <email address hidden> writes:
> Johan Christiansen <email address hidden> writes:

>> Another option:
>> What about debian stable? Is 1.4.2-6 (etch) going to be patched, if so,
>> can we draw from the effort there?
>
> kcr was working on Debian stable updates. I don't know what his current
> status is for those. I haven't had time to look at them personally,
> unfortunately.

Oh, sorry, it was noahm who was working on this. He just got a CVE
assigned (CVE-2007-6599) and is working on an update now.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Has this issue and CVE been fixed as yet across Ubuntu versions?

If yes, we can close this bug report.

Have a look at the package page and tell me how many security uploads you see:

https://launchpad.net/ubuntu/+source/openafs

I'm sure you're trying to help, but sending everyone in ubuntu-security and motu-swat bugmail asking a question you can trivially look up for yourself doesn't really get there.

http://launchpadlibrarian.net/25468149/openafs_1.4.1-2%2Bubuntu0.1.debdiff contains a patch for this vulnerability, as well as OPENAFS-SA-2009-001 and 2009-002 (bug #356861)

This was released for dapper today.