OpenAFS Security Advisories 2009-001 and 2009-002

Bug #356861 reported by Anders Kaseorg on 2009-04-07
258
Affects Status Importance Assigned to Milestone
openafs (Ubuntu)
Undecided
Unassigned
Declined for Gutsy by Kees Cook
Dapper
Undecided
Marc Deslauriers
Hardy
Undecided
Unassigned
Intrepid
Undecided
Marc Deslauriers
Jaunty
Undecided
Unassigned

Bug Description

To fix this for...

Dapper: http://launchpadlibrarian.net/25552980/openafs_1.4.1-2%2Bubuntu0.1.debdiff
This additionally fixes OPENAFS-SA-2007-003 (aka CVE-2007-6599 aka bug #180792) and OPENAFS-SA-2007-001 (aka CVE-2007-1507 aka bug #94787)

Hardy: http://launchpadlibrarian.net/25552981/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff

Intrepid: http://launchpadlibrarian.net/25552982/openafs_1.4.7.dfsg1-6%2Bubuntu0.1.debdiff

Jaunty: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.dsc
(debdiff for reference: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff )

===

Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>

OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.

OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack.

Anders Kaseorg (andersk) on 2009-04-07
visibility: private → public
Changed in openafs (Ubuntu):
status: New → Confirmed
Evan Broder (broder) wrote :

Be careful choosing version numbers for this. The normal mechanism for an Ubuntu security version number will result in kernel modules with a lower version than the current modules. Something like 1.4.7.dfsg1-6+ubuntu0.1 should work for Intrepid:

priscus:~ evan$ dpkg --compare-versions '1.4.7.dfsg1-6+2.6.27-11.27' lt '1.4.7.dfsg1-6ubuntu0.1+2.6.27-11.27' && echo "Yes" || echo "No"
No
priscus:~ evan$ dpkg --compare-versions '1.4.7.dfsg1-6+2.6.27-11.27' lt '1.4.7.dfsg1-6+ubuntu0.1+2.6.27-11.27' && echo "Yes" || echo "No"
Yes

Anders Kaseorg (andersk) wrote :

I have built a 1.4.9 update for Jaunty:
  http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.dsc
  http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.diff.gz
  http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1.orig.tar.gz
Although it has a new upstream version, this is a minimal update to fix only these two security issues. Debdiff from Jaunty’s 1.4.8.dfsg1-3:
  http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff
The package has been built and tested in my PPA:
  https://launchpad.net/~anders-kaseorg/+archive/ppa

Alternatively, we could wait for 1.4.10 to hit sid (it’s currently sitting on incoming.debian.org) and sync that into Jaunty. I would prefer 1.4.10, since it has a number of other bugfixes (release announcement: <http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>), but I will leave that decision up to the sponsors team.

Anders Kaseorg (andersk) wrote :

Changelog from 1.4.8.dfsg1-3 to 1.4.9.dfsg1-0+ubuntu1:

 openafs (1.4.9.dfsg1-0+ubuntu1) jaunty; urgency=low
 .
   * New upstream release.
     - Fix OPENAFS-SA-2009-001 - Network based buffer overflow attack
       against Unix cache manager. (LP: #356861)
     - Fix OPENAFS-SA-2009-002 - Denial of service attack against Linux
       cache manager. (LP: #356861)

Changelog from 1.4.8.dfsg1-3 to 1.4.10+dfsg1-1:

 openafs (1.4.10+dfsg1-1) unstable; urgency=high
 .
   * New upstream release.
     - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
       items than requested are returned from an InlineBulk or BulkStatus
       message. (CVE-2009-1251)
     - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
       kernel memory pointers. (CVE-2009-1250)
     - Preliminary support for 2.6.30 kernels.
     - Dynamic vcache allocation support to deal with inotify vcache
       pinning.
     - Do appropriate locking for CellServDB in /proc.
     - Use +dfsg instead of .dfsg for saner version sorting.
   * Debian's 2.6.29 packages no longer include symlinks from the
     architecture-specific header tree to the common header tree and
     instead overlay both header trees using kbuild. Change the Autoconf
     probes to always use kbuild and generate stub headers in the paths
     that OpenAFS expects that include the linux headers. Patch from Aaron
     M. Ucko. (Closes: #521745)
   * Build PIC versions of libafsauthent and libafsrpc and install them in
     libopenafs-dev for use when AFS code should be embedded into shared
     libraries. Patch from Garrett Wollman.
   * Update CellServDB to 2008-11-07 version. (Closes: #522451)
   * Update debian/watch for +dfsg naming instead of .dfsg.
   * Update standards version to 3.8.1 (no changes required).
   * Translation updates:
     - Japanese, thanks Hideki Yamane. (Closes: #521518)

Anders Kaseorg (andersk) wrote :

1.4.10+dfsg1-1 is now in sid, so we can fix this by syncing 1.4.10+dfsg1-1 from sid into Jaunty. This is my preferred solution, but if you feel a minimal patch would be better, see above.

Anders Kaseorg (andersk) wrote :

To fix this for Intrepid, please sync openafs 1.4.7.dfsg1-6+lenny1 from Debian stable into Intrepid. Full changelog since Intrepid’s 1.4.7.dfsg1-6:

openafs (1.4.7.dfsg1-6+lenny1) stable-security; urgency=high

  * Apply upstream security patches from 1.4.9:
    - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
      items than requested are returned from an InlineBulk or BulkStatus
      message. (CVE-2009-1251)
    - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
      kernel memory pointers. (CVE-2009-1250)

 -- Russ Allbery <email address hidden> Mon, 06 Apr 2009 15:53:20 -0700

Evan Broder (broder) wrote :

Here's a patch for Hardy that includes those two patches. There is a build in my PPA (https://launchpad.net/~broder/+archive/ppa) with the patch.

Evan Broder (broder) wrote :

Whoops - here's a patch for Hardy that includes the LP closer.

Evan Broder (broder) wrote :

I've built this package in my PPA. I've also installed it and used the new openafs-modules-source package to build the new version of the kernel modules, which built successfully and installed successfully. I was able to use AFS after installing the new kernel modules.

Changed in openafs (Ubuntu Hardy):
status: New → In Progress
Evan Broder (broder) wrote :

Here is a patch for Ubuntu Dapper. It also includes a patch for OPENAFS-SA-2007-003 aka CVE-2007-6599 aka LP bug #180792.

Evan Broder (broder) wrote :

I've uploaded a package with the patch I attached to my PPA, where it built successfully. I installed it on a test Dapper machine, and was able to build, install, and use the AFS kernel module.

Changed in openafs (Ubuntu Dapper):
status: New → In Progress
Evan Broder (broder) wrote :

Here are the portions of upstream changelog for 1.4.8 -> 1.4.10 that are relevant for Linux:

Linux:
- Support for Linux through kernel 2.6.29 and prereleases of 2.6.30.
- Corrected support for some Linux VM system functionality.
- Dynamic vcache pool allocation on Linux to address issues with inotify()
   (as used by famd, beagle and other file monitor programs).

All platforms:
- Fixes for shutdown issues caused by memory double-freeing.
- Support for multiple local Kerberos realms (where username space is
   identical between realms)
- Ubik database recovery issues in database servers corrected.
- Rx idle time tracking fixes.
- Corrected host tracking and hashing in the fileserver.
- Rx network stack corrected to avoid double-freeing packets due to a
   race.

Evan Broder (broder) wrote :

Here is the build log of 1.4.10 from my PPA. The only change from the 1.4.10 package in Debian was the addition of the PPA changelog entry.

Evan Broder (broder) wrote :

Here is a log of the install of 1.4.10 from my PPA, as well as some quick testing.

I uninstalled the package and then installed it again, so I didn't get the normal debconf prompts this time. There are two high priority prompts - one for what your home cell is, and one for how large your AFS cache should be.

Evan Broder (broder) on 2009-04-15
description: updated
summary: - OpenAFS Security Advisories 2009-001 and 2009-002
+ [FinalFreezeException] OpenAFS Security Advisories 2009-001 and 2009-002

Here is the full list of deltas that were included in 1.4.10.

Luca Falavigna (dktrkranz) wrote :

Since we don't have 2.6.29 in Jaunty, I'd like to weigh changes to fix security fixes and major bugfixes only, just to limit regression potential at the minimum. We're releasing in a week, and we'll cease to upload fixes for universe even sooner, so there would no time to catch a regression.

Changed in openafs (Ubuntu Jaunty):
status: Confirmed → New
Evan Broder (broder) on 2009-04-15
description: updated
summary: - [FinalFreezeException] OpenAFS Security Advisories 2009-001 and 2009-002
+ OpenAFS Security Advisories 2009-001 and 2009-002
Changed in openafs (Ubuntu Jaunty):
status: New → In Progress
Anders Kaseorg (andersk) on 2009-04-15
description: updated
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs.

The dapper debdiff needs a patch for CVE-2007-1507. See LP#94787.

Also, could someone make a debdiff for intrepid?

Changed in openafs (Ubuntu Dapper):
assignee: nobody → mdeslaur
status: In Progress → Incomplete
Changed in openafs (Ubuntu Intrepid):
assignee: nobody → mdeslaur
status: New → Incomplete
Evan Broder (broder) wrote :

Here's a new patch for Dapper that includes the OPENAFS-SA-2007-001 patch. I don't have easy access to a Dapper machine (I have to install a VM when I need one), so I don't know when I'll be able to test this, but the added patch is pretty simple:

--- openafs-1.4.1.orig/src/afs/afs_cell.c
+++ openafs-1.4.1/src/afs/afs_cell.c
@@ -708,8 +708,7 @@
  tc->vlport = AFS_VLPORT;
  RWLOCK_INIT(&tc->lock, "cell lock");
  newc = 1;
- if (afs_thiscell && !strcmp(acellName, afs_thiscell))
- aflags &= ~CNoSUID;
+ aflags |= CNoSUID;
     }
     ObtainWriteLock(&tc->lock, 688);

Evan Broder (broder) wrote :

Hmm...didn't quite get the indentation on that last one. Should have looked more like this (hopefully?):
--- openafs-1.4.1.orig/src/afs/afs_cell.c
+++ openafs-1.4.1/src/afs/afs_cell.c
@@ -708,8 +708,7 @@
        tc->vlport = AFS_VLPORT;
        RWLOCK_INIT(&tc->lock, "cell lock");
        newc = 1;
- if (afs_thiscell && !strcmp(acellName, afs_thiscell))
- aflags &= ~CNoSUID;
+ aflags |= CNoSUID;
     }
     ObtainWriteLock(&tc->lock, 688);

Anyway, here's the debdiff for the version that should get synced from Debian. Do you want a version of the patch with an Ubuntu-style version number and LP closers?

description: updated
Changed in openafs (Ubuntu Dapper):
status: Incomplete → In Progress
Changed in openafs (Ubuntu Intrepid):
status: Incomplete → In Progress
Marc Deslauriers (mdeslaur) wrote :

Thanks for the dapper debdiff. Could you change the version and add the LP bugs to the intrepid one, please?

I'll build and release them as soon as I get the intrepid debdiff.

Thanks.

Changed in openafs (Ubuntu Intrepid):
status: In Progress → Incomplete

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are new debdiffs for Dapper, Hardy, and Intrepid - I wanted to
add the openafs-client.NEWS changes for Dapper and Intrepid to make
sure that people were notified to rebuild their kernel modules.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknnfXoACgkQ8mayMfLWcrCsZwCfe0s0sI1nBEloDEm8on283Y0p
Zp4An09wkuBcH4+KJJUFkhKymlVUII/Q
=eJFd
-----END PGP SIGNATURE-----

description: updated
Changed in openafs (Ubuntu Intrepid):
status: Incomplete → In Progress
Changed in openafs (Ubuntu Dapper):
status: In Progress → Fix Committed
Changed in openafs (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in openafs (Ubuntu Intrepid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.4.9.dfsg1-0+ubuntu1

---------------
openafs (1.4.9.dfsg1-0+ubuntu1) jaunty; urgency=low

  * New upstream release.
    - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
      items than requested are returned from an InlineBulk or BulkStatus
      message. (CVE-2009-1251) (LP: #356861)
    - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
      kernel memory pointers. (CVE-2009-1250) (LP: #356861)

 -- Anders Kaseorg <email address hidden> Tue, 07 Apr 2009 16:41:24 -0400

Changed in openafs (Ubuntu Jaunty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.4.7.dfsg1-6+ubuntu0.1

---------------
openafs (1.4.7.dfsg1-6+ubuntu0.1) intrepid-security; urgency=low

  * Apply upstream security patches from 1.4.9 (LP: #356861):
    - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
      items than requested are returned from an InlineBulk or BulkStatus
      message. (CVE-2009-1251)
    - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
      kernel memory pointers. (CVE-2009-1250)

 -- Evan Broder <email address hidden> Thu, 16 Apr 2009 14:31:15 -0400

Changed in openafs (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in openafs (Ubuntu Dapper):
status: Fix Committed → Fix Released
Changed in openafs (Ubuntu Hardy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers