OpenAFS Security Advisories 2009-001 and 2009-002

Be careful choosing version numbers for this. The normal mechanism for an Ubuntu security version number will result in kernel modules with a lower version than the current modules. Something like 1.4.7.dfsg1-6+ubuntu0.1 should work for Intrepid:

priscus:~ evan$ dpkg --compare-versions '1.4.7.dfsg1-6+2.6.27-11.27' lt '1.4.7.dfsg1-6ubuntu0.1+2.6.27-11.27' && echo "Yes" || echo "No"
No
priscus:~ evan$ dpkg --compare-versions '1.4.7.dfsg1-6+2.6.27-11.27' lt '1.4.7.dfsg1-6+ubuntu0.1+2.6.27-11.27' && echo "Yes" || echo "No"
Yes

I have built a 1.4.9 update for Jaunty:
  http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.dsc
  http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.diff.gz
  http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1.orig.tar.gz
Although it has a new upstream version, this is a minimal update to fix only these two security issues. Debdiff from Jaunty’s 1.4.8.dfsg1-3:
  http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff
The package has been built and tested in my PPA:
  https://launchpad.net/~anders-kaseorg/+archive/ppa

Alternatively, we could wait for 1.4.10 to hit sid (it’s currently sitting on incoming.debian.org) and sync that into Jaunty. I would prefer 1.4.10, since it has a number of other bugfixes (release announcement: <http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>), but I will leave that decision up to the sponsors team.

Changelog from 1.4.8.dfsg1-3 to 1.4.9.dfsg1-0+ubuntu1:

 openafs (1.4.9.dfsg1-0+ubuntu1) jaunty; urgency=low
 .
   * New upstream release.
     - Fix OPENAFS-SA-2009-001 - Network based buffer overflow attack
       against Unix cache manager. (LP: #356861)
     - Fix OPENAFS-SA-2009-002 - Denial of service attack against Linux
       cache manager. (LP: #356861)

Changelog from 1.4.8.dfsg1-3 to 1.4.10+dfsg1-1:

 openafs (1.4.10+dfsg1-1) unstable; urgency=high
 .
   * New upstream release.
     - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
       items than requested are returned from an InlineBulk or BulkStatus
       message. (CVE-2009-1251)
     - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
       kernel memory pointers. (CVE-2009-1250)
     - Preliminary support for 2.6.30 kernels.
     - Dynamic vcache allocation support to deal with inotify vcache
       pinning.
     - Do appropriate locking for CellServDB in /proc.
     - Use +dfsg instead of .dfsg for saner version sorting.
   * Debian's 2.6.29 packages no longer include symlinks from the
     architecture-specific header tree to the common header tree and
     instead overlay both header trees using kbuild. Change the Autoconf
     probes to always use kbuild and generate stub headers in the paths
     that OpenAFS expects that include the linux headers. Patch from Aaron
     M. Ucko. (Closes: #521745)
   * Build PIC versions of libafsauthent and libafsrpc and install them in
     libopenafs-dev for use when AFS code should be embedded into shared
     libraries. Patch from Garrett Wollman.
   * Update CellServDB to 2008-11-07 version. (Closes: #522451)
   * Update debian/watch for +dfsg naming instead of .dfsg.
   * Update standards version to 3.8.1 (no changes required).
   * Translation updates:
     - Japanese, thanks Hideki Yamane. (Closes: #521518)

1.4.10+dfsg1-1 is now in sid, so we can fix this by syncing 1.4.10+dfsg1-1 from sid into Jaunty. This is my preferred solution, but if you feel a minimal patch would be better, see above.

To fix this for Intrepid, please sync openafs 1.4.7.dfsg1-6+lenny1 from Debian stable into Intrepid. Full changelog since Intrepid’s 1.4.7.dfsg1-6:

openafs (1.4.7.dfsg1-6+lenny1) stable-security; urgency=high

  * Apply upstream security patches from 1.4.9:
    - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
      items than requested are returned from an InlineBulk or BulkStatus
      message. (CVE-2009-1251)
    - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
      kernel memory pointers. (CVE-2009-1250)

 -- Russ Allbery <email address hidden> Mon, 06 Apr 2009 15:53:20 -0700

Here's a patch for Hardy that includes those two patches. There is a build in my PPA (https://launchpad.net/~broder/+archive/ppa) with the patch.

Whoops - here's a patch for Hardy that includes the LP closer.

I've built this package in my PPA. I've also installed it and used the new openafs-modules-source package to build the new version of the kernel modules, which built successfully and installed successfully. I was able to use AFS after installing the new kernel modules.

Here is a patch for Ubuntu Dapper. It also includes a patch for OPENAFS-SA-2007-003 aka CVE-2007-6599 aka LP bug #180792.

I've uploaded a package with the patch I attached to my PPA, where it built successfully. I installed it on a test Dapper machine, and was able to build, install, and use the AFS kernel module.

Here are the portions of upstream changelog for 1.4.8 -> 1.4.10 that are relevant for Linux:

Linux:
- Support for Linux through kernel 2.6.29 and prereleases of 2.6.30.
- Corrected support for some Linux VM system functionality.
- Dynamic vcache pool allocation on Linux to address issues with inotify()
   (as used by famd, beagle and other file monitor programs).

All platforms:
- Fixes for shutdown issues caused by memory double-freeing.
- Support for multiple local Kerberos realms (where username space is
   identical between realms)
- Ubik database recovery issues in database servers corrected.
- Rx idle time tracking fixes.
- Corrected host tracking and hashing in the fileserver.
- Rx network stack corrected to avoid double-freeing packets due to a
   race.

Here is the build log of 1.4.10 from my PPA. The only change from the 1.4.10 package in Debian was the addition of the PPA changelog entry.

Here is a log of the install of 1.4.10 from my PPA, as well as some quick testing.

I uninstalled the package and then installed it again, so I didn't get the normal debconf prompts this time. There are two high priority prompts - one for what your home cell is, and one for how large your AFS cache should be.

Here is the full list of deltas that were included in 1.4.10.

Since we don't have 2.6.29 in Jaunty, I'd like to weigh changes to fix security fixes and major bugfixes only, just to limit regression potential at the minimum. We're releasing in a week, and we'll cease to upload fixes for universe even sooner, so there would no time to catch a regression.

Thanks for the debdiffs.

The dapper debdiff needs a patch for CVE-2007-1507. See LP#94787.

Also, could someone make a debdiff for intrepid?

Here's a new patch for Dapper that includes the OPENAFS-SA-2007-001 patch. I don't have easy access to a Dapper machine (I have to install a VM when I need one), so I don't know when I'll be able to test this, but the added patch is pretty simple:

--- openafs-1.4.1.orig/src/afs/afs_cell.c
+++ openafs-1.4.1/src/afs/afs_cell.c
@@ -708,8 +708,7 @@
  tc->vlport = AFS_VLPORT;
  RWLOCK_INIT(&tc->lock, "cell lock");
  newc = 1;
- if (afs_thiscell && !strcmp(acellName, afs_thiscell))
- aflags &= ~CNoSUID;
+ aflags |= CNoSUID;
     }
     ObtainWriteLock(&tc->lock, 688);

Hmm...didn't quite get the indentation on that last one. Should have looked more like this (hopefully?):
--- openafs-1.4.1.orig/src/afs/afs_cell.c
+++ openafs-1.4.1/src/afs/afs_cell.c
@@ -708,8 +708,7 @@
        tc->vlport = AFS_VLPORT;
        RWLOCK_INIT(&tc->lock, "cell lock");
        newc = 1;
- if (afs_thiscell && !strcmp(acellName, afs_thiscell))
- aflags &= ~CNoSUID;
+ aflags |= CNoSUID;
     }
     ObtainWriteLock(&tc->lock, 688);

Anyway, here's the debdiff for the version that should get synced from Debian. Do you want a version of the patch with an Ubuntu-style version number and LP closers?

Thanks for the dapper debdiff. Could you change the version and add the LP bugs to the intrepid one, please?

I'll build and release them as soon as I get the intrepid debdiff.

Thanks.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are new debdiffs for Dapper, Hardy, and Intrepid - I wanted to
add the openafs-client.NEWS changes for Dapper and Intrepid to make
sure that people were notified to rebuild their kernel modules.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknnfXoACgkQ8mayMfLWcrCsZwCfe0s0sI1nBEloDEm8on283Y0p
Zp4An09wkuBcH4+KJJUFkhKymlVUII/Q
=eJFd
-----END PGP SIGNATURE-----

This bug was fixed in the package openafs - 1.4.9.dfsg1-0+ubuntu1

---------------
openafs (1.4.9.dfsg1-0+ubuntu1) jaunty; urgency=low

  * New upstream release.
    - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
      items than requested are returned from an InlineBulk or BulkStatus
      message. (CVE-2009-1251) (LP: #356861)
    - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
      kernel memory pointers. (CVE-2009-1250) (LP: #356861)

 -- Anders Kaseorg <email address hidden> Tue, 07 Apr 2009 16:41:24 -0400

This bug was fixed in the package openafs - 1.4.7.dfsg1-6+ubuntu0.1

---------------
openafs (1.4.7.dfsg1-6+ubuntu0.1) intrepid-security; urgency=low

  * Apply upstream security patches from 1.4.9 (LP: #356861):
    - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
      items than requested are returned from an InlineBulk or BulkStatus
      message. (CVE-2009-1251)
    - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
      kernel memory pointers. (CVE-2009-1250)

 -- Evan Broder <email address hidden> Thu, 16 Apr 2009 14:31:15 -0400