diff -u openafs-1.4.6.dfsg1/debian/patches/series openafs-1.4.6.dfsg1/debian/patches/series --- openafs-1.4.6.dfsg1/debian/patches/series +++ openafs-1.4.6.dfsg1/debian/patches/series @@ -1,3 +1,5 @@ +openafs-sa-2009-002.patch -p0 +openafs-sa-2009-001.patch -p0 dfsg paths fstrace-paths diff -u openafs-1.4.6.dfsg1/debian/control openafs-1.4.6.dfsg1/debian/control --- openafs-1.4.6.dfsg1/debian/control +++ openafs-1.4.6.dfsg1/debian/control @@ -1,7 +1,8 @@ Source: openafs Section: net Priority: optional -Maintainer: Sam Hartman +Maintainer: Ubuntu MOTU Developers +XSBC-Original-Maintainer: Sam Hartman Uploaders: Russ Allbery Build-Depends: debhelper (>= 5), libncurses5-dev, libpam0g-dev, bison, flex, perl, comerr-dev, libkrb5-dev, autoconf, automake, quilt (>= 0.40) diff -u openafs-1.4.6.dfsg1/debian/rules openafs-1.4.6.dfsg1/debian/rules --- openafs-1.4.6.dfsg1/debian/rules +++ openafs-1.4.6.dfsg1/debian/rules @@ -217,11 +217,11 @@ DH_OPTIONS= dh_installinit -popenafs-fileserver -r dh_link dh_strip --dbg-package=openafs-dbg - rm -r debian/openafs-dbg/usr/lib/debug/lib - rm -r debian/openafs-dbg/usr/lib/debug/sbin - rm -r debian/openafs-dbg/usr/lib/debug/usr/bin - rm -r debian/openafs-dbg/usr/lib/debug/usr/sbin - cd debian/openafs-dbg/usr/lib/debug/usr/lib/openafs \ + -rm -r debian/openafs-dbg/usr/lib/debug/lib + -rm -r debian/openafs-dbg/usr/lib/debug/sbin + -rm -r debian/openafs-dbg/usr/lib/debug/usr/bin + -rm -r debian/openafs-dbg/usr/lib/debug/usr/sbin + -cd debian/openafs-dbg/usr/lib/debug/usr/lib/openafs \ && rm buserver ptserver salvager upserver upclient vlserver dh_compress dh_fixperms diff -u openafs-1.4.6.dfsg1/debian/changelog openafs-1.4.6.dfsg1/debian/changelog --- openafs-1.4.6.dfsg1/debian/changelog +++ openafs-1.4.6.dfsg1/debian/changelog 
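Review bot: In the debian/rules hunk, prefixing each cleanup command with `-` makes make ignore every failure of that command, not only a missing path. A permission error or a mistyped path under debian/openafs-dbg would now pass silently, and the debug files meant to be removed could end up in the package. `rm -rf debian/openafs-dbg/usr/lib/debug/lib` (and likewise for the other three directories) tolerates an absent path while still failing on real errors. The `-cd ... && rm ...` line could be guarded by a test that the directory exists, rather than ignoring the exit status of the whole command.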
@@ -1,3 +1,15 @@ +openafs (1.4.6.dfsg1-2+ubuntu0.1) hardy-security; urgency=low + + * Apply upstream security patches from 1.4.9 (LP: #356861): + - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more + items than requested are returned from an InlineBulk or BulkStatus + message. (CVE-2009-1251) + - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid + kernel memory pointers. (CVE-2009-1250) + * Fix a FTBFS when trying to delete non-existant files and directories. + + -- Evan Broder Tue, 14 Apr 2009 13:59:51 -0400 + openafs (1.4.6.dfsg1-2) unstable; urgency=low * Apply additional upstream patches to the 2.6.24 support to fix only in patch2: unchanged: --- openafs-1.4.6.dfsg1.orig/debian/patches/openafs-sa-2009-001.patch +++ openafs-1.4.6.dfsg1/debian/patches/openafs-sa-2009-001.patch 
@@ -0,0 +1,82 @@
+Index: src/afs/VNOPS/afs_vnop_lookup.c
+===================================================================
+--- src/afs/VNOPS/afs_vnop_lookup.c 2009-04-01 17:01:49.000000000 +0100
++++ src/afs/VNOPS/afs_vnop_lookup.c 2009-04-01 17:01:58.000000000 +0100
+@@ -538,8 +538,6 @@
+ int nskip; /* # of slots in the LRU queue to skip */
+ struct vcache *lruvcp; /* vcache ptr of our goal pos in LRU queue */
+ struct dcache *dcp; /* chunk containing the dir block */
+- char *statMemp; /* status memory block */
+- char *cbfMemp; /* callback and fid memory block */
+ afs_size_t temp; /* temp for holding chunk length, &c. */
+ struct AFSFid *fidsp; /* file IDs were collecting */
+ struct AFSCallBack *cbsp; /* call back pointers */
+@@ -597,13 +595,11 @@
+ * one for fids and callbacks, and one for stat info. Well set
+ * up our pointers to the memory from there, too.
+ */
+- statMemp = osi_AllocLargeSpace(nentries * sizeof(AFSFetchStatus));
+- statsp = (struct AFSFetchStatus *)statMemp;
+- cbfMemp =
+- osi_AllocLargeSpace(nentries *
+- (sizeof(AFSCallBack) + sizeof(AFSFid)));
+- fidsp = (AFSFid *) cbfMemp;
+- cbsp = (AFSCallBack *) (cbfMemp + nentries * sizeof(AFSFid));
++ statsp = (AFSFetchStatus *)
++ osi_Alloc(AFSCBMAX * sizeof(AFSFetchStatus));
++ fidsp = (AFSFid *) osi_AllocLargeSpace(nentries * sizeof(AFSFid));
++ cbsp = (AFSCallBack *)
++ osi_Alloc(AFSCBMAX * sizeof(AFSCallBack));
+
+ /* next, we must iterate over the directory, starting from the specified
+ * cookie offset (dirCookie), and counting out nentries file entries.
+@@ -1091,8 +1087,9 @@
+ code = 0;
+ }
+ done2:
+- osi_FreeLargeSpace(statMemp);
+- osi_FreeLargeSpace(cbfMemp);
++ osi_FreeLargeSpace((char *)fidsp);
++ osi_Free((char *)statsp, AFSCBMAX * sizeof(AFSFetchStatus));
++ osi_Free((char *)cbsp, AFSCBMAX * sizeof(AFSCallBack));
+ return code;
+ }
+
+Index: src/sys/rmtsysc.c
+===================================================================
+--- src/sys/rmtsysc.c 2009-03-23 12:39:25.000000000 +0000
++++ src/sys/rmtsysc.c 2009-04-01 17:17:16.000000000 +0100
+@@ -241,8 +241,14 @@
+ InData.rmtbulk_len = data->in_size;
+ InData.rmtbulk_val = inbuffer;
+ inparam_conversion(cmd, InData.rmtbulk_val, 0);
+- OutData.rmtbulk_len = data->out_size;
+- OutData.rmtbulk_val = data->out;
++
++ OutData.rmtbulk_len = MAXBUFFERLEN * sizeof(*OutData.rmtbulk_val);
++ OutData.rmtbulk_val = malloc(OutData.rmtbulk_len);
++ if (!OutData.rmtbulk_val) {
++ free(inbuffer);
++ return -1;
++ }
++
+ /* We always need to pass absolute pathnames to the remote pioctl since we
+ * lose the current directory value when doing an rpc call. Below we
+ * prepend the current absolute path directory, if the name is relative */
+@@ -279,8 +285,15 @@
+ if (!errorcode) {
+ /* Do the conversions back to the host order; store the results back
+ * on the same buffer */
+- outparam_conversion(cmd, OutData.rmtbulk_val, 1);
++ if (data->out_size < OutData.rmtbulk_len) {
++ errno = EINVAL;
++ errorcode = -1;
++ } else {
++ memcpy(data->out, OutData.rmtbulk_val, data->out_size);
++ outparam_conversion(cmd, data->out, 1);
++ }
+ }
++ free(OutData.rmtbulk_val);
+ free(inbuffer);
+ return errorcode;
+ }
only in patch2:
unchanged:
--- openafs-1.4.6.dfsg1.orig/debian/patches/openafs-sa-2009-002.patch
+++ openafs-1.4.6.dfsg1/debian/patches/openafs-sa-2009-002.patch
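Review bot: In the src/sys/rmtsysc.c part of openafs-sa-2009-001.patch, `memcpy(data->out, OutData.rmtbulk_val, data->out_size);` copies the caller's buffer size rather than the amount held in the temporary buffer, and the guard before it only rejects `data->out_size < OutData.rmtbulk_len`. The temporary buffer is allocated with `MAXBUFFERLEN * sizeof(*OutData.rmtbulk_val)` bytes, so an `out_size` larger than that would make the copy read past the end of the heap allocation and return the extra bytes to the caller. Copying the returned length keeps both sides in bounds: `memcpy(data->out, OutData.rmtbulk_val, OutData.rmtbulk_len);`. This assumes the RPC stub leaves `rmtbulk_len` at or below the allocated size, which is not visible here. The enclosing function starts outside the quoted hunks.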
@@ -0,0 +1,58 @@
+Index: src/afs/LINUX/osi_vnodeops.c
+===================================================================
+RCS file: /cvs/openafs/src/afs/LINUX/osi_vnodeops.c,v
+retrieving revision 1.81.2.77
+diff -u -r1.81.2.77 osi_vnodeops.c
+--- src/afs/LINUX/osi_vnodeops.c 19 Mar 2009 04:54:50 -0000 1.81.2.77
++++ src/afs/LINUX/osi_vnodeops.c 1 Apr 2009 19:12:50 -0000
+@@ -45,6 +45,10 @@
+ #define pageoff(pp) pp->offset
+ #endif
+
++#ifndef MAX_ERRNO
++#define MAX_ERRNO 1000L
++#endif
++
+ #if defined(AFS_LINUX26_ENV)
+ #define UnlockPage(pp) unlock_page(pp)
+ extern struct backing_dev_info afs_backing_dev_info;
+@@ -1087,8 +1087,10 @@
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,10)
+ if (code == ENOENT)
+ return ERR_PTR(0);
+- else
++ else if ((code >= 0) && (code <= MAX_ERRNO))
+ return ERR_PTR(-code);
++ else
++ return ERR_PTR(-EIO);
+ #else
+ if (code == ENOENT)
+ code = 0;
+@@ -1429,7 +1431,10 @@
+
+ if (code < 0) {
+ dput(basep);
+- res = ERR_PTR(code);
++ if (code < -MAX_ERRNO)
++ res = ERR_PTR(-EIO);
++ else
++ res = ERR_PTR(code);
+ } else {
+ name[code] = '\0';
+ res = lookup_dentry(name, basep, follow);
+Index: src/afs/VNOPS/afs_vnop_lookup.c
+===================================================================
+RCS file: /cvs/openafs/src/afs/VNOPS/afs_vnop_lookup.c,v
+retrieving revision 1.50.2.22
+diff -u -r1.50.2.22 afs_vnop_lookup.c
+--- src/afs/VNOPS/afs_vnop_lookup.c 26 Aug 2008 14:02:14 -0000 1.50.2.22
++++ src/afs/VNOPS/afs_vnop_lookup.c 1 Apr 2009 19:12:51 -0000
+@@ -1081,7 +1081,7 @@
+ afs_PutVolume(volp, READ_LOCK);
+
+ /* If we did the InlineBulk RPC pull out the return code */
+- if (inlinebulk) {
++ if (inlinebulk && code == 0) {
+ if ((&statsp[0])->errorCode) {
+ afs_Analyze(tcp, (&statsp[0])->errorCode, &adp->fid, areqp,
+ AFS_STATS_FS_RPCIDX_BULKSTATUS, SHARED_LOCK, NULL);
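Review bot: The fallback `#define MAX_ERRNO 1000L` added to src/afs/LINUX/osi_vnodeops.c has no comment saying which limit it stands for, although both new range checks (`code <= MAX_ERRNO` in the hunk at line 1087 and `code < -MAX_ERRNO` in the hunk at line 1431) depend on it matching what the kernel's IS_ERR() accepts. A comment such as `/* Fallback for kernels whose headers lack MAX_ERRNO; must match the range IS_ERR() treats as an error pointer. */` would record that. Both checks pass the boundary value itself through to ERR_PTR(), so it is worth confirming that IS_ERR() also counts -MAX_ERRNO as an error on kernels that take the fallback. If it does not, the comparisons need to be strict. The functions containing both checks start and end outside the hunks.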