diff -u openafs-1.4.12+dfsg/debian/changelog openafs-1.4.12+dfsg/debian/changelog --- openafs-1.4.12+dfsg/debian/changelog +++ openafs-1.4.12+dfsg/debian/changelog @@ -1,3 +1,14 @@ +openafs (1.4.12+dfsg-3+ubuntu0.2) lucid-security; urgency=low + + * Apply upstream security patches: + - OPENAFS-SA-2013-001: Fix fileserver buffer overflow when parsing + client-supplied ACL entries and protect against client parsing of + bad ACL entries. (CVE-2013-1794) (LP: #1145560) + - OPENAFS-SA-2013-002: Fix ptserver buffer overflow via integer + overflow in the IdToName RPC. (CVE-2013-1795) (LP: #1145560) + + -- Luke Faraone Tue, 05 Mar 2013 02:23:07 -0500 + openafs (1.4.12+dfsg-3+ubuntu0.1) lucid-security; urgency=low * SECURITY UPDATE: update ticket5 from heimdal. Avoids a double-free which only in patch2: unchanged: --- openafs-1.4.12+dfsg.orig/src/libadmin/client/afs_clientAdmin.c +++ openafs-1.4.12+dfsg/src/libadmin/client/afs_clientAdmin.c @@ -1530,7 +1530,7 @@ */ is_dfs = - sscanf(old_acl_string, "%d dfs:%d %s", &cur_acl.nplus, &cur_acl.dfs, + sscanf(old_acl_string, "%d dfs:%d %1024s", &cur_acl.nplus, &cur_acl.dfs, cur_acl.cell); ptr = strchr(old_acl_string, '\n'); ptr++; @@ -1555,7 +1555,7 @@ */ for (i = 0; i < (cur_acl.nplus + cur_acl.nminus); i++) { - sscanf(ptr, "%s%d\n", cur_user, &cur_user_acl); + sscanf(ptr, "%63s%d\n", cur_user, &cur_user_acl); /* * Skip the entry for the user we are replacing/adding */ only in patch2: unchanged: --- openafs-1.4.12+dfsg.orig/src/ptserver/ptprocs.c +++ openafs-1.4.12+dfsg/src/ptserver/ptprocs.c @@ -691,7 +691,7 @@ size = aid->idlist_len; if (size == 0) return 0; - if (size < 0) + if (size < 0 || size > INT_MAX / PR_MAXNAMELEN) return PRTOOMANY; aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN); aname->namelist_len = 0; only in patch2: unchanged: --- openafs-1.4.12+dfsg.orig/src/libacl/aclprocs.c +++ openafs-1.4.12+dfsg/src/libacl/aclprocs.c @@ -23,6 +23,7 @@ #else #include #endif +#include #include #include #include 
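Review bot: In the `@@ -1530` hunk of afs_clientAdmin.c the result of `strchr(old_acl_string, '\n')` is incremented without a NULL check, so an ACL string with no newline leaves `ptr` invalid before the entry loop reads from it. Since this patch is meant to harden client parsing of bad ACL data, I would add `if (ptr == NULL)` ahead of `ptr++` and leave through the function's existing failure path, which is outside the hunk. The new `%1024s` width is only safe if `cur_acl.cell` holds at least 1025 bytes; its declaration is not visible here, so that should be confirmed.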
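Review bot: The `sscanf(ptr, "%63s%d\n", cur_user, &cur_user_acl)` call in the `@@ -1555` hunk still ignores its return value, so a malformed entry leaves `cur_user` and `cur_user_acl` holding whatever an earlier iteration stored, or nothing at all on the first pass. The loop bound `cur_acl.nplus + cur_acl.nminus` comes from the same parsed string, so the declared count and the entries actually present can disagree. I would write `if (sscanf(ptr, "%63s%d\n", cur_user, &cur_user_acl) != 2)` and fail the call; the loop body continues outside the hunk. The same unchecked pattern remains in the fs.c hunks at `@@ -587` and `@@ -605`.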
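Review bot: The new upper bound `size > INT_MAX / PR_MAXNAMELEN` in ptprocs.c stops the multiplication from overflowing, but it still lets a client-supplied `idlist_len` request an allocation close to INT_MAX bytes in a single RPC. A much smaller protocol-level cap on `size` would limit memory pressure from one caller; at minimum I would add a comment such as `/* bound prevents size * PR_MAXNAMELEN overflow only; it does not limit allocation size */`. The hunk ends before any check of the `malloc` result, so I cannot tell whether a failed allocation is handled. Unlike aclprocs.c, this file gets no new include in the patch, so `INT_MAX` presumably arrives through an existing header, which is worth confirming on every supported platform.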
@@ -247,7 +248,7 @@ if (sscanf(elist, "%d\n%d\n", &p, &n) != 2) return -1; - if (p + n > ACL_MAXENTRIES) + if (p < 0 || n < 0 || p > INT_MAX - n || p + n > ACL_MAXENTRIES) return (-1); acl_NewACL(p + n, acl); (*acl)->total = p + n; @@ -272,7 +273,7 @@ nextc++; /* now at the beginning of the entry list */ for (i = 0; i < (*acl)->positive; i++) { int k; - if (sscanf(nextc, "%s\t%d\n", lnames.namelist_val[i], &k) != 2) { + if (sscanf(nextc, "%63s\t%d\n", lnames.namelist_val[i], &k) != 2) { free(lnames.namelist_val); return (-1); } @@ -284,7 +285,7 @@ for (i = (*acl)->total - 1; i >= (*acl)->total - (*acl)->negative; i--, j++) { if (sscanf - (nextc, "%s\t%d\n", lnames.namelist_val[j], + (nextc, "%63s\t%d\n", lnames.namelist_val[j], &((*acl)->entries[j].rights)) != 2) { free(lnames.namelist_val); return (-1); only in patch2: unchanged: --- openafs-1.4.12+dfsg.orig/src/venus/fs.c +++ openafs-1.4.12+dfsg/src/venus/fs.c @@ -561,7 +561,7 @@ tp->nplus = tp->nminus = 0; tp->pluslist = tp->minuslist = 0; tp->dfs = 0; - sscanf(astr, "%d dfs:%d %s", &junk, &tp->dfs, tp->cell); + sscanf(astr, "%d dfs:%d %1024s", &junk, &tp->dfs, tp->cell); return tp; } @@ -576,7 +576,7 @@ ta = (struct Acl *)malloc(sizeof(struct Acl)); assert(ta); ta->dfs = 0; - sscanf(astr, "%d dfs:%d %s", &ta->nplus, &ta->dfs, ta->cell); + sscanf(astr, "%d dfs:%d %1024s", &ta->nplus, &ta->dfs, ta->cell); astr = SkipLine(astr); sscanf(astr, "%d", &ta->nminus); astr = SkipLine(astr); @@ -587,7 +587,7 @@ last = 0; first = 0; for (i = 0; i < nplus; i++) { - sscanf(astr, "%100s %d", tname, &trights); + sscanf(astr, "%99s %d", tname, &trights); astr = SkipLine(astr); tl = (struct AclEntry *)malloc(sizeof(struct AclEntry)); assert(tl); @@ -605,7 +605,7 @@ last = 0; first = 0; for (i = 0; i < nminus; i++) { - sscanf(astr, "%100s %d", tname, &trights); + sscanf(astr, "%99s %d", tname, &trights); astr = SkipLine(astr); tl = (struct AclEntry *)malloc(sizeof(struct AclEntry)); assert(tl);
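Review bot: In the `@@ -247` hunk `acl_NewACL(p + n, acl)` is called and `(*acl)->total` is written on the next line without looking at the call's result. If acl_NewACL can fail (its definition is not in this diff), `*acl` may not point at a usable ACL when it is dereferenced. I would use `if (acl_NewACL(p + n, acl) != 0) return (-1);`, adjusting the comparison to whatever the function actually returns. The range check itself reads correctly: with `p` and `n` both non-negative, `p > INT_MAX - n` guards the addition before `p + n` is evaluated.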
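Review bot: The failure branch in the `@@ -272` hunk frees `lnames.namelist_val` and returns -1, but nothing visible releases the ACL that `acl_NewACL` allocated earlier in the function. If the caller does not free `*acl` after an error, each rejected ACL string leaks one allocation, which matters on a server that parses client-supplied input. I would release the ACL through the library's own free routine and clear `*acl` before returning, or state in the function header that the caller owns `*acl` even on failure. The same branch appears in the `@@ -284` hunk.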
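Review bot: `tp->cell` is written only when the `%1024s` conversion matches, and the `sscanf` result in the `@@ -561` hunk of fs.c is discarded, so for input without a `dfs:` field the buffer is never initialised by any visible line (the allocation of `tp` is outside the hunk). Adding `tp->cell[0] = '\0';` beside `tp->dfs = 0;` would make the no-match case well defined. The `@@ -576` hunk has the same gap for `ta->cell`. The width of 1024 assumes `cell` is at least 1025 bytes; the struct declaration is outside this diff.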
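Review bot: In the `@@ -576` hunk `ta` comes straight from `malloc`, and `ta->nplus` and `ta->nminus` are assigned only by the two `sscanf` calls, whose results are ignored. If either conversion fails the counts are indeterminate, and the loops in the following hunks iterate `nplus` and `nminus` times (presumably locals copied from these fields outside the hunk). I would set `ta->nplus = ta->nminus = 0;` next to `ta->dfs = 0;` and reject the string when the first `sscanf` returns less than 1. `assert(ta)` is also the only allocation check here, and it disappears in builds that define NDEBUG.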
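Review bot: The change from `%100s` to `%99s` in the `@@ -587` and `@@ -605` hunks shows the width literal drifting away from the size of `tname`, whose declaration is outside the hunk. I would add a comment at each call, for example `/* width must equal sizeof(tname) - 1 */`, so the next edit to the buffer keeps the two in step.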