Bug 509020 - net-fs/openafs: RXS_CheckResponse denial of service (CVE-2014-2852)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 544158
Reported: 2014-04-28 21:43 UTC by GLSAMaker/CVETool Bot
Modified: 2015-11-09 22:15 UTC
Attachments
openafs-cve-2014-2852.patch (openafs-1.6.5-cve-2014-2852.patch, 499 bytes, patch), 2015-01-24 01:38 UTC, Adam Feldman

Description GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 21:43:11 UTC
CVE-2014-2852 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2852):
  OpenAFS before 1.6.7 delays the listen thread when an RXS_CheckResponse
  fails, which allows remote attackers to cause a denial of service
  (performance degradation) via an invalid packet.
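The CVE text above describes a classic asymmetry: one malformed packet costs the sender nothing, but makes the receiver's single listen thread stall, so a trickle of junk starves legitimate traffic. The following is an added illustrative model of that failure mode, not OpenAFS code and not the upstream patch; every name here (model_*), the toy packet layout, the 100 ms stall and the 1 ms service cost are assumptions chosen for the demonstration. The "vulnerable" path stalls the thread on a failed check, the "fixed" path drops the packet and moves on, and a virtual clock counts how many valid packets each path services inside the same time budget.

```c
/*
 * Added illustrative model (not OpenAFS code) of the failure mode named in
 * CVE-2014-2852: a single listen thread that stalls whenever a packet fails
 * the response check. All names, the packet layout and the timing constants
 * are assumptions for the demonstration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CHECK_FAIL_DELAY_MS 100u  /* assumed stall per rejected packet (vulnerable path) */
#define PKT_SERVICE_MS        1u  /* assumed cost of servicing one valid packet */
#define MAX_PKTS            1024u

/* Toy packet: only the outcome of the response check matters for the model. */
typedef struct {
    bool passes_check;
} model_pkt;

/* Stand-in for a security-object response check such as RXS_CheckResponse. */
static bool model_check_response(const model_pkt *p)
{
    return p->passes_check;
}

/*
 * One listen thread draining a packet queue against a virtual clock.
 * delay_on_failure = true models the pre-fix behaviour: a rejected packet
 * stalls the thread for CHECK_FAIL_DELAY_MS; false drops it at no cost.
 * Returns how many valid packets were serviced within budget_ms.
 */
unsigned model_listen_thread(const model_pkt *pkts, size_t n,
                             unsigned budget_ms, bool delay_on_failure)
{
    unsigned clock_ms = 0, serviced = 0;

    for (size_t i = 0; i < n && clock_ms < budget_ms; i++) {
        if (!model_check_response(&pkts[i])) {
            if (delay_on_failure)
                clock_ms += CHECK_FAIL_DELAY_MS;   /* attacker-controlled stall */
            continue;                              /* packet dropped either way */
        }
        clock_ms += PKT_SERVICE_MS;
        serviced++;
    }
    return serviced;
}

/*
 * Constructed traffic sample: `rounds` bursts of `good_per_round` legitimate
 * packets, each burst followed by one invalid packet from the attacker.
 * Returns the number of packets written.
 */
size_t model_build_traffic(model_pkt *out, size_t cap,
                           size_t rounds, size_t good_per_round)
{
    size_t n = 0;
    for (size_t r = 0; r < rounds; r++) {
        for (size_t g = 0; g < good_per_round && n < cap; g++)
            out[n++].passes_check = true;
        if (n < cap)
            out[n++].passes_check = false;
    }
    return n;
}

/* Valid packets serviced in budget_ms for 20 rounds of 25 good + 1 bad (500 good total). */
unsigned model_serviced(unsigned budget_ms, bool delay_on_failure)
{
    model_pkt pkts[MAX_PKTS];
    size_t n = model_build_traffic(pkts, MAX_PKTS, 20, 25);
    return model_listen_thread(pkts, n, budget_ms, delay_on_failure);
}

int main(void)
{
    printf("vulnerable (stall on check failure): %u of 500 valid packets in 1000 ms\n",
           model_serviced(1000, true));
    printf("fixed (drop without delay):          %u of 500 valid packets in 1000 ms\n",
           model_serviced(1000, false));
    return 0;
}
```

With the constants as assumed, 20 invalid packets (4% of the traffic) are enough to make the stalling listener service only 200 of 500 valid packets in the budget, while the non-stalling listener services all 500 with time to spare. The general lesson is that any sleep, retry back-off or abort delay that an unauthenticated peer can trigger must not run on the thread that receives packets for everyone else.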
Comment 1 Adam Feldman gentoo-dev 2015-01-24 01:38:46 UTC
Created attachment 394742
openafs-cve-2014-2852.patch

Upstream has a patch for this: http://openafs.org/pages/security/openafs-sa-2014-001.patch.  I've tested: 1.6.5 compiles with it successfully.
Comment 2 Adam Feldman gentoo-dev 2015-01-24 01:55:04 UTC
whoops, sorry about that, I posted in wrong bug report.  I meant to post in 507420.
Comment 3 Adam Feldman gentoo-dev 2015-01-24 02:37:46 UTC
Correct upstream patch: http://git.openafs.org/?p=openafs.git;a=commit;h=19c4d6023c8f616de0d194e560e64576e5986f70; however, it does not apply correctly and will require some work to get it working on 1.6.5.
Comment 4 Andrew Savchenko gentoo-dev 2015-03-22 21:51:02 UTC
Fixed version 1.6.11 is in tree. Old unstable versions are removed.
Comment 5 Andrew Savchenko gentoo-dev 2015-03-22 22:01:09 UTC
Arch teams, please stabilize =net-fs/openafs-1.6.11.
Comment 6 Agostino Sarubbo gentoo-dev 2015-03-24 08:59:36 UTC
stabilization done in bug 536272
Comment 7 Andrew Savchenko gentoo-dev 2015-03-25 02:41:16 UTC
All vulnerable versions are removed from tree.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:08:19 UTC
Vote: NO.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-09 22:15:58 UTC
GLSA Vote: No