Upstream openafs has published a security release From NEWS file: OpenAFS 1.8.13 All client platforms * Fix OPENAFS-SA-2024-001: theft of credentials in Unix client PAGs (CVE-2024-10394) Local users can bypass the PAG throttling mechanism in Unix clients and create a PAG using an existing id number and thereby gain access to any credentials in that PAG. * Fix OPENAFS-SA-2024-003: buffer overflows in XDR responses (CVE-2024-10397) A malicious server can return more data than the preallocated buffer holds and cause a buffer overflow, which can crash the OpenAFS cache manager and other client utilities, and possibly result in arbitrary code execution. All platforms * Fix OPENAFS-SA-2024-002: unsafe memory access in ACL processing (CVE-2024-10396) Authenticated users can provide malformed ACLs to the fileserver's StoreACL RPC, causing the fileserver to crash, possibly expose the contents of uninitialized memory, and possibly store garbage data in the audit log. Malicious servers or network MITM can provide malformed ACLs to clients, possibly causing the process to crash and possibly storing the contents of uninitialized memory in ACLs stored on the server. Reproducible: Always I have created an updated ebuild with the associated gentoo specific patches and will be creating a PR for it.
I've submitted a PR for the 1.8.13 release. https://github.com/gentoo/gentoo/pull/39306 Notes: The gentoo packaging for openafs needs some TLC. The above pull request was done with the minimum required changes to the prior packages in order to bring the package up to date with the latest upstream branch. Prior versions of the ebuilds pulled a tar file with the gentoo patches and associated files. I've placed these directly into the files directory. Patches: The xxxx-compiler-settings.patch was replaced with an upstream patch (it's been merged into upstream master, but hasn't made it into 1.8.x yet). The xxxx-gssapi-configure.patch is no longer applicable. The gssapi support wasn't meant for 1.8.x and the autoconf test for it was removed. The xxxx-docbook2pdf.patch needed to be updated to increase the hash_extra value. Files: The README.gentoo is way outdated and needs work. The systemd/openafs-client.service file has been updated to sync up with the upstream version of the service unit (there was some work done to address a problem if the openafs client wasn't stopped properly then later restarted). The openRC init scripts probably need some work as well. QA checks: There are some QA complaints about implicit function declarations in the configure log. The QA reports in this case are flagging Linux kernel functions that were being tested for.
I've pushed an update to the PR that addresses some of the feedback. However I am getting a build problem that I'm investigating when updating to EAPI 8. I'm getting unresolved symbols at various places within the build that I'm trying to track down and figure the reason behind it (I believe the problem is within libtool somewhere, but I'm not quite sure exactly where yet.)
The problem with updating to EAPI 8 has been resolved. EAPI 8 was setting a configuration default of --disable-static which was causing the build problem. Adding '--enable-static' to the econf parameters resolved the problem. I confirmed that '--disable-static' breaks the upstream builds outside of a Gentoo build and upstream will need to investigate this further. Thanks to Sam for suggesting that might be the problem.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f31b49a7cacc5f9e71b5721c46879eb7c6d46bf commit 0f31b49a7cacc5f9e71b5721c46879eb7c6d46bf Author: Cheyenne Wills <cwills@witznd.net> AuthorDate: 2024-11-14 19:31:06 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-11-16 09:31:49 +0000 net-fs/openafs: add 1.8.13 Closes: https://bugs.gentoo.org/943361 Closes: https://bugs.gentoo.org/933779 Closes: https://bugs.gentoo.org/910214 Closes: https://bugs.gentoo.org/886183 Closes: https://bugs.gentoo.org/908700 Closes: https://bugs.gentoo.org/909327 Closes: https://bugs.gentoo.org/828989 Closes: https://bugs.gentoo.org/926801 Signed-off-by: Cheyenne Wills <cwills@witznd.net> Closes: https://github.com/gentoo/gentoo/pull/39306 Signed-off-by: Sam James <sam@gentoo.org> net-fs/openafs/Manifest | 2 + ...-autoconf-use-AC_CHECK_TOOL-for-as-and-ld.patch | 54 ++++ net-fs/openafs/files/0002-pam-paths.patch | 46 +++ net-fs/openafs/files/0003-fbsd.patch | 28 ++ net-fs/openafs/files/0004-sparc.patch | 59 ++++ net-fs/openafs/files/0005-uname.patch | 37 +++ net-fs/openafs/files/0006-resolv.patch | 32 ++ net-fs/openafs/files/0007-afsauthent-symbols.patch | 27 ++ net-fs/openafs/files/0008-flags.patch | 33 ++ net-fs/openafs/files/0009-docbook2pdf.patch | 127 ++++++++ net-fs/openafs/files/0010-libperl.patch | 31 ++ net-fs/openafs/files/0011-xbsa.patch | 31 ++ net-fs/openafs/files/0012-xml-dtd.patch | 67 ++++ net-fs/openafs/files/0013-kernel-cc-ld.patch | 47 +++ net-fs/openafs/files/README.Gentoo | 297 ++++++++++++++++++ net-fs/openafs/files/ThisCell.default | 1 + net-fs/openafs/files/cacheinfo.default | 1 + net-fs/openafs/files/openrc/openafs-client.confd | 55 ++++ net-fs/openafs/files/openrc/openafs-client.initd | 137 +++++++++ net-fs/openafs/files/openrc/openafs-server.confd | 7 + net-fs/openafs/files/openrc/openafs-server.initd | 33 ++ .../openafs/files/systemd/openafs-client.service | 17 ++ .../files/systemd/openafs-client.service.conf | 62 ++++ .../openafs/files/systemd/openafs-server.service | 11 + .../files/systemd/openafs-server.service.conf | 4 + .../files/systemd/tmpfiles.d/openafs-client.conf | 1 + net-fs/openafs/openafs-1.8.13.ebuild | 339 +++++++++++++++++++++ 27 files changed, 1586 insertions(+)