Bug 943361 (CVE-2024-10394, CVE-2024-10396, CVE-2024-10397) - <net-fs/openafs-1.8.13: multiple vulnerabilities
Summary: <net-fs/openafs-1.8.13: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2024-10394, CVE-2024-10396, CVE-2024-10397
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa? cleanup]
Keywords: PullRequest
Depends on: 945130
Blocks:
Reported: 2024-11-13 14:37 UTC by Cheyenne Wills
Modified: 2024-12-07 10:40 UTC

See Also:
Package list:
Runtime testing required: ---


Description Cheyenne Wills 2024-11-13 14:37:15 UTC
Upstream openafs has published a security release

From NEWS file:

OpenAFS 1.8.13

  All client platforms

    * Fix OPENAFS-SA-2024-001: theft of credentials in Unix client PAGs
      (CVE-2024-10394)
      Local users can bypass the PAG throttling mechanism in Unix clients and
      create a PAG using an existing id number and thereby gain access to any
      credentials in that PAG.

    * Fix OPENAFS-SA-2024-003: buffer overflows in XDR responses
      (CVE-2024-10397)
      A malicious server can return more data than the preallocated buffer
      holds and cause a buffer overflow, which can crash the OpenAFS cache
      manager and other client utilities, and possibly result in arbitrary
      code execution.

  All platforms

    * Fix OPENAFS-SA-2024-002: unsafe memory access in ACL processing
      (CVE-2024-10396)
      Authenticated users can provide malformed ACLs to the fileserver's
      StoreACL RPC, causing the fileserver to crash, possibly expose the
      contents of uninitialized memory, and possibly store garbage data
      in the audit log.
      Malicious servers or network MITM can provide malformed ACLs to
      clients, possibly causing the process to crash and possibly storing
      the contents of uninitialized memory in ACLs stored on the server.


Reproducible: Always




I have created an updated ebuild with the associated Gentoo-specific patches and will be creating a PR for it.
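The bug class named in OPENAFS-SA-2024-003 above (a reply carrying more data than the preallocated buffer holds), shown as an added example that is not OpenAFS code and not part of the original report. It assumes the standard XDR variable-length opaque encoding from RFC 4506; `xdr_decode_opaque` and `demo_reply` are hypothetical names, and the sample reply is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { XDR_OK = 0, XDR_TRUNCATED = -1, XDR_TOO_LONG = -2 };

/* Decode one XDR variable-length opaque (RFC 4506: big-endian length word,
 * data, zero padding to a 4-byte boundary) from an untrusted reply into a
 * caller-preallocated buffer of out_cap bytes. On error nothing is written. */
int xdr_decode_opaque(const unsigned char *in, size_t in_len,
                      unsigned char *out, size_t out_cap,
                      size_t *out_len, size_t *consumed)
{
    uint32_t n;
    size_t padded;

    if (in_len < 4)
        return XDR_TRUNCATED;
    n = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
        ((uint32_t)in[2] << 8) | (uint32_t)in[3];

    /* The sender picks n; the receiver's buffer size is the hard limit. */
    if (n > out_cap)
        return XDR_TOO_LONG;
    /* The claimed data, then its padding, must be present in the reply. */
    if (n > in_len - 4)
        return XDR_TRUNCATED;
    padded = ((size_t)n + 3u) & ~(size_t)3u;
    if (padded > in_len - 4)
        return XDR_TRUNCATED;

    memcpy(out, in + 4, n);
    *out_len = n;
    *consumed = 4 + padded;
    return XDR_OK;
}

/* Constructed sample: a 20-byte reply whose length word claims `claimed`
 * bytes, decoded into an 8-byte buffer. */
int demo_reply(unsigned char claimed)
{
    unsigned char reply[20] = { 0, 0, 0, claimed, 'A', 'B', 'C', 'D', 'E' };
    unsigned char name[8];
    size_t len = 0, used = 0;

    return xdr_decode_opaque(reply, sizeof reply, name, sizeof name, &len, &used);
}
```

A decoder that copies `n` bytes without the `n > out_cap` comparison is the overflow the advisory text describes.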
Comment 1 Cheyenne Wills 2024-11-13 19:47:36 UTC
I've submitted a PR for the 1.8.13 release.  

https://github.com/gentoo/gentoo/pull/39306

Notes:

The Gentoo packaging for openafs needs some TLC.  The above pull request was done with the minimum required changes to the prior packages in order to bring the package up to date with the latest upstream branch.

Prior versions of the ebuilds pulled a tar file with the Gentoo patches and associated files.  I've placed these directly into the files directory.


Patches: 

The xxxx-compiler-settings.patch was replaced with an upstream patch (it's been merged into upstream master, but hasn't made it into 1.8.x yet).

The xxxx-gssapi-configure.patch is no longer applicable.  The gssapi support wasn't meant for 1.8.x and the autoconf test for it was removed.

The xxxx-docbook2pdf.patch needed to be updated to increase the hash_extra value.

Files:

The README.gentoo is way outdated and needs work.

The systemd/openafs-client.service file has been updated to sync up with the upstream version of the service unit (there was some work done to address a problem if the openafs client wasn't stopped properly then later restarted).

The OpenRC init scripts probably need some work as well.

QA checks:  There are some QA complaints about implicit function declarations in the configure log.  The QA reports in this case are flagging Linux kernel functions that were being tested for.
Comment 2 Cheyenne Wills 2024-11-14 19:41:31 UTC
I've pushed an update to the PR that addresses some of the feedback.

However, I am getting a build problem that I'm investigating when updating to EAPI 8.  I'm getting unresolved symbols at various places within the build that I'm trying to track down and figure out the reason behind it (I believe the problem is within libtool somewhere, but I'm not quite sure exactly where yet.)
Comment 3 Cheyenne Wills 2024-11-15 14:33:18 UTC
The problem with updating to EAPI 8 has been resolved.  EAPI 8 was setting a configuration default of --disable-static which was causing the build problem.  Adding '--enable-static' to the econf parameters resolved the problem. 

I confirmed that '--disable-static' breaks the upstream builds outside of a Gentoo build and upstream will need to investigate this further.

Thanks to Sam for suggesting that might be the problem.
Comment 4 Larry the Git Cow gentoo-dev 2024-11-16 09:32:17 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f31b49a7cacc5f9e71b5721c46879eb7c6d46bf

commit 0f31b49a7cacc5f9e71b5721c46879eb7c6d46bf
Author:     Cheyenne Wills <cwills@witznd.net>
AuthorDate: 2024-11-14 19:31:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-11-16 09:31:49 +0000

    net-fs/openafs: add 1.8.13
    
    Closes: https://bugs.gentoo.org/943361
    Closes: https://bugs.gentoo.org/933779
    Closes: https://bugs.gentoo.org/910214
    Closes: https://bugs.gentoo.org/886183
    Closes: https://bugs.gentoo.org/908700
    Closes: https://bugs.gentoo.org/909327
    Closes: https://bugs.gentoo.org/828989
    Closes: https://bugs.gentoo.org/926801
    Signed-off-by: Cheyenne Wills <cwills@witznd.net>
    Closes: https://github.com/gentoo/gentoo/pull/39306
    Signed-off-by: Sam James <sam@gentoo.org>

 net-fs/openafs/Manifest                            |   2 +
 ...-autoconf-use-AC_CHECK_TOOL-for-as-and-ld.patch |  54 ++++
 net-fs/openafs/files/0002-pam-paths.patch          |  46 +++
 net-fs/openafs/files/0003-fbsd.patch               |  28 ++
 net-fs/openafs/files/0004-sparc.patch              |  59 ++++
 net-fs/openafs/files/0005-uname.patch              |  37 +++
 net-fs/openafs/files/0006-resolv.patch             |  32 ++
 net-fs/openafs/files/0007-afsauthent-symbols.patch |  27 ++
 net-fs/openafs/files/0008-flags.patch              |  33 ++
 net-fs/openafs/files/0009-docbook2pdf.patch        | 127 ++++++++
 net-fs/openafs/files/0010-libperl.patch            |  31 ++
 net-fs/openafs/files/0011-xbsa.patch               |  31 ++
 net-fs/openafs/files/0012-xml-dtd.patch            |  67 ++++
 net-fs/openafs/files/0013-kernel-cc-ld.patch       |  47 +++
 net-fs/openafs/files/README.Gentoo                 | 297 ++++++++++++++++++
 net-fs/openafs/files/ThisCell.default              |   1 +
 net-fs/openafs/files/cacheinfo.default             |   1 +
 net-fs/openafs/files/openrc/openafs-client.confd   |  55 ++++
 net-fs/openafs/files/openrc/openafs-client.initd   | 137 +++++++++
 net-fs/openafs/files/openrc/openafs-server.confd   |   7 +
 net-fs/openafs/files/openrc/openafs-server.initd   |  33 ++
 .../openafs/files/systemd/openafs-client.service   |  17 ++
 .../files/systemd/openafs-client.service.conf      |  62 ++++
 .../openafs/files/systemd/openafs-server.service   |  11 +
 .../files/systemd/openafs-server.service.conf      |   4 +
 .../files/systemd/tmpfiles.d/openafs-client.conf   |   1 +
 net-fs/openafs/openafs-1.8.13.ebuild               | 339 +++++++++++++++++++++
 27 files changed, 1586 insertions(+)
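
Review bot: the `Closes: https://bugs.gentoo.org/943361` trailer in the commit message auto-closes the security tracking bug, yet the page still lists it as IN_PROGRESS with whiteboard `B2 [glsa? cleanup]`; referencing it with a `Bug:` trailer instead would leave it open for the GLSA and cleanup steps. The diffstat is insertions only (27 files changed, 1586 insertions), so this commit adds 1.8.13 without removing the older ebuilds covered by the bug title `<net-fs/openafs-1.8.13`; that removal needs its own commit.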