Bug 355533

Summary: <net-fs/openafs-1.4.14: multiple vulnerabilities (CVE-2011-{0430,0431})
Product: Gentoo Security
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: andrej.filipcic, net-fs, proxy-maint, stefaan
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/43407
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 09:30:22 UTC
Description
Some vulnerabilities have been reported in OpenAFS, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to cause a DoS and potentially compromise a vulnerable system.

1) An error within the "afs_linux_lock()" function in src/afs/LINUX/osi_vnodeops.c can be exploited to cause a kernel crash.

Note: This only affects Linux systems.

2) A double-free error within the RX server can be exploited to cause a crash and potentially execute arbitrary code by sending specially crafted ASN1 encoded values to the RX server.

Solution
Update to version 1.4.14.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
OpenAFS:
http://www.openafs.org/release/latest.html
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 09:32:04 UTC
It's not obvious whether 1.4.14 fixes all of those vulnerabilities. Secunia claims it does, but there are no recent security advisories on http://www.openafs.org/security .
Comment 2 Andrej Filipcic 2011-02-19 10:08:11 UTC
I will request masking and removal of older releases.
Comment 3 SpanKY gentoo-dev 2011-02-19 17:21:30 UTC
we can't remove 1.4.9 until 1.4.14 is stabilized
Comment 4 Andrej Filipcic 2011-03-02 17:53:33 UTC
I suggest stabilizing openafs 1.4.14. It is reported not to have the security vulnerability and it has been in unstable for more than a month with no problems reported.
Comment 5 SpanKY gentoo-dev 2011-09-18 21:37:11 UTC
openafs-1.4.14-r1 and openafs-kernel-1.4.14 are now stable
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 18:41:52 UTC
(In reply to comment #5)
> openafs-1.4.14-r1 and openafs-kernel-1.4.14 are now stable

Great, thanks. GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 15:17:56 UTC
CVE-2011-0430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0430):
  Double free vulnerability in the Rx server process in OpenAFS 1.4.14,
  1.4.12, 1.4.7, and possibly other versions allows remote attackers to cause
  a denial of service and execute arbitrary code via unknown vectors.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-04-07 21:53:01 UTC
This issue was resolved and addressed in
 GLSA 201404-05 at http://security.gentoo.org/glsa/glsa-201404-05.xml
by GLSA coordinator Mikle Kolyada (Zlogene).