The cache manager in the client in OpenAFS 1.0 through 1.4.8 and 1.5.0
through 1.5.58 on Linux allows remote attackers to cause a denial of
service (system crash) via an RX response with a large error-code value
that is interpreted as a pointer and dereferenced, related to use of
the ERR_PTR macro.
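As an added illustration of the ERR_PTR pattern described above (this is not OpenAFS code and not the upstream fix): the ERR_PTR/PTR_ERR/IS_ERR definitions below mirror the Linux kernel's <linux/err.h>, where only the top MAX_ERRNO (4095) addresses are recognised as encoded errors. The lookup routine, the object it returns and the choice to map out-of-range codes to EIO are constructed assumptions for the example. It shows why a remotely supplied error code outside 1..MAX_ERRNO slips past IS_ERR() and reaches the caller's success path as a bogus pointer, and the range check that prevents it.

```c
/* Added illustration (not OpenAFS code): a remote error code passed through
 * ERR_PTR() without a range check becomes a pointer IS_ERR() does not flag.
 * ERR_PTR/PTR_ERR/IS_ERR/MAX_ERRNO mirror <linux/err.h>; the rest is a
 * constructed stand-in for a cache-manager lookup. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095  /* same bound the Linux kernel uses */

static inline void *ERR_PTR(long error)
{
    return (void *)error;   /* negative errno packed into the pointer value */
}

static inline long PTR_ERR(const void *ptr)
{
    return (long)ptr;
}

/* True only for the top MAX_ERRNO addresses: (unsigned long)-4095 .. -1 */
static inline int IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Constructed stand-in for the kernel object a successful lookup returns. */
static int object_storage = 42;

/* Vulnerable pattern: the error code from the RX response is trusted as-is.
 * A large value such as 100000 yields ERR_PTR(-100000), which lies below the
 * error range, so IS_ERR() returns false and the caller dereferences it. */
static void *lookup_unchecked(int32_t rx_error)
{
    if (rx_error != 0)
        return ERR_PTR(-(long)rx_error);
    return &object_storage;
}

/* Hardened pattern (assumed mitigation, not the upstream patch): any code
 * outside 1..MAX_ERRNO is mapped to EIO, so the result is always either a
 * valid object pointer or a value IS_ERR() recognises. */
static void *lookup_checked(int32_t rx_error)
{
    if (rx_error != 0) {
        long code = rx_error;
        if (code < 1 || code > MAX_ERRNO)
            code = EIO;
        return ERR_PTR(-code);
    }
    return &object_storage;
}

/* The caller in the usual kernel idiom: dereference unless IS_ERR().
 * Returns 1 if that caller would have dereferenced a pointer that was really
 * an encoded error code, 0 otherwise.  No real dereference happens here. */
static int caller_would_deref_bad_pointer(void *(*lookup)(int32_t), int32_t rx_error)
{
    void *p = lookup(rx_error);
    if (IS_ERR(p))
        return 0;                 /* error path taken, nothing dereferenced */
    return p != &object_storage;  /* "success" path with a non-object pointer */
}

int main(void)
{
    const int32_t samples[] = { 0, 2, 100000, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("rx_error=%7d  unchecked deref=%d  checked deref=%d\n",
               samples[i],
               caller_would_deref_bad_pointer(lookup_unchecked, samples[i]),
               caller_would_deref_bad_pointer(lookup_checked, samples[i]));
    return 0;
}
```

The defensive point is that IS_ERR() is a contract on the value range, not a type check: anything that feeds untrusted integers into ERR_PTR() must enforce that range itself, or a "pointer" built from a 32-bit error code lands in the success branch.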
Heap-based buffer overflow in the cache manager in the client in
OpenAFS 1.0 through 1.4.8 and 1.5.0 through 1.5.58 on Unix platforms
allows remote attackers to cause a denial of service (system crash) or
possibly execute arbitrary code via an RX response containing more data
than specified in a request, related to use of XDR arrays.
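As an added example of the XDR array issue described above (constructed for this page, not OpenAFS code): a response carries a counted array, and the defect class is using the peer-supplied count as the copy bound for a buffer the client sized from its own request. The wire layout (big-endian 4-byte count followed by big-endian 4-byte elements, per RFC 4506) is real; the decoder functions, the 2-element request size and the sample messages are assumptions made for the example. The bounded decoder checks the count against the caller's capacity and against the bytes actually present before writing anything.

```c
/* Added illustration (not OpenAFS code): decoding an XDR counted array of
 * 32-bit integers from a response into a buffer the client sized from its
 * own request.  Wire format per RFC 4506; buffers and messages constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read one big-endian 32-bit word; returns 0 on short input. */
static int xdr_getu32(const uint8_t **cur, const uint8_t *end, uint32_t *out)
{
    if (end - *cur < 4) return 0;
    *out = ((uint32_t)(*cur)[0] << 24) | ((uint32_t)(*cur)[1] << 16)
         | ((uint32_t)(*cur)[2] << 8)  |  (uint32_t)(*cur)[3];
    *cur += 4;
    return 1;
}

/* Vulnerable pattern: the element count comes from the peer and is used as
 * the copy bound, so a count larger than the buffer overruns it.  To keep the
 * demo memory-safe this only reports how many elements it *would* write. */
static long decode_array_trusting_count(const uint8_t *msg, size_t len)
{
    const uint8_t *cur = msg, *end = msg + len;
    uint32_t count;
    if (!xdr_getu32(&cur, end, &count)) return -1;
    return (long)count;   /* would be the loop bound, never compared to capacity */
}

/* Hardened pattern: the caller passes the capacity it allocated (the size it
 * asked for in its request).  The count is checked against that capacity and
 * against the bytes present before any element is stored.  Returns the number
 * of elements stored, or -1 for an oversized or truncated response. */
static long decode_array_bounded(const uint8_t *msg, size_t len,
                                 uint32_t *out, size_t capacity)
{
    const uint8_t *cur = msg, *end = msg + len;
    uint32_t count;
    if (!xdr_getu32(&cur, end, &count)) return -1;
    if (count > capacity) return -1;                          /* more than requested */
    if ((size_t)(end - cur) < (size_t)count * 4) return -1;   /* body truncated */
    for (uint32_t i = 0; i < count; i++)
        if (!xdr_getu32(&cur, end, &out[i])) return -1;
    return (long)count;
}

/* Constructed responses to a request that asked for at most 2 elements. */
static const uint8_t good_resp[]      = { 0,0,0,2,  0,0,0,7,  0,0,0,9 };
static const uint8_t oversized_resp[] = { 0,0,0,4,  0,0,0,1,  0,0,0,2,  0,0,0,3,  0,0,0,4 };
static const uint8_t truncated_resp[] = { 0,0,0,2,  0,0,0,7 };

/* Scratch buffer sized for the 2-element request. */
static uint32_t scratch[2];

/* Returns 1 if the trusting decoder would have overrun the 2-element buffer on
 * the oversized response while the bounded decoder rejected it. */
static int demo(void)
{
    long n = decode_array_trusting_count(oversized_resp, sizeof oversized_resp);
    long m = decode_array_bounded(oversized_resp, sizeof oversized_resp, scratch, 2);
    return n > 2 && m == -1;
}

int main(void)
{
    printf("good:      bounded=%ld\n",
           decode_array_bounded(good_resp, sizeof good_resp, scratch, 2));
    printf("oversized: trusting=%ld bounded=%ld\n",
           decode_array_trusting_count(oversized_resp, sizeof oversized_resp),
           decode_array_bounded(oversized_resp, sizeof oversized_resp, scratch, 2));
    printf("truncated: bounded=%ld\n",
           decode_array_bounded(truncated_resp, sizeof truncated_resp, scratch, 2));
    return 0;
}
```

The capacity check must come from the receiver's own allocation, never from anything in the response; the second check (bytes present versus count) is what turns a truncated reply into a clean error instead of an over-read.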
The OpenAFS project recommends that administrators with Linux clients
upgrade to OpenAFS version 1.4.9 or newer, or as appropriate for people
testing features in the OpenAFS 1.5 series, OpenAFS version 1.5.59 or newer.
By forging responses from an existing fileserver, or by getting a user to
visit a fileserver under their control, an attacker may overflow
the heap buffer of a client machine. This buffer resides in kernel memory.
A remote user can use this overflow to crash the client under attack, and
may be able to execute arbitrary code within a client's kernel.
Is B2 still appropriate for that?
I'd call it B1 since it compromises root.
Openafs-1.4.9 now in the tree. It is an update of the latest testing (net-fs/openafs-1.4.8-r1 and net-fs/openafs-kernel-1.4.8-r1), as it seemed more sensible: openafs-kernel-1.4.8-r1 supports more recent kernels (though not yet 2.6.29), openafs-1.4.8-r1 is only a small fix, and both have been in testing for a long time, since 20090131.
First tests show openafs-1.4.9 to work fine, as is to be expected: upstream says it is only a security update to 1.4.8. I will postpone introducing 1.4.10 until this bug is fixed.
Arches, please test and mark stable:
Target keywords : "amd64 ppc ppc64 x86"
make: Entering directory `/var/tmp/portage/dev-util/cvs-1.12.12-r6/work/cvs-1.12.12/window
checking whether yytext is a pointer... yes
./configure: line 4569: /bin: is a directory
checking host system type... powerpc64-unknown-linux-gnu
checking for library containing strerror... none required
checking for pid_t... yes
checking for size_t... yes
checking return type of signal handlers... void
checking for __FUNCTION__ and __LINE__ macros... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for powerpc64-unknown-linux-gnu-ranlib... powerpc64-unknown-linux-gnu-ranlib
checking for bison... bison -y
checking whether byte order is known at compile time... yes
checking whether byte ordering is bigendian... yes
checking your OS... linux
checking your AFS sysname... ppc64_linux26
checking if powerpc64-unknown-linux-gnu-gcc accepts -march=pentium... yes
checking if powerpc64-unknown-linux-gnu-gcc needs -fno-strength-reduce... yes
checking if powerpc64-unknown-linux-gnu-gcc needs -fno-strict-aliasing... yes
checking if powerpc64-unknown-linux-gnu-gcc supports -fno-common... yes
checking if powerpc64-unknown-linux-gnu-gcc supports -pipe... yes
checking whether to build osi_vfs.h... yes
checking if linux kbuild requires EXTRA_CFLAGS... yes
checking for linux kernel module build works... no
configure: error: in `/var/tmp/portage/net-fs/openafs-kernel-1.4.9/work/openafs-1.4.9':
configure: error: Fix problem or use --disable-kernel-module...
See `config.log' for more details.
!!! Please attach the following file when seeking support:
* ERROR: net-fs/openafs-kernel-1.4.9 failed.
* Call stack:
quad ~ # emerge --info
Portage 188.8.131.52 (default/linux/powerpc/ppc64/2008.0/64bit-userland/desktop, gcc-4.3.2, glibc-2.8_p20080602-r1, 2.6.27-gentoo-r8-g5-64 ppc64)
System uname: Linux-2.6.27-gentoo-r8-g5-64-ppc64-PPC970MP,_altivec_supported-with-glibc2.3
Timestamp of tree: Fri, 24 Apr 2009 13:15:01 +0000
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python: 2.4.4-r13, 2.5.4-r2
sys-devel/autoconf: 2.13, 2.63
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
FEATURES="autoaddcvs cvs digest distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://quad/ http://drake/gentoo/ http://butthead/ http://gentoo.mirrors.tds.net/gentoo"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/usr/portage/local/layman/cell /usr/portage/local/layman/powerpc /usr/local/portage"
USE="X acl alsa arts berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal ibm iconv ipv6 isdnlog jpeg kde ldap libnotify mad midi mikmod mp3 mpeg mudflap mysql ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppc64 ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl ssl startup-notification svg sysfs tcpd tiff truetype unicode usb vorbis xml xorg xulrunner xv zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev mach64 mga nv r128 radeon vesa vga"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA
Created attachment 189380
powerpc failure during configure
I am seeing a failure on ppc32 and ppc64 during configure. Information above.
It is with pain in my heart, but only because no one has been able to fix this (also see bug #211378), that I suggest to drop ppc32 and ppc64 keywords...
(In reply to comment #10)
> It is with pain in my heart, but only because no one has been able to fix this
> (also see bug #211378), that I suggest to drop ppc32 and ppc64 keywords...
No, please don't! I am able to run openafs-1.4.9 on ppc32 by doing the following:
# ebuild /usr/portage/net-fs/openafs/openafs-1.4.9.ebuild merge
(i.e., the non-kernel parts simply work)
# ebuild /usr/portage/net-fs/openafs-kernel/openafs-kernel-1.4.9.ebuild merge
when it dies on the above mentioned
"checking for linux kernel module build works... no"
I do *the same* configure as the ebuild, i.e., :
# cd /var/tmp/portage/net-fs/openafs-kernel-1.4.9/work/openafs-1.4.9/
# ./configure --prefix=/usr --build=powerpc-unknown-linux-gnu --host=powerpc-unknown-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --with-linux-kernel-headers=/usr/src/linux --with-linux-kernel-build=/lib/modules/2.6.29-gentoo-r5/build
Surprisingly, this gives:
"checking for linux kernel module build works... yes"
and proceeds to completion. I then do 'make' and get a usable kernel module. I don't know enough about ebuilds to know why ebuild "preinst" and "install" didn't work after that (something about 'addread' and LC_ALL=C ...), but simply doing:
# mkdir /lib/modules/2.6.29-gentoo-r5/kernel/fs/openafs
# cp src/libafs/MODLOAD-2.6.29-gentoo-r5-SP/libafs.ko /lib/modules/2.6.29-gentoo-r5/kernel/fs/openafs/.
# depmod -a
# modprobe libafs
# /etc/init.d/openafs-client start
worked. It seems *perhaps* it is just a single step that fails. I am willing to keep looking into it. Provide testing for ebuilds, etc. Any pointers from those of you who actually know what you're doing would be appreciated :-)
Stefaan, could you reproduce the fix mentioned by Mike above? If not, we'll need to mask this application on ppc and ppc64.
Well, the fix for the configure issue is from the linux profile adding -Wl,-O1 by default, filtering that away on ppc/ppc64 is probably a good idea. I'm looking into the rest of the open issues, but hopefully we can get this fixed without dropping keywords.
Actually, on closer inspection, it's that the kernel module test passes LDFLAGS directly to LD, but elsewhere they are passed through GCC. Having no LDFLAGS set lets it run through configure and compile the module on ppc, but there are still issues with ppc64.
GLSA request filed.
Can you comment on the LDFLAGS issue? I'd like to clear these bugs out and get AFS back together on ppc.
*** Bug 211367 has been marked as a duplicate of this bug. ***
*** Bug 236438 has been marked as a duplicate of this bug. ***
*ping* to ppc and ppc64. This has high severity, so please stabilize.
If someone familiar with AFS would like to comment on my findings above and help us fix the issues on ppc, we'd be happy to mark it stable.
Ping from PPC again. I'm okay with dropping ppc64, but if we can work out the issues with LDFLAGS, we can keep OpenAFS on ppc.
Any suggestions? Thanks!
I've simply dropped stable ppc/ppc64 keywords for now since the package is compile-broken in stable anyway. If there are unresolved issues with ppc, fork into a new bug please.
This issue was resolved and addressed in
GLSA 201404-05 at http://security.gentoo.org/glsa/glsa-201404-05.xml
by GLSA coordinator Mikle Kolyada (Zlogene).