Bug 265538 (CVE-2009-1250) - <net-fs/openafs-1.4.9: Arbitrary code execution, DoS (CVE-2009-{1250,1251})
Summary: <net-fs/openafs-1.4.9: Arbitrary code execution, DoS (CVE-2009-{1250,1251})
Status: RESOLVED FIXED
Alias: CVE-2009-1250
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.openafs.org/pages/security/
Whiteboard: B1 [glsa]
Keywords:
Duplicates: 211367 236438
Depends on:
Blocks:
 
Reported: 2009-04-09 11:52 UTC by Alex Legler (RETIRED)
Modified: 2014-04-07 21:52 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments: powerpc failure during configure (build.log, 6.50 KB, text/plain), added 2009-04-25 14:03 UTC by Brent Baude (RETIRED)

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-09 11:52:08 UTC
Name:      CVE-2009-1250
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1250

The cache manager in the client in OpenAFS 1.0 through 1.4.8 and 1.5.0
through 1.5.58 on Linux allows remote attackers to cause a denial of
service (system crash) via an RX response with a large error-code value
that is interpreted as a pointer and dereferenced, related to use of
the ERR_PTR macro.

Name:      CVE-2009-1251
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1251

Heap-based buffer overflow in the cache manager in the client in
OpenAFS 1.0 through 1.4.8 and 1.5.0 through 1.5.58 on Unix platforms
allows remote attackers to cause a denial of service (system crash) or
possibly execute arbitrary code via an RX response containing more data
than specified in a request, related to use of XDR arrays.

Fix:
The OpenAFS project recommends that administrators with Linux clients 
upgrade to OpenAFS version 1.4.9 or newer, or as appropriate for people 
testing features in the OpenAFS 1.5 series, OpenAFS version 1.5.59 or newer.
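The ERR_PTR mechanism behind CVE-2009-1250, as an added illustration that is not OpenAFS code and not from this bug: the Linux kernel encodes errors as pointers in the top MAX_ERRNO bytes of the address space, so IS_ERR() only recognises values in 1..4095. A lookup that hands an unchecked fileserver error code straight to ERR_PTR() produces, for any larger (or negative) code, a value that looks like a real address, and the caller dereferences it. The helpers, the `struct vnode`, the code values in `main` and the EIO fallback are assumptions made for the demonstration; it assumes a Linux-style ABI where `long` is pointer-sized.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the bug class in CVE-2009-1250, not OpenAFS code.
 * Userland re-creation of the kernel's ERR_PTR/IS_ERR/PTR_ERR helpers
 * (include/linux/err.h) so the arithmetic can be seen. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((unsigned long)(x) >= (unsigned long)-MAX_ERRNO)

static inline void *err_ptr(long error) { return (void *)error; }
static inline long ptr_err(const void *p) { return (long)p; }
static inline bool is_err(const void *p) { return IS_ERR_VALUE(p); }

/* The object a successful lookup hands back (made up for the example). */
struct vnode { int fid; };
static struct vnode found = { 42 };

/* Vulnerable shape: the error code the fileserver sent over RX goes to
 * ERR_PTR unchanged. Only 1..MAX_ERRNO encode as IS_ERR-recognisable values;
 * RX/com_err codes are arbitrary 32-bit values, so anything larger (or
 * negative) comes out looking like a valid address. */
void *lookup_vulnerable(int32_t rx_code)
{
    if (rx_code == 0)
        return &found;
    return err_ptr(-(long)rx_code);
}

/* Hardened: anything outside the errno range is folded to a fixed errno
 * before encoding, so the result always trips IS_ERR. A real client would
 * translate through its error tables; EIO is this example's stand-in. */
void *lookup_hardened(int32_t rx_code)
{
    if (rx_code == 0)
        return &found;
    if (rx_code < 1 || rx_code > MAX_ERRNO)
        rx_code = EIO;
    return err_ptr(-(long)rx_code);
}

/* How kernel callers consume such a return: dereference unless IS_ERR says
 * no. With lookup_vulnerable and an out-of-range code this is the crash, so
 * main() below never takes that path. */
long caller(void *(*lookup)(int32_t), int32_t rx_code)
{
    void *p = lookup(rx_code);
    if (is_err(p))
        return ptr_err(p);
    return ((struct vnode *)p)->fid;
}

int main(void)
{
    int32_t codes[] = { ENOENT, 4096, 0x7fffffff, -1 };   /* constructed inputs */
    size_t i;

    for (i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        void *v = lookup_vulnerable(codes[i]);
        void *h = lookup_hardened(codes[i]);
        printf("rx code %11d: vulnerable -> %p %s | hardened -> -errno %ld\n",
               codes[i], v,
               is_err(v) ? "(IS_ERR, safe)" : "(NOT an error: would be dereferenced)",
               ptr_err(h));
    }
    return 0;
}
```

The check a reviewer wants at every ERR_PTR() call site is the one in `lookup_hardened`: the value being negated must already be a bounded errno, never a code that arrived from the network.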
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-09 11:57:01 UTC
OPENAFS-SA-2009-001 states:
By forging responses from an existing fileserver, or by getting a user to 
visit a fileserver under their control, an attacker may overflow
the heap buffer of a client machine. This buffer resides in kernel memory. 
A remote user can use this overflow to crash the client under attack, and 
may be able to execute arbitrary code within a client's kernel.

Is B2 still appropriate for that?
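The heap overflow class described in OPENAFS-SA-2009-001 and CVE-2009-1251, as an added illustration that is not OpenAFS code and not from this bug: the client sizes a buffer from its own request, then decodes an XDR array from the reply, whose leading element count is attacker-controlled when the fileserver is forged or hostile. The decoder must bound that count by what was requested before copying. Element size, request size, the simulated slab and the filler bytes are assumptions; the overflow is made observable by placing a neighbouring region after the buffer inside one array, so the demonstration itself stays within bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class in CVE-2009-1251, not OpenAFS code.
 * Element size, request size and the simulated slab are assumptions. */
#define ELEM_SIZE 8   /* bytes per wire element */
#define REQUESTED 2   /* entries the client asked for and allocated */
#define HEAP_SIZE 64  /* simulated slab: reply buffer, then a neighbour chunk */

struct xdr_stream { const uint8_t *p; size_t left; };
typedef int (*decoder_fn)(struct xdr_stream *, uint8_t *, uint32_t, uint32_t *);

/* Read one big-endian XDR unsigned int; -1 if the stream is short. */
static int xdr_u32(struct xdr_stream *s, uint32_t *v)
{
    if (s->left < 4)
        return -1;
    *v = ((uint32_t)s->p[0] << 24) | ((uint32_t)s->p[1] << 16) |
         ((uint32_t)s->p[2] << 8) | s->p[3];
    s->p += 4;
    s->left -= 4;
    return 0;
}

/* Copy n elements out of the stream; shared tail of both decoders. */
static int copy_elems(struct xdr_stream *s, uint8_t *buf, uint32_t n, uint32_t *count)
{
    size_t bytes = (size_t)n * ELEM_SIZE;   /* may wrap on 32-bit size_t if n is unchecked */
    if (s->left < bytes)                    /* only proves the wire carries the bytes */
        return -1;
    memcpy(buf, s->p, bytes);
    s->p += bytes;
    s->left -= bytes;
    *count = n;
    return 0;
}

/* Vulnerable shape: the count in the reply is trusted. `buf` was sized from
 * `requested`, which is never consulted, so an oversized reply runs off its end. */
int decode_array_vulnerable(struct xdr_stream *s, uint8_t *buf, uint32_t requested, uint32_t *count)
{
    uint32_t n;
    (void)requested;
    return xdr_u32(s, &n) ? -1 : copy_elems(s, buf, n, count);
}

/* Hardened: the reply may not claim more elements than the request allowed for. */
int decode_array_hardened(struct xdr_stream *s, uint8_t *buf, uint32_t requested, uint32_t *count)
{
    uint32_t n;
    if (xdr_u32(s, &n) || n > requested)
        return -1;
    return copy_elems(s, buf, n, count);
}

/* Constructed reply: XDR count, then `count` filler elements. 0 if it won't fit. */
static size_t build_reply(uint8_t *out, size_t cap, uint32_t count, uint8_t fill)
{
    size_t need = 4 + (size_t)count * ELEM_SIZE;
    if (need > cap)
        return 0;
    out[0] = (uint8_t)(count >> 24); out[1] = (uint8_t)(count >> 16);
    out[2] = (uint8_t)(count >> 8);  out[3] = (uint8_t)count;
    memset(out + 4, fill, need - 4);
    return need;
}

/* Run `decode` on a reply claiming `count` elements against a zeroed slab whose
 * first REQUESTED*ELEM_SIZE bytes are the client's buffer. Returns -1 if the
 * reply was rejected, 0 if decoded cleanly, 1 if bytes beyond the buffer changed. */
int run_decoder(decoder_fn decode, uint32_t count)
{
    uint8_t heap[HEAP_SIZE] = {0}, reply[4 + HEAP_SIZE];
    struct xdr_stream s = { reply, build_reply(reply, sizeof reply, count, 0x41) };
    uint32_t n = 0;
    size_t i;
    if (decode(&s, heap, REQUESTED, &n) != 0)
        return -1;
    for (i = REQUESTED * ELEM_SIZE; i < HEAP_SIZE; i++)
        if (heap[i])
            return 1;
    return 0;
}

int main(void)
{
    static const char *verdict[] = { "rejected", "ok", "OVERFLOWED into neighbour" };
    uint32_t c;
    for (c = REQUESTED; c <= REQUESTED + 2; c += 2)
        printf("reply claims %u elements, buffer holds %d: vulnerable=%s hardened=%s\n",
               c, REQUESTED, verdict[run_decoder(decode_array_vulnerable, c) + 1],
               verdict[run_decoder(decode_array_hardened, c) + 1]);
    return 0;
}
```

In a kernel cache manager the neighbouring bytes are another slab object or allocator metadata, which is why the advisory rates this as a crash or possible code execution in the client's kernel rather than a user-space fault.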
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-04-10 17:30:48 UTC
I'd call it B1 since it compromises root.
Comment 3 Stefaan De Roeck (RETIRED) gentoo-dev 2009-04-15 06:46:35 UTC
Openafs-1.4.9 now in the tree.  It is an update of the latest testing (net-fs/openafs-1.4.8-r1 and net-fs/openafs-kernel-1.4.8-r1), as it seemed more sensible: openafs-kernel-1.4.8-r1 supports more recent kernels (though not yet 2.6.29), openafs-1.4.8-r1 is only a small fix, and both have been in testing for a long time, since 20090131.  
First tests show openafs-1.4.9 to work fine, as is to be expected: upstream says it is only a security update to 1.4.8.  I will postpone introducing 1.4.10 until this bug is fixed.  
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 08:53:44 UTC
Arches, please test and mark stable:
=net-fs/openafs-1.4.9
=net-fs/openafs-kernel-1.4.9

Target keywords : "amd64 ppc ppc64 x86"
Comment 5 Markus Meier gentoo-dev 2009-04-18 12:01:29 UTC
amd64/x86 stable
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-23 17:24:10 UTC
*ping* :)
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-04-25 14:02:16 UTC
make[2]: Entering directory `/var/tmp/portage/dev-util/cvs-1.12.12-r6/work/cvs-1.12.12/window
checking whether yytext is a pointer... yes
./configure: line 4569: /bin: is a directory
checking host system type... powerpc64-unknown-linux-gnu
checking for library containing strerror... none required
checking for pid_t... yes
checking for size_t... yes
checking return type of signal handlers... void
checking for __FUNCTION__ and __LINE__ macros... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for powerpc64-unknown-linux-gnu-ranlib... powerpc64-unknown-linux-gnu-ranlib
checking for bison... bison -y
checking whether byte order is known at compile time... yes
checking whether byte ordering is bigendian... yes
checking your OS... linux
checking your AFS sysname... ppc64_linux26
checking if powerpc64-unknown-linux-gnu-gcc accepts -march=pentium... yes
checking if powerpc64-unknown-linux-gnu-gcc needs -fno-strength-reduce... yes
checking if powerpc64-unknown-linux-gnu-gcc needs -fno-strict-aliasing... yes
checking if powerpc64-unknown-linux-gnu-gcc supports -fno-common... yes
checking if powerpc64-unknown-linux-gnu-gcc supports -pipe... yes
checking whether to build osi_vfs.h... yes
checking if linux kbuild requires EXTRA_CFLAGS... yes
checking for linux kernel module build works... no
configure: error: in `/var/tmp/portage/net-fs/openafs-kernel-1.4.9/work/openafs-1.4.9':
configure: error: Fix problem or use --disable-kernel-module...
See `config.log' for more details.

!!! Please attach the following file when seeking support:
!!! /var/tmp/portage/net-fs/openafs-kernel-1.4.9/work/openafs-1.4.9/config.log
 * 
 * ERROR: net-fs/openafs-kernel-1.4.9 failed.
 * Call stack:

quad ~ # emerge --info 
Portage 2.1.6.7 (default/linux/powerpc/ppc64/2008.0/64bit-userland/desktop, gcc-4.3.2, glibc-2.8_p20080602-r1, 2.6.27-gentoo-r8-g5-64 ppc64)
=================================================================
System uname: Linux-2.6.27-gentoo-r8-g5-64-ppc64-PPC970MP,_altivec_supported-with-glibc2.3
Timestamp of tree: Fri, 24 Apr 2009 13:15:01 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python:     2.4.4-r13, 2.5.4-r2
dev-python/pycrypto: 2.0.1-r6
dev-util/cmake:      2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="ppc64"
CBUILD="powerpc64-unknown-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="powerpc64-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs cvs digest distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://quad/ http://drake/gentoo/ http://butthead/ http://gentoo.mirrors.tds.net/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/cell /usr/portage/local/layman/powerpc /usr/local/portage"
SYNC="rsync://butthead/gentoo-portage"
USE="X acl alsa arts berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal ibm iconv ipv6 isdnlog jpeg kde ldap libnotify mad midi mikmod mp3 mpeg mudflap mysql ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppc64 ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl ssl startup-notification svg sysfs tcpd tiff truetype unicode usb vorbis xml xorg xulrunner xv zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev mach64 mga nv r128 radeon vesa vga"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA

Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-04-25 14:03:23 UTC
Created attachment 189380 [details]
powerpc failure during configure
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-04-25 14:04:02 UTC
I am seeing a failure on ppc32 and ppc64 during configure.  Information above.  
Comment 10 Stefaan De Roeck (RETIRED) gentoo-dev 2009-04-30 07:47:29 UTC
It is with pain in my heart, but only because no one has been able to fix this (also see bug #211378), that I suggest dropping the ppc32 and ppc64 keywords...
Comment 11 Mike Hammill 2009-06-04 12:49:09 UTC
(In reply to comment #10)
> It is with pain in my heart, but only because no one has been able to fix this
> (also see bug #211378), that I suggest dropping the ppc32 and ppc64 keywords...
> 

No, please don't!  I am able to run openafs-1.4.9 on ppc32 by doing the following:

# ebuild /usr/portage/net-fs/openafs/openafs-1.4.9.ebuild merge
(i.e., the non-kernel parts simply work)
# ebuild /usr/portage/net-fs/openafs-kernel/openafs-kernel-1.4.9.ebuild merge
when it dies on the above mentioned 
"checking for linux kernel module build works... no"
I do *the same* configure as the ebuild, i.e., :
# cd /var/tmp/portage/net-fs/openafs-kernel-1.4.9/work/openafs-1.4.9/
# ./configure --prefix=/usr --build=powerpc-unknown-linux-gnu --host=powerpc-unknown-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --with-linux-kernel-headers=/usr/src/linux --with-linux-kernel-build=/lib/modules/2.6.29-gentoo-r5/build

Surprisingly, this gives:
"checking for linux kernel module build works... yes"
and proceeds to completion.  I then do 'make' and get a usable kernel module.  I don't know enough about ebuilds to know why ebuild "preinst" and "install" didn't work after that (something about 'addread' and LC_ALL=C ...), but simply doing:

# mkdir /lib/modules/2.6.29-gentoo-r5/kernel/fs/openafs
# cp src/libafs/MODLOAD-2.6.29-gentoo-r5-SP/libafs.ko /lib/modules/2.6.29-gentoo-r5/kernel/fs/openafs/.
# depmod -a
# modprobe libafs
# /etc/init.d/openafs-client start
 
worked.  It seems *perhaps* it is just a single step that fails.  I am willing to keep looking into it.  Provide testing for ebuilds, etc.  Any pointers from those of you who actually know what you're doing would be appreciated :-)

/Mike
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-07-18 17:20:27 UTC
Stefaan, could you reproduce the fix mentioned by Mike above? If not, we'll need to mask this application on ppc and ppc64.
Comment 13 Joe Jezak (RETIRED) gentoo-dev 2009-07-23 18:17:46 UTC
Well, the fix for the configure issue is from the linux profile adding -Wl,-O1 by default, filtering that away on ppc/ppc64 is probably a good idea. I'm looking into the rest of the open issues, but hopefully we can get this fixed without dropping keywords.
Comment 14 Joe Jezak (RETIRED) gentoo-dev 2009-07-23 20:35:07 UTC
Actually, on closer inspection, it's that the kernel module test is passing LDFLAGS directly to LD, but elsewhere is passing them through GCC. Having no LDFLAGS set lets it run through configure and compile the module on ppc, but there are still issues with ppc64.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:50:42 UTC
GLSA request filed.
Comment 16 Joe Jezak (RETIRED) gentoo-dev 2010-02-10 15:55:09 UTC
Can you comment on the LDFLAGS issue? I'd like to clear these bugs out and get AFS back together on ppc.
Comment 17 Joe Jezak (RETIRED) gentoo-dev 2010-02-10 15:56:06 UTC
*** Bug 211367 has been marked as a duplicate of this bug. ***
Comment 18 Joe Jezak (RETIRED) gentoo-dev 2010-02-10 15:56:41 UTC
*** Bug 236438 has been marked as a duplicate of this bug. ***
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-10 02:28:27 UTC
*ping* to ppc and ppc64. This has high severity, so please stabilize.
Comment 20 Joe Jezak (RETIRED) gentoo-dev 2010-04-11 20:23:10 UTC
If someone familiar with AFS would like to comment on my findings above and help us fix the issues on ppc, we'd be happy to mark it stable.
Comment 21 Joe Jezak (RETIRED) gentoo-dev 2010-05-13 21:21:05 UTC
Ping from PPC again. I'm okay with dropping ppc64, but if we can work out the issues with LDFLAGS, we can keep OpenAFS on ppc.

Any suggestions? Thanks!
Comment 22 SpanKY gentoo-dev 2010-06-21 23:05:31 UTC
I've simply dropped stable ppc/ppc64 keywords for now since the package is compile broken in stable anyways.  If there are unresolved issues with ppc, fork into a new bug please.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2014-04-07 21:52:54 UTC
This issue was resolved and addressed in
 GLSA 201404-05 at http://security.gentoo.org/glsa/glsa-201404-05.xml
by GLSA coordinator Mikle Kolyada (Zlogene).