Bug 556354 (CVE-2015-3282) - <net-fs/openafs{,-kernel}-1.6.12-r1: Multiple vulnerabilities (CVE-2015-{3282,3283,3284,3285,3286})
Status: RESOLVED FIXED
Alias: CVE-2015-3282
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa/cve]
Reported: 2015-07-30 20:29 UTC by Adam Feldman
Modified: 2015-11-03 20:22 UTC
Description Adam Feldman gentoo-dev 2015-07-30 20:29:10 UTC
CVE-2015-3282 through CVE-2015-3285 are Linux-specific and all versions in the repo are affected. CVE-2015-3286 is Solaris kernel specific and only 1.6.12 is affected.

All of these are fixed in the release 1.6.13 which just came out. Haven't had the opportunity to test the patches from upstream to patch the versions in the Gentoo repo.
Comment 2 Adam Feldman gentoo-dev 2015-08-13 23:29:55 UTC
All affected ebuilds have been patched in their -r1s in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=526f3a75301840d7e04e436ca06aaa341b006d2c.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-08-14 14:20:55 UTC
CVE-2015-3286 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3286):
  Buffer overflow in the Solaris kernel extension in OpenAFS before 1.6.13
  allows local users to cause a denial of service (panic or deadlock) or
  possibly have other unspecified impact via a large group list when joining a
  PAG.

CVE-2015-3285 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3285):
  The pioctl for the OSD FS command in OpenAFS before 1.6.13 uses the wrong
  pointer when writing the results of the RPC, which allows local users to
  cause a denial of service (memory corruption and kernel panic) via a crafted
  OSD FS command.

CVE-2015-3284 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3284):
  pioctls in OpenAFS 1.6.x before 1.6.13 allow local users to read kernel
  memory via crafted commands.

CVE-2015-3283 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3283):
  OpenAFS before 1.6.13 allows remote attackers to spoof bos commands via
  unspecified vectors.

CVE-2015-3282 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3282):
  vos in OpenAFS before 1.6.13, when updating VLDB entries, allows remote
  attackers to obtain stack data by sniffing the network.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-08-14 14:28:53 UTC
What version would you like to stabilize?
Comment 5 Andrew Savchenko gentoo-dev 2015-08-14 15:39:42 UTC
(In reply to Yury German from comment #4)
> What version would you like to stabilize?

1.6.14 looks too new, so 1.6.12-r1 seems to be a reasonable choice.
Comment 6 Adam Feldman gentoo-dev 2015-08-14 20:33:25 UTC
1.6.12-r1 stable for amd64 and x86.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77a9222b64402b1476d0fb86de5979fbba60c78f

CC'ing sparc team for STABLEREQ.
Comment 7 Adam Feldman gentoo-dev 2015-08-14 22:21:46 UTC
Sorry about that, mixed up keywording and stabilization in my head. Reverted my stabilization of 1.6.12-r1 for amd64 and x86.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-08-15 16:56:22 UTC
Arches, please test and mark stable:

=net-fs/openafs-1.6.12-r1
=net-fs/openafs-kernel-1.6.12-r1

Target Keywords : "amd64 sparc x86"

Thank you!
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-16 14:22:10 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-09-06 08:33:13 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-10-16 08:10:00 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-31 14:51:30 UTC
GLSA Vote: No
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 23:12:56 UTC
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Andrew Savchenko gentoo-dev 2015-11-03 19:07:46 UTC
All vulnerable versions are removed from the tree.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 20:22:33 UTC
Thank you all. Closing as noglsa.