Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 564388 (CVE-2015-7762, CVE-2015-7763, CVE-2015-8312, CVE-2016-2860) - <net-fs/openafs{-kernel}-1.6.17: Multiple vulerabilities (CVE-2015-{7762,7763,8312},CVE-2016-{2860,4536})
Summary: <net-fs/openafs{-kernel}-1.6.17: Multiple vulerabilities (CVE-2015-{7762,7763...
Alias: CVE-2015-7762, CVE-2015-7763, CVE-2015-8312, CVE-2016-2860
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2015-10-29 09:00 UTC by Volkmar Glauche
Modified: 2016-06-30 11:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Volkmar Glauche 2015-10-29 09:00:14 UTC
New upstream packages available that fix CVE-2015-7762 and CVE-2015-7763.

Reproducible: Always
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-02-14 12:25:51 UTC
rx/rx.c in OpenAFS before 1.6.15 and 1.7.x before 1.7.33 does not properly initialize the padding of a data structure when constructing an Rx acknowledgement (ACK) packet, which allows remote attackers to obtain sensitive information by (1) conducting a replay attack or (2) sniffing the network.


Upstream Advisory:

Upstream Fix:
Comment 2 Andrew Savchenko gentoo-dev 2016-02-23 09:59:55 UTC
openafs{,-kernel}-1.6.16 are in the tree now.

Upstream also mentions that one more CVE is fixed in 1.6.16:

    * Avoid a potential denial of service issue, by fixing a bug in pioctl
      logic that allowed a local user to overrun a kernel buffer with a
      NUL byte (commit 2ef86372) (RT #132256) (CVE-2015-8312)

Though I can't find this CVE in public area. Either it is not published yet or there is some typo in the number.
Comment 3 Adam Feldman gentoo-dev 2016-03-22 22:34:34 UTC
OpenAFS 1.6.17 (Security Release)

  All server platforms

    * Fix for OPENAFS-SA-2016-001: foreign users can create groups as
      if they were an administrator (RT #132822) (CVE-2016-2860)

  All client platforms

    * Fix for OPENAFS-SA-2016-002: information leakage from sending
      uninitialized memory over the network.  Multiple call sites
      were vulnerable, with potential for leaking both kernel and
      userland stack data (RT #132847)

Bumped to 1.6.17 in Gentoo repo in 8e33d4b5d5506a291ddcd93e2d060c1b0b450d00 and f7b023652efe0fd358a9d2f75b785ba6a985632e.
Comment 4 Adrian 2016-03-23 09:27:03 UTC
[ebuild     U ~] net-fs/openafs-kernel-1.6.17::gentoo [1.6.16::gentoo] 11 KiB
[ebuild     U ~] net-fs/openafs-1.6.17::gentoo [1.6.16::gentoo] USE="kerberos modules pam -doc" 0 KiB

Total: 2 packages (2 upgrades), Size of downloads: 11 KiB

Would you like to merge these packages? [Yes/No]
>>> Verifying ebuild manifests
>>> Running pre-merge checks for net-fs/openafs-kernel-1.6.17
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *     /usr/src/linux
 * Found kernel object directory:
 *     /lib/modules/4.1.15-gentoo-r1/build
 * Found sources for kernel version:
 *     4.1.15-gentoo-r1
>>> Emerging (1 of 2) net-fs/openafs-kernel-1.6.17::gentoo
>>> Failed to emerge net-fs/openafs-kernel-1.6.17, Log file:
>>>  '/tmp/portage/net-fs/openafs-kernel-1.6.17/temp/build.log'
>>> Jobs: 0 of 2 complete, 1 failed                 Load avg: 0.00, 0.01, 0.05
 * openafs-1.6.17-src.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ...       [ ok ]
>>> Downloading ''
--2016-03-23 10:26:11--
Resolving 2001:620:0:8::20,
Connecting to|2001:620:0:8::20|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2016-03-23 10:26:11 ERROR 404: Not Found.

>>> Downloading ''
pathconf: Permission denied
--2016-03-23 10:26:11--
           => ‘/usr/portage/distfiles/openafs-patches-20160321.tar.xz’
Resolving 2001:620:0:8::20,
Connecting to|2001:620:0:8::20|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /mirror/gentoo/distfiles ... done.
==> SIZE openafs-patches-20160321.tar.xz ... done.

==> EPSV ... done.    ==> RETR openafs-patches-20160321.tar.xz ...
No such file ‘openafs-patches-20160321.tar.xz’.

>>> Downloading ''
--2016-03-23 10:26:11--
Resolving 2001:470:ea4a:1:5054:ff:fec7:86e4,
Connecting to|2001:470:ea4a:1:5054:ff:fec7:86e4|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10940 (11K) [application/x-xz]
Saving to: ‘/usr/portage/distfiles/openafs-patches-20160321.tar.xz’

     0K ..........                                            100% 16.6M=0.001s

2016-03-23 10:26:12 (16.6 MB/s) - ‘/usr/portage/distfiles/openafs-patches-20160321.tar.xz’ saved [10940/10940]

!!! Fetched file: openafs-patches-20160321.tar.xz VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got:      10940
!!! Expected: 10932
Refetching... File renamed to '/usr/portage/distfiles/openafs-patches-20160321.tar.xz._checksum_failure_.BsnI0n'

!!! Couldn't download 'openafs-patches-20160321.tar.xz'. Aborting.
 * Fetch failed for 'net-fs/openafs-kernel-1.6.17', Log file:
 *  '/tmp/portage/net-fs/openafs-kernel-1.6.17/temp/build.log'

 * Messages for package net-fs/openafs-kernel-1.6.17:

 * Fetch failed for 'net-fs/openafs-kernel-1.6.17', Log file:
 *  '/tmp/portage/net-fs/openafs-kernel-1.6.17/temp/build.log'
Comment 5 Adam Feldman gentoo-dev 2016-03-23 10:41:08 UTC
Sorry about that, had conflicting local files.  Just updated the manifest.
Comment 6 Adam Feldman gentoo-dev 2016-03-25 05:01:57 UTC
Requesting stablization for =net-fs/openafs{,-kernel}-1.6.17 for amd64, sparc, and x86 so we can close drop all old affected versions.
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-26 15:51:46 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-26 15:52:19 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-03-26 15:52:51 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Andrew Savchenko gentoo-dev 2016-03-26 19:17:04 UTC
Cleanup done.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 11:05:48 UTC
GLSA Vote: No
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 11:08:47 UTC
CVE-2016-2860 (
  The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows
  remote authenticated users from foreign Kerberos realms to bypass intended
  access restrictions and create arbitrary groups as administrators by
  leveraging mishandling of the creator ID.

CVE-2015-8312 (
  Off-by-one error in afs_pioctl.c in OpenAFS before 1.6.16 might allow local
  users to cause a denial of service (memory overwrite and system crash) via a
  pioctl with an input buffer size of 4096 bytes.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 11:09:21 UTC
CVE-2016-4536 (
  The client in OpenAFS before 1.6.17 does not properly initialize the (1)
  AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4)
  ListAddrByAttributes structures, which might allow remote attackers to
  obtain sensitive memory information by leveraging access to RPC call