Bug 564388 (CVE-2015-7762, CVE-2015-7763, CVE-2015-8312, CVE-2016-2860) - <net-fs/openafs{-kernel}-1.6.17: Multiple vulnerabilities (CVE-2015-{7762,7763,8312},CVE-2016-{2860,4536})
Summary: <net-fs/openafs{-kernel}-1.6.17: Multiple vulnerabilities (CVE-2015-{7762,7763...
Status: RESOLVED FIXED
Alias: CVE-2015-7762, CVE-2015-7763, CVE-2015-8312, CVE-2016-2860
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://openafs.org/pages/security/#OP...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-29 09:00 UTC by Volkmar Glauche
Modified: 2016-06-30 11:09 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Volkmar Glauche 2015-10-29 09:00:14 UTC
New upstream packages available that fix CVE-2015-7762 and CVE-2015-7763.

Reproducible: Always
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-02-14 12:25:51 UTC
rx/rx.c in OpenAFS before 1.6.15 and 1.7.x before 1.7.33 does not properly initialize the padding of a data structure when constructing an Rx acknowledgement (ACK) packet, which allows remote attackers to obtain sensitive information by (1) conducting a replay attack or (2) sniffing the network.

CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7763

Upstream Advisory:
https://www.openafs.org/pages/security/OPENAFS-SA-2015-007.txt

Upstream Fix:
https://www.openafs.org/dl/openafs/1.6.15/RELNOTES-1.6.15
Comment 2 Andrew Savchenko gentoo-dev 2016-02-23 09:59:55 UTC
openafs{,-kernel}-1.6.16 are in the tree now.

Upstream also mentions that one more CVE is fixed in 1.6.16:

    * Avoid a potential denial of service issue, by fixing a bug in pioctl
      logic that allowed a local user to overrun a kernel buffer with a
      NUL byte (commit 2ef86372) (RT #132256) (CVE-2015-8312)

Though I can't find this CVE in any public area. Either it is not published yet or there is some typo in the number.
Comment 3 Adam Feldman gentoo-dev 2016-03-22 22:34:34 UTC
OpenAFS 1.6.17 (Security Release)

  All server platforms

    * Fix for OPENAFS-SA-2016-001: foreign users can create groups as
      if they were an administrator (RT #132822) (CVE-2016-2860)

  All client platforms

    * Fix for OPENAFS-SA-2016-002: information leakage from sending
      uninitialized memory over the network.  Multiple call sites
      were vulnerable, with potential for leaking both kernel and
      userland stack data (RT #132847)

Bumped to 1.6.17 in Gentoo repo in 8e33d4b5d5506a291ddcd93e2d060c1b0b450d00 and f7b023652efe0fd358a9d2f75b785ba6a985632e.
Comment 4 Adrian 2016-03-23 09:27:03 UTC
...
[ebuild     U ~] net-fs/openafs-kernel-1.6.17::gentoo [1.6.16::gentoo] 11 KiB
[ebuild     U ~] net-fs/openafs-1.6.17::gentoo [1.6.16::gentoo] USE="kerberos modules pam -doc" 0 KiB

Total: 2 packages (2 upgrades), Size of downloads: 11 KiB

Would you like to merge these packages? [Yes/No]
>>> Verifying ebuild manifests
>>> Running pre-merge checks for net-fs/openafs-kernel-1.6.17
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *     /usr/src/linux
 * Found kernel object directory:
 *     /lib/modules/4.1.15-gentoo-r1/build
 * Found sources for kernel version:
 *     4.1.15-gentoo-r1
>>> Emerging (1 of 2) net-fs/openafs-kernel-1.6.17::gentoo
>>> Failed to emerge net-fs/openafs-kernel-1.6.17, Log file:
>>>  '/tmp/portage/net-fs/openafs-kernel-1.6.17/temp/build.log'
>>> Jobs: 0 of 2 complete, 1 failed                 Load avg: 0.00, 0.01, 0.05
 * openafs-1.6.17-src.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ...       [ ok ]
>>> Downloading 'http://mirror.switch.ch/ftp/mirror/gentoo/distfiles/openafs-patches-20160321.tar.xz'
--2016-03-23 10:26:11--  http://mirror.switch.ch/ftp/mirror/gentoo/distfiles/openafs-patches-20160321.tar.xz
Resolving mirror.switch.ch... 2001:620:0:8::20, 130.59.10.36
Connecting to mirror.switch.ch|2001:620:0:8::20|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2016-03-23 10:26:11 ERROR 404: Not Found.

>>> Downloading 'ftp://mirror.switch.ch/mirror/gentoo/distfiles/openafs-patches-20160321.tar.xz'
pathconf: Permission denied
--2016-03-23 10:26:11--  ftp://mirror.switch.ch/mirror/gentoo/distfiles/openafs-patches-20160321.tar.xz
           => ‘/usr/portage/distfiles/openafs-patches-20160321.tar.xz’
Resolving mirror.switch.ch... 2001:620:0:8::20, 130.59.10.36
Connecting to mirror.switch.ch|2001:620:0:8::20|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /mirror/gentoo/distfiles ... done.
==> SIZE openafs-patches-20160321.tar.xz ... done.

==> EPSV ... done.    ==> RETR openafs-patches-20160321.tar.xz ...
No such file ‘openafs-patches-20160321.tar.xz’.

>>> Downloading 'https://dev.gentoo.org/~bircoph/afs/openafs-patches-20160321.tar.xz'
--2016-03-23 10:26:11--  https://dev.gentoo.org/~bircoph/afs/openafs-patches-20160321.tar.xz
Resolving dev.gentoo.org... 2001:470:ea4a:1:5054:ff:fec7:86e4, 140.211.166.183
Connecting to dev.gentoo.org|2001:470:ea4a:1:5054:ff:fec7:86e4|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10940 (11K) [application/x-xz]
Saving to: ‘/usr/portage/distfiles/openafs-patches-20160321.tar.xz’

     0K ..........                                            100% 16.6M=0.001s

2016-03-23 10:26:12 (16.6 MB/s) - ‘/usr/portage/distfiles/openafs-patches-20160321.tar.xz’ saved [10940/10940]

!!! Fetched file: openafs-patches-20160321.tar.xz VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got:      10940
!!! Expected: 10932
Refetching... File renamed to '/usr/portage/distfiles/openafs-patches-20160321.tar.xz._checksum_failure_.BsnI0n'

!!! Couldn't download 'openafs-patches-20160321.tar.xz'. Aborting.
 * Fetch failed for 'net-fs/openafs-kernel-1.6.17', Log file:
 *  '/tmp/portage/net-fs/openafs-kernel-1.6.17/temp/build.log'

 * Messages for package net-fs/openafs-kernel-1.6.17:

 * Fetch failed for 'net-fs/openafs-kernel-1.6.17', Log file:
 *  '/tmp/portage/net-fs/openafs-kernel-1.6.17/temp/build.log'
Comment 5 Adam Feldman gentoo-dev 2016-03-23 10:41:08 UTC
Sorry about that, had conflicting local files.  Just updated the manifest.
Comment 6 Adam Feldman gentoo-dev 2016-03-25 05:01:57 UTC
Requesting stabilization for =net-fs/openafs{,-kernel}-1.6.17 for amd64, sparc, and x86 so we can drop all old affected versions.
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-26 15:51:46 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-26 15:52:19 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-03-26 15:52:51 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Andrew Savchenko gentoo-dev 2016-03-26 19:17:04 UTC
Cleanup done.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 11:05:48 UTC
GLSA Vote: No
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 11:08:47 UTC
CVE-2016-2860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2860):
  The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows
  remote authenticated users from foreign Kerberos realms to bypass intended
  access restrictions and create arbitrary groups as administrators by
  leveraging mishandling of the creator ID.

CVE-2015-8312 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8312):
  Off-by-one error in afs_pioctl.c in OpenAFS before 1.6.16 might allow local
  users to cause a denial of service (memory overwrite and system crash) via a
  pioctl with an input buffer size of 4096 bytes.
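The CVE-2015-8312 text above describes the classic shape of a NUL-terminator off-by-one: a length check that admits an input exactly as large as the destination, after which the terminator lands one byte past the end. The following is an added, self-contained illustration of that pattern and its fix, written for this page; it is not the OpenAFS afs_pioctl.c code, and the buffer size, the `copy_in_*` function names and the canary-based `probe` harness are constructed for the example. The harness places the destination buffer inside a slightly larger allocation and uses the byte after it as a stand-in for adjacent kernel memory, so the overrun can be observed without undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

#define PIOCTL_BUF_SIZE 4096   /* illustrative; the CVE text mentions a 4096-byte input */
#define CANARY          0xA5   /* constructed marker for the byte just past the buffer  */

/* Vulnerable pattern (illustrative, not OpenAFS source). The guard uses '>' so an
 * input of exactly bufsize bytes is accepted, and the terminator is then written at
 * buf[bufsize], one byte past the end of the buffer. */
static int copy_in_vulnerable(char *buf, size_t bufsize, const char *in, size_t len)
{
    if (len > bufsize)
        return -1;
    memcpy(buf, in, len);
    buf[len] = '\0';           /* off by one when len == bufsize */
    return 0;
}

/* Hardened form: one byte of the buffer is reserved for the NUL, so any input that
 * leaves no room for it is rejected before anything is copied. */
static int copy_in_fixed(char *buf, size_t bufsize, const char *in, size_t len)
{
    if (len >= bufsize)
        return -1;
    memcpy(buf, in, len);
    buf[len] = '\0';
    return 0;
}

typedef int (*copy_fn)(char *, size_t, const char *, size_t);

/* Run one copy routine against a PIOCTL_BUF_SIZE buffer that sits inside a larger
 * allocation, with a canary byte immediately after it standing in for neighbouring
 * kernel memory. Returns 1 if the canary was overwritten (the bug fired), 0 if it
 * survived, -1 if the copy routine rejected the input, -2 on allocation failure. */
static int probe(copy_fn fn, size_t len)
{
    unsigned char *mem = malloc(PIOCTL_BUF_SIZE + 1);
    char *in = malloc(len ? len : 1);
    int rc, result;

    if (!mem || !in) {
        free(mem);
        free(in);
        return -2;
    }
    memset(in, 'A', len);                  /* constructed input, content irrelevant */
    mem[PIOCTL_BUF_SIZE] = CANARY;

    rc = fn((char *)mem, PIOCTL_BUF_SIZE, in, len);
    if (rc != 0)
        result = -1;
    else
        result = (mem[PIOCTL_BUF_SIZE] != CANARY) ? 1 : 0;

    free(mem);
    free(in);
    return result;
}

#include <stdio.h>
int main(void)
{
    printf("vulnerable, 4096 bytes: %d (1 = canary clobbered)\n",
           probe(copy_in_vulnerable, PIOCTL_BUF_SIZE));
    printf("vulnerable, 4095 bytes: %d\n", probe(copy_in_vulnerable, PIOCTL_BUF_SIZE - 1));
    printf("fixed,      4096 bytes: %d (-1 = rejected)\n",
           probe(copy_in_fixed, PIOCTL_BUF_SIZE));
    printf("fixed,      4095 bytes: %d\n", probe(copy_in_fixed, PIOCTL_BUF_SIZE - 1));
    return 0;
}
```

The useful takeaway for review is the invariant, not the size: whenever a routine both copies `len` bytes and appends a terminator, the accept condition must be `len < bufsize`, and a unit test at exactly `bufsize` and `bufsize - 1` is the cheapest way to keep it that way.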
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 11:09:21 UTC
CVE-2016-4536 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4536):
  The client in OpenAFS before 1.6.17 does not properly initialize the (1)
  AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4)
  ListAddrByAttributes structures, which might allow remote attackers to
  obtain sensitive memory information by leveraging access to RPC call
  traffic.
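Comment 1 (padding of the Rx ACK packet) and comment 13 (AFSStoreStatus and the other structures) describe the same defect class: a C struct is filled in field by field and then copied onto the wire, so compiler padding, and any field left unset, carries whatever the stack held before. The block below is an added example written for this page, not OpenAFS code; the `ack_like` struct, the `fill_*` and `serialize_explicit` functions and the `STALE` marker are constructed. It poisons the struct's storage with a known byte before filling it, so the bytes that would have leaked can be counted deterministically, and shows the two standard fixes: zeroing the object before use, and serializing explicitly so the in-memory layout never reaches the network.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative record (not the Rx ACK or AFSStoreStatus layout). A 1-byte field
 * followed by a 4-byte one forces compiler padding, and the trailing 2-byte field
 * usually leaves more. Only DATA_BYTES of sizeof(struct ack_like) carry data. */
struct ack_like {
    uint8_t  flag;
    uint32_t serial;
    uint16_t nacks;
};

#define DATA_BYTES 7      /* 1 + 4 + 2 */
#define STALE      0xEE   /* constructed marker standing in for leftover stack contents */

typedef void (*fill_fn)(struct ack_like *, uint32_t, uint16_t);

/* Vulnerable pattern: fields are assigned one by one; padding is never touched. */
static void fill_vulnerable(struct ack_like *p, uint32_t serial, uint16_t nacks)
{
    p->flag = 1;
    p->serial = serial;
    p->nacks = nacks;
}

/* Fix 1: zero the whole object before assigning fields, so padding is always 0. */
static void fill_fixed(struct ack_like *p, uint32_t serial, uint16_t nacks)
{
    memset(p, 0, sizeof *p);
    p->flag = 1;
    p->serial = serial;
    p->nacks = nacks;
}

/* Emulate "memcpy the struct onto the wire". The struct's storage is poisoned first so
 * untouched bytes are recognisable; field values are chosen so no data byte equals
 * STALE. Returns how many STALE bytes reached the packet buffer. (Relies on the
 * compiler leaving padding alone on member assignment, which GCC and Clang do.) */
static size_t leaked_bytes(fill_fn fill)
{
    struct ack_like pkt;
    unsigned char wire[sizeof pkt];
    size_t i, leaked = 0;

    memset(&pkt, STALE, sizeof pkt);       /* stand-in for whatever the stack held */
    fill(&pkt, 0x01020304u, 0x0506u);
    memcpy(wire, &pkt, sizeof pkt);

    for (i = 0; i < sizeof wire; i++)
        if (wire[i] == STALE)
            leaked++;
    return leaked;
}

/* Fix 2 (preferred for wire formats): write each field into the packet explicitly in
 * network byte order. Padding cannot leak because the struct is never copied at all.
 * Returns the number of bytes written. */
static size_t serialize_explicit(unsigned char *out, uint32_t serial, uint16_t nacks)
{
    size_t n = 0;
    out[n++] = 1;                                 /* flag */
    out[n++] = (unsigned char)(serial >> 24);     /* serial, big-endian */
    out[n++] = (unsigned char)(serial >> 16);
    out[n++] = (unsigned char)(serial >> 8);
    out[n++] = (unsigned char)(serial);
    out[n++] = (unsigned char)(nacks >> 8);       /* nacks, big-endian */
    out[n++] = (unsigned char)(nacks);
    return n;
}

/* Padding bytes the compiler inserted into struct ack_like on this platform. */
static size_t padding_bytes(void)
{
    return sizeof(struct ack_like) - DATA_BYTES;
}

/* Sanity check for the explicit serializer: exactly DATA_BYTES go out, in order. */
static int explicit_serializer_ok(void)
{
    unsigned char w[sizeof(struct ack_like)];
    size_t n = serialize_explicit(w, 0x01020304u, 0x0506u);
    return n == DATA_BYTES && w[0] == 1 && w[1] == 0x01 && w[4] == 0x04 &&
           w[5] == 0x05 && w[6] == 0x06;
}
```

A quick way to audit a code base for this class is to list every `memcpy`/`rx_Write`-style call whose source is a struct address and check that the struct was either zeroed at declaration (`= {0}` or `memset`) or never copied wholesale; `leaked_bytes(fill_vulnerable)` above returns exactly `padding_bytes()`, which on typical 64-bit ABIs is 5 of the 12 bytes sent.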