Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 719136 (CVE-2019-18601, CVE-2019-18602, CVE-2019-18603) - <net-fs/openafs-1.8.6: Multiple vulnerabilities (CVE-2019-{18601,18602,18603})
Summary: <net-fs/openafs-1.8.6: Multiple vulnerabilities (CVE-2019-{18601,18602,18603})
Status: RESOLVED FIXED
Alias: CVE-2019-18601, CVE-2019-18602, CVE-2019-18603
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-23 23:49 UTC by Sam James
Modified: 2021-02-20 19:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-04-23 23:49:06 UTC
1) CVE-2019-18601

Description:
"OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of service from unserialized data access because remote attackers can make a series of VOTE_Debug RPC calls to crash a database server within the SVOTE_Debug RPC handler."

Advisory: https://openafs.org/pages/security/OPENAFS-SA-2019-003.txt

2) CVE-2019-18602

Description:
"OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to an information disclosure vulnerability because uninitialized scalars are sent over the network to a peer."

Advisory: https://openafs.org/pages/security/OPENAFS-SA-2019-002.txt

3) CVE-2019-18603

Description:
"OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to information leakage upon certain error conditions because uninitialized RPC output variables are sent over the network to a peer."

Advisory: https://openafs.org/pages/security/OPENAFS-SA-2019-001.txt
Comment 1 Sam James archtester gentoo-dev Security 2020-04-23 23:49:32 UTC
@maintainer(s), please create an appropriate ebuild
Comment 2 Sam James archtester gentoo-dev Security 2020-05-22 07:19:17 UTC
@maintainer(s), please bump this
Comment 3 Sam James archtester gentoo-dev Security 2020-07-27 04:48:37 UTC
ping
Comment 4 Sam James archtester gentoo-dev Security 2020-08-20 11:03:58 UTC
This may be last-rited if there is no response. Please tell us what your plans are.
Comment 5 Andrew Savchenko gentoo-dev 2020-08-21 19:09:17 UTC
(In reply to Sam James from comment #4)
> This may be last-rited if there is no response. Please tell us what your
> plans are.

It's on my list, but OpenAFS updates are quite time consuming so I can't give you a time estimate. Patches are welcome. I will update 1.8.x branch only.
Comment 6 Sam James archtester gentoo-dev Security 2020-08-23 14:56:47 UTC
(In reply to Andrew Savchenko from comment #5)
> (In reply to Sam James from comment #4)
> > This may be last-rited if there is no response. Please tell us what your
> > plans are.
> 
> It's on my list, but OpenAFS updates are quite time consuming so I can't
> give you a time estimate. Patches are welcome. I will update 1.8.x branch
> only.

This might help: https://bugs.gentoo.org/736160#c2
Comment 7 Larry the Git Cow gentoo-dev 2020-09-13 09:48:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9e3fbc9f8f1990ab161537c1e0ce3658489f20d

commit d9e3fbc9f8f1990ab161537c1e0ce3658489f20d
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2020-09-13 09:40:58 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2020-09-13 09:47:49 +0000

    net-fs/openafs: update to 1.8.6
    
    - Version bump to 1.8.6, this fixes many bugs,
    - including CVE-2019-1860{1..3}.
    - Update to the latest upstream stable 1_8_x branch, which fixes
      more bugs and bring kernel 5.9 support.
    - Migrate to tmpfiles eclass.
    - Fix build with USE=tsm.
    - Fix systemd unit files, thanks Adrian <adrian@planetcoding.net>
      for suggestion.
    - Fix doxygen dep.
    
    Bug: https://bugs.gentoo.org/719136
    Closes: https://bugs.gentoo.org/680944
    Closes: https://bugs.gentoo.org/686488
    Closes: https://bugs.gentoo.org/706738
    Closes: https://bugs.gentoo.org/736160
    Closes: https://bugs.gentoo.org/740630
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-fs/openafs/Manifest             |   3 +
 net-fs/openafs/openafs-1.8.6.ebuild | 343 ++++++++++++++++++++++++++++++++++++
 2 files changed, 346 insertions(+)
Comment 8 Sam James archtester gentoo-dev Security 2020-09-14 00:49:37 UTC
Tell us when ready to stable.
Comment 9 NATTkA bot gentoo-dev 2020-09-14 01:17:43 UTC
Sanity check failed:

> net-fs/openafs-1.8.6
>   depend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     app-backup/tsm
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     app-backup/tsm
>   rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     app-backup/tsm
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     app-backup/tsm
Comment 10 Sam James archtester gentoo-dev Security 2020-09-25 20:49:18 UTC
Ready?
Comment 11 Andrew Savchenko gentoo-dev 2020-09-29 07:31:29 UTC
(In reply to Sam James from comment #10)
> Ready?

Yes. Please note that app-backup/tsm needs to be stable only on amd64:

amd64? ( tsm? ( app-backup/tsm ) )
Comment 12 Sam James archtester gentoo-dev Security 2020-09-29 11:21:21 UTC
(In reply to Andrew Savchenko from comment #11)
> (In reply to Sam James from comment #10)
> > Ready?
> 
> Yes. Please note that app-backup/tsm needs to be stable only on amd64:
> 
> amd64? ( tsm? ( app-backup/tsm ) )

Right - although Nattka didn't end up expanding it anyway.
Comment 13 Agostino Sarubbo gentoo-dev 2020-10-09 08:41:38 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-10-09 15:23:35 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Andrew Savchenko gentoo-dev 2020-10-11 18:02:11 UTC
(In reply to Agostino Sarubbo from comment #14)
> Maintainer(s), please cleanup.

Simple cleanup is not possible here, since openafs-1.6.* removal implies openafs-kernel removal from the tree. While all its functionality is preserved within single unified openafs package (via USE="modules"), technically this is still a package removal and the last-rite procedure. So I'm going to mask (< openafs-1.8) and openafs-kernel, last-rite openafs-kernel and at least 30 days later finally remove it.

Security team, are you OK with this plan or should I follow some other procedure taking into account security implications?
Comment 16 Sam James archtester gentoo-dev Security 2020-10-11 18:19:31 UTC
(In reply to Andrew Savchenko from comment #15)
> (In reply to Agostino Sarubbo from comment #14)
> > Maintainer(s), please cleanup.
> 
> Simple cleanup is not possible here, since openafs-1.6.* removal implies
> openafs-kernel removal from the tree. While all its functionality is
> preserved within single unified openafs package (via USE="modules"),
> technically this is still a package removal and the last-rite procedure. So
> I'm going to mask (< openafs-1.8) and openafs-kernel, last-rite
> openafs-kernel and at least 30 days later finally remove it.
> 
> Security team, are you OK with this plan or should I follow some other
> procedure taking into account security implications?

Hey, that's fine with us. Just tag the bug / comment here as you go along, so it's easy to see what the current status us.

Thank you for checking!
Comment 17 Larry the Git Cow gentoo-dev 2020-10-11 19:07:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77fc8845e127ea2f5f2e5ffa7cfb50ff4e17729b

commit 77fc8845e127ea2f5f2e5ffa7cfb50ff4e17729b
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2020-10-11 18:59:29 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2020-10-11 19:07:02 +0000

    profiles/packages.mask: mask net-fs/openafs-kernel and revdep for removal
    
    Use net-fs/openafs-1.8.*[modules] instead.
    
    Bug: https://bugs.gentoo.org/719136
    
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 profiles/package.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
Comment 18 Larry the Git Cow gentoo-dev 2020-11-29 19:14:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07628bb2188c4ce09f32bd8263987a107b794ce5

commit 07628bb2188c4ce09f32bd8263987a107b794ce5
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2020-11-29 18:55:26 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2020-11-29 19:14:12 +0000

    net-fs/openafs-kernel: remove last rited and vulnerable package
    
    All functionality is peserved within net-fs/openafs[modules].
    
    Bug: https://bugs.gentoo.org/719136
    Closes: https://bugs.gentoo.org/703506
    Closes: https://bugs.gentoo.org/707928
    Closes: https://bugs.gentoo.org/724920
    
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-fs/openafs-kernel/Manifest                     |   3 -
 net-fs/openafs-kernel/metadata.xml                 |  11 --
 .../openafs-kernel-1.6.22.1-r1.ebuild              | 134 ---------------------
 .../openafs-kernel-1.6.22.2-r1.ebuild              | 134 ---------------------
 4 files changed, 282 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c13a871446d8632c473fc7eed27fd33862895e54

commit c13a871446d8632c473fc7eed27fd33862895e54
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2020-11-29 18:47:00 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2020-11-29 19:14:07 +0000

    net-fs/openafs: remove old versions
    
    Bug: https://bugs.gentoo.org/719136
    Closes: https://bugs.gentoo.org/642542
    Package-Manager: Portage-3.0.10, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-fs/openafs/Manifest                |   5 -
 net-fs/openafs/openafs-1.6.22.1.ebuild | 222 ---------------------------------
 net-fs/openafs/openafs-1.6.22.2.ebuild | 222 ---------------------------------
 3 files changed, 449 deletions(-)
Comment 19 Thomas Deutschmann gentoo-dev Security 2021-02-20 19:40:29 UTC
GLSA Vote: No

Repository is clean, all done!