Upstream OpenAFS has published a security release. From the NEWS file:

OpenAFS 1.8.13

All client platforms

* Fix OPENAFS-SA-2024-001: theft of credentials in Unix client PAGs (CVE-2024-10394). Local users can bypass the PAG throttling mechanism in Unix clients and create a PAG using an existing id number and thereby gain access to any credentials in that PAG.

* Fix OPENAFS-SA-2024-003: buffer overflows in XDR responses (CVE-2024-10397). A malicious server can return more data than the preallocated buffer holds and cause a buffer overflow, which can crash the OpenAFS cache manager and other client utilities, and possibly result in arbitrary code execution.

All platforms

* Fix OPENAFS-SA-2024-002: unsafe memory access in ACL processing (CVE-2024-10396). Authenticated users can provide malformed ACLs to the fileserver's StoreACL RPC, causing the fileserver to crash, possibly expose the contents of uninitialized memory, and possibly store garbage data in the audit log. Malicious servers or network MITM can provide malformed ACLs to clients, possibly causing the process to crash and possibly storing the contents of uninitialized memory in ACLs stored on the server.

Reproducible: Always

I have created an updated ebuild with the associated Gentoo-specific patches and will be creating a PR for it.
I've submitted a PR for the 1.8.13 release: https://github.com/gentoo/gentoo/pull/39306

Notes: The Gentoo packaging for openafs needs some TLC. The above pull request was done with the minimum required changes to the prior packages in order to bring the package up to date with the latest upstream branch. Prior versions of the ebuilds pulled a tar file with the Gentoo patches and associated files. I've placed these directly into the files directory.

Patches:
* The xxxx-compiler-settings.patch was replaced with an upstream patch (it's been merged into upstream master, but hasn't made it into 1.8.x yet).
* The xxxx-gssapi-configure.patch is no longer applicable. The gssapi support wasn't meant for 1.8.x and the autoconf test for it was removed.
* The xxxx-docbook2pdf.patch needed to be updated to increase the hash_extra value.

Files:
* The README.gentoo is way outdated and needs work.
* The systemd/openafs-client.service file has been updated to sync up with the upstream version of the service unit (there was some work done to address a problem if the openafs client wasn't stopped properly and then later restarted).
* The OpenRC init scripts probably need some work as well.

QA checks: There are some QA complaints about implicit function declarations in the configure log. The QA reports in this case are flagging Linux kernel functions that were being tested for.
I've pushed an update to the PR that addresses some of the feedback. However, I am getting a build problem that I'm investigating when updating to EAPI 8. I'm getting unresolved symbols at various places within the build, which I'm trying to track down to figure out the reason behind them (I believe the problem is within libtool somewhere, but I'm not quite sure exactly where yet).