OpenAFS Security Advisories 2013-0003 and 2013-0004

Bug #1204195 reported by Jeffrey Hutzelman
Affects            Status        Importance  Assigned to  Milestone
openafs (Ubuntu)   Fix Released  Critical    Unassigned
  Lucid            Fix Released  Critical    Unassigned
  Precise          Fix Released  Critical    Unassigned
  Quantal          Fix Released  Critical    Unassigned
  Raring           Fix Released  Critical    Unassigned
  Saucy            Fix Released  Critical    Unassigned

Bug Description

The following OpenAFS security issues were reported to the distros mailing list on July 16, 2013, and are due for public release tomorrow, Wednesday, July 24, 2013:

OpenAFS Security Advisory 2013-0003
Topic: Brute force DES attack permits compromise of AFS cell
       CVE-2013-4134

OpenAFS Security Advisory 2013-0004
Topic: vos -encrypt doesn't encrypt connection data
       CVE-2013-4135

The upstream releases that fix these problems are 1.4.15 and 1.6.5, due to be released tomorrow. For saucy, you will want 1.6.5-1 from Debian. For precise, quantal, and raring, upstream has provided a sequence of patches (which I will attach) which should apply to the existing releases. For lucid, upstream has provided a sequence of patches which may or may not apply cleanly, or I can provide the patch sequence which was applied for Debian squeeze (which runs a substantially similar version).
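As an added defender-side example (not part of this Launchpad report, and not code from the OpenAFS project or the Ubuntu packaging), the following Python script decides whether an installed openafs package version is at or above the version in which these fixes were released for its Ubuntu release. The fixed versions are the ones recorded in this report's changelog entries: 1.4.12+dfsg-3+ubuntu0.3 (lucid), 1.6.1-1+ubuntu0.2 (precise), 1.6.1-2+ubuntu2.1 (quantal), 1.6.2-1+ubuntu2.1 (raring) and 1.6.5-1ubuntu1 (saucy). The comparison reimplements dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything) so the check runs on a host without dpkg; the function names and the sample versions in the `__main__` block are my own constructions.

```python
"""Check whether an installed Ubuntu openafs package carries the fixes for
OPENAFS-SA-2013-0003/0004 (CVE-2013-4134, CVE-2013-4135).

Added example, not part of the Launchpad report. The fixed package versions
below are the ones recorded in this report's changelog entries; the version
comparison follows the rules dpkg uses.
"""

# Fixed versions per Ubuntu release, taken from the changelogs in this report.
FIXED_VERSIONS = {
    "lucid": "1.4.12+dfsg-3+ubuntu0.3",
    "precise": "1.6.1-1+ubuntu0.2",
    "quantal": "1.6.1-2+ubuntu2.1",
    "raring": "1.6.2-1+ubuntu2.1",
    "saucy": "1.6.5-1ubuntu1",
}


def _order(c):
    """Sort weight of one character, mirroring dpkg's verrevcmp()."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before even the end of the string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0               # end of string


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or Debian revision)."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return -1 if ac < bc else 1
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, then compare numerically.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1       # a has more digits, so it is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:           # no '-' at all: the whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _verrevcmp(ua, ub)
    if result:
        return result
    return _verrevcmp(ra, rb)


def is_fixed(release, installed):
    """True if `installed` is at or above the fixed version for `release`."""
    if release not in FIXED_VERSIONS:
        raise ValueError("no fixed version recorded for release %r" % release)
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    samples = [
        ("precise", "1.6.1-1+ubuntu0.1"),
        ("precise", "1.6.1-1+ubuntu0.2"),
        ("lucid", "1.4.12+dfsg-3+ubuntu0.2"),
        ("saucy", "1.6.5-1ubuntu1"),
    ]
    for release, ver in samples:
        state = "fixed" if is_fixed(release, ver) else "NOT fixed"
        print("%-8s %-28s %s" % (release, ver, state))
```

On a real host the two inputs come from `lsb_release -cs` and `dpkg-query -W -f='${Version}' openafs-fileserver` (or whichever openafs binary package is installed). Where dpkg is available, `dpkg --compare-versions` gives the same answer; this script is only a portable stand-in for it, and its verdict says nothing about hosts running packages from outside the Ubuntu archive.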

Tags: patch
Jeffrey Hutzelman (jhutz) wrote :

These patches are from upstream and should apply cleanly to 1.6.4, and only slightly less cleanly to other 1.6.x versions. Patches 0001 through 0010 address OPENAFS-SA-2013-0003. Patch 0012 addresses OPENAFS-SA-2013-0004. You probably don't need patch 0011, which is about bumping the version number.

Changed in openafs (Ubuntu):
status: New → Confirmed
Luke Faraone (lfaraone) wrote :

I'll prepare debdiffs for the relevant releases.

Changed in openafs (Ubuntu Precise):
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Quantal):
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Raring):
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Saucy):
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Precise):
status: New → Confirmed
Changed in openafs (Ubuntu Raring):
status: New → Confirmed
Changed in openafs (Ubuntu Quantal):
status: New → Confirmed
Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Lucid):
status: New → Confirmed
assignee: nobody → Luke Faraone (lfaraone)
Luke Faraone (lfaraone) wrote :

The patches above were adapted from a prerelease series distributed by individuals involved in OpenAFS upstream.

Changed in openafs (Ubuntu Lucid):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Precise):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Quantal):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Raring):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Saucy):
assignee: Luke Faraone (lfaraone) → nobody
Luke Faraone (lfaraone) wrote :

This can be fixed via a normal sync in saucy.

Changed in openafs (Ubuntu Saucy):
importance: Undecided → Critical
Changed in openafs (Ubuntu Raring):
importance: Undecided → Critical
Changed in openafs (Ubuntu Quantal):
importance: Undecided → Critical
Changed in openafs (Ubuntu Precise):
importance: Undecided → Critical
Changed in openafs (Ubuntu Lucid):
importance: Undecided → Critical
Changed in openafs (Ubuntu Saucy):
status: Confirmed → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openafs (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
Luke Faraone (lfaraone) wrote :

Updated debdiff for quantal.

We previously had strange behaviour where our patches in debian/patches/ were also getting rolled into debian/patches/debian-changes.

The issue turned out to be an erroneous debian/source/options setting which told dpkg to force-collapse changes into one patch. Annoyingly, this option was silently ignored on precise, but implemented in quantal, so it worked when I tested locally but failed on sbuild.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Upstream patches for OpenAFS 1.6.x" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Luke Faraone (lfaraone) wrote :

The previous debdiff omitted a security fix previously shipped in the package.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.2-1+ubuntu2.1

---------------
openafs (1.6.2-1+ubuntu2.1) raring-security; urgency=low

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    - 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
    - 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
    - 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
    - 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
    - 0005-Move-akimpersonate-to-libauth.patch
    - 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
    - 0007-auth-Do-not-always-fallback-to-noauth.patch
    - 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
    - 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
    - 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
    - 0011 skipped because it was a version bump
    - 0012-ubik-Fix-encryption-selection-in-ugen.patch
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
        Andrew Deason, and Michael Meffie for the above patch series.
    - swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
        Kaseorg.
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1204195
 -- Luke Faraone <email address hidden> Tue, 23 Jul 2013 21:25:03 -0400

Changed in openafs (Ubuntu Raring):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.1-2+ubuntu2.1

---------------
openafs (1.6.1-2+ubuntu2.1) quantal-security; urgency=high

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    vos -encrypt doesn't encrypt connection data.
    Buffer overflows which could cause a serverside denial of service.
    - openafs-sa-2013-001.patch: Fix fileserver buffer overflow when parsing
      client-supplied ACL entries and protect against client parsing of
      bad ACL entries. Thanks to Nickolai Zeldovich.
    - openafs-sa-2013-002.patch: Fix ptserver buffer overflow via integer
      overflow in the IdToName RPC. Thanks to Nickolai Zeldovich
    - 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
    - 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
    - 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
    - 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
    - 0005-Move-akimpersonate-to-libauth.patch
    - 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
    - 0007-auth-Do-not-always-fallback-to-noauth.patch
    - 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
    - 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
    - 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
    - 0011 skipped because it was a version bump
    - 0012-ubik-Fix-encryption-selection-in-ugen.patch
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
        Andrew Deason, and Michael Meffie for the above patch series.
    - swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
        Kaseorg.
    - OPENAFS-SA-2013-001
    - OPENAFS-SA-2013-002
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-1794
    - CVE-2013-1795
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1145560
    - LP: #1204195
  * Remove debian/source/options, which previously force-collapsed the above
    patches into one debian/patches/debian-changes and caused confusing patch
    failures later. Thanks to Colin Watson for help with debugging and to
    Seth Arnold for identifying the failure.
 -- Luke Faraone <email address hidden> Wed, 24 Jul 2013 11:16:48 -0400

Changed in openafs (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.1-1+ubuntu0.2

---------------
openafs (1.6.1-1+ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    vos -encrypt doesn't encrypt connection data.
    Buffer overflows which could cause a serverside denial of service.
    - openafs-sa-2013-001.patch: Fix fileserver buffer overflow when parsing
      client-supplied ACL entries and protect against client parsing of
      bad ACL entries. Thanks to Nickolai Zeldovich.
    - openafs-sa-2013-002.patch: Fix ptserver buffer overflow via integer
      overflow in the IdToName RPC. Thanks to Nickolai Zeldovich
    - 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
    - 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
    - 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
    - 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
    - 0005-Move-akimpersonate-to-libauth.patch
    - 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
    - 0007-auth-Do-not-always-fallback-to-noauth.patch
    - 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
    - 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
    - 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
    - 0011 skipped because it was a version bump
    - 0012-ubik-Fix-encryption-selection-in-ugen.patch
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
        Andrew Deason, and Michael Meffie for the above patch series.
    - swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
        Kaseorg.
    - OPENAFS-SA-2013-001
    - OPENAFS-SA-2013-002
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-1794
    - CVE-2013-1795
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1145560
    - LP: #1204195
 -- Luke Faraone <email address hidden> Tue, 23 Jul 2013 21:11:02 -0400

Changed in openafs (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.4.12+dfsg-3+ubuntu0.3

---------------
openafs (1.4.12+dfsg-3+ubuntu0.3) lucid-security; urgency=high

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    vos -encrypt doesn't encrypt connection data.
    Buffer overflows which could cause a serverside denial of service.
    - Files changed:
        src/aklog/aklog_main.c
        src/aklog/klog.c
        src/auth/akimpersonate.c
        src/auth/akimpersonate.h
        src/auth/akimpersonate_v5gen.c
        src/auth/akimpersonate_v5gen.h
        src/auth/authcon.c
        src/auth/Makefile.in
        src/bozo/bosserver.c
        src/bozo/Makefile.in
        src/bucoord/Makefile.in
        src/budb/Makefile.in
        src/budb/server.c
        src/butc/Makefile.in
        src/cf/kerberos.m4
        src/config/Makefile.config.in
        src/fsprobe/Makefile.in
        src/kauth/Makefile.in
        src/libafsauthent/Makefile.in
        src/ptserver/Makefile.in
        src/ptserver/ptserver.c
        src/rxkad/Makefile.in
        src/rxkad/private_data.h
        src/rxkad/rxkad.p.h
        src/rxkad/rxkad_prototypes.h
        src/rxkad/rxkad_server.c
        src/rxkad/ticket5.c
        src/rxkad/ticket5_keytab.c
        src/scout/Makefile.in
        src/shlibafsauthent/Makefile.in
        src/shlibafsrpc/mapfile
        src/tbutc/Makefile.in
        src/tsm41/Makefile.in
        src/tviced/Makefile.in
        src/tvolser/Makefile.in
        src/update/Makefile.in
        src/update/server.c
        src/uss/Makefile.in
        src/util/dirpath.c
        src/util/dirpath.hin
        src/venus/Makefile.in
        src/viced/Makefile.in
        src/viced/viced.c
        src/vlserver/Makefile.in
        src/vlserver/vlserver.c
        src/volser/Makefile.in
        src/volser/volmain.c
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, and Ben Kaduk for
      the above fixes
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1204195
 -- Luke Faraone <email address hidden> Wed, 24 Jul 2013 18:07:21 -0400

Changed in openafs (Ubuntu Lucid):
status: Confirmed → Fix Released
Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Saucy):
status: Confirmed → Fix Committed
Seth Arnold (seth-arnold) wrote :

Thanks Luke!

Luke Faraone (lfaraone) wrote :

Patched in 1.6.5-1ubuntu1 which resolved the FTBFS that Debian's 1.6.5-1 introduced.

Changed in openafs (Ubuntu Saucy):
status: Fix Committed → Fix Released