
Re: squeeze update of openafs?



El 30/09/15 a las 17:26, Santiago Ruano Rincón escribió:
> El 30/07/15 a las 12:45, Benjamin Kaduk escribió:
...
> > I expect to be able to backport the patches and produce a debdiff, but I
> > am not sure that I will be able to build binary packages or do runtime
> > testing, since I don't currently have a squeeze environment.  Thank you
> > for the link to the procedures; I will take a look and do what I can.
> > 
> > -Ben
> 
> Hi,
> 
> I've backported the patches and prepared a test package. You can find
> it at:
> 
>     deb https://people.debian.org/~santiago/debian santiago-squeeze-lts
> 
> It'd be great if some users give them a try. The debdiff is also
> attached.
> 
> Cheers,
> 
> Santiago

Hi again,

Please find attached a new version of the debdiff, which includes fixes
for the two most recent CVEs.

Packages are also available at my personal repository. I will upload
them in a couple of days unless I get negative feedback.

Best,

Santiago
diff -u openafs-1.4.12.1+dfsg/debian/changelog openafs-1.4.12.1+dfsg/debian/changelog
--- openafs-1.4.12.1+dfsg/debian/changelog
+++ openafs-1.4.12.1+dfsg/debian/changelog
@@ -1,3 +1,20 @@
+openafs (1.4.12.1+dfsg-4+squeeze4~2) santiago-squeeze-lts; urgency=medium
+
+  * NOT RELEASE YET
+  * Non-maintainer upload by the Squeeze LTS Team.
+  * OPENAFS-SA-2015-001: vos: Clear nvldbentry before sending on the wire
+    (CVE-2015-3282).
+  * OPENAFS-SA-2015-002: bos: Use crypt for commands where spoofing could be a
+    risk (CVE-2015-3283).
+  * OPENAFS-SA-2015-004: afs: Use correct output buffer for FSCmd pioctl
+    (CVE-2015-3285).
+  * OPENAFS-SA-2015-006: vlserver: Disable regex volume name processing in
+    ListAttributesN2 (CVE-2015-6587).
+  * OPENAFS-SA-2015-007 "Tattletale": Rx ACK packets leak plaintext of
+    previous packets (CVE-2015-7762, CVE-2015-7763).
+
+ -- Santiago Ruano Rincón <santiago@debian.org>  Tue, 10 Nov 2015 09:31:00 +0100
+
 openafs (1.4.12.1+dfsg-4+squeeze3) squeeze-security; urgency=high
 
   * Apply upstream security patches:
diff -u openafs-1.4.12.1+dfsg/src/rx/rx.c openafs-1.4.12.1+dfsg/src/rx/rx.c
--- openafs-1.4.12.1+dfsg/src/rx/rx.c
+++ openafs-1.4.12.1+dfsg/src/rx/rx.c
@@ -4642,6 +4642,9 @@
     int	reason;			 Reason an acknowledge was prompted 
 */
 
+#define RX_ZEROS 1024
+static char rx_zeros[RX_ZEROS];
+
 struct rx_packet *
 rxi_SendAck(register struct rx_call *call,
 	    register struct rx_packet *optionalPacket, int serial, int reason,
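Review bot: `static char rx_zeros[RX_ZEROS];` carries no comment saying what it is for, and a reader who later sees a 1024-byte static written three bytes at a time in rxi_SendAck will wonder why it is that size. A one-line comment such as `/* All-zero source buffer for padding wire packets; static storage guarantees it stays zero. */` would settle that, and if nothing else in this file writes more than three bytes from it the size could be reduced to what is used. Leaving off `const` is presumably because rx_packetwrite takes a non-const pointer, which is also worth stating. The rxi_SendAck definition continues outside the hunk.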
@@ -4760,6 +4763,11 @@
     ap->nAcks = offset;
     p->length = rx_AckDataSize(offset) + 4 * sizeof(afs_int32);
 
+    /* Must zero the 3 octets that rx_AckDataSize skips at the end of the
+     * ACK list.
+     */
+    rx_packetwrite(p, rx_AckDataSize(offset) - 3, 3, rx_zeros);
+
     /* these are new for AFS 3.3 */
     templ = rxi_AdjustMaxMTU(call->conn->peer->ifMTU, rx_maxReceiveSize);
     templ = htonl(templ);
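Review bot: `rx_packetwrite(p, rx_AckDataSize(offset) - 3, 3, rx_zeros);` assumes that rx_AckDataSize() always places exactly three unused octets after the ack list and never returns less than 3, and neither property is visible in this patch — the macro lives in a header outside the diff. If the macro instead rounds up to an alignment boundary the number of skipped bytes would be 0–3 and this write could clobber the last ack entries, so the backport should be checked against the rx_packet.h definition in this tree. The comment could record the dependency, e.g. `/* rx_AckDataSize() leaves exactly 3 unused octets after acks[nAcks]; zero them so stale packet data is not sent. */`. The enclosing function rxi_SendAck starts and ends outside the hunk.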
@@ -4778,6 +4786,8 @@
     rx_packetwrite(p, rx_AckDataSize(offset) + 3 * sizeof(afs_int32),
 		   sizeof(afs_int32), &templ);
 
+    p->length = rx_AckDataSize(offset) + 4 * sizeof(afs_int32);
+
     p->header.serviceId = call->conn->serviceId;
     p->header.cid = (call->conn->cid | call->channel);
     p->header.callNumber = *call->callNumber;
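Review bot: `p->length = rx_AckDataSize(offset) + 4 * sizeof(afs_int32);` now appears twice in rxi_SendAck, once before the rx_packetwrite calls (visible at the top of the previous hunk) and again here after them. If rx_packetwrite can adjust p->length then this second assignment is the one that matters and deserves a comment saying so; if it cannot, one of the two is dead and the next reader will be tempted to delete the wrong one. A one-line comment such as `/* Set the final length after the rx_packetwrite calls above (they may change p->length). */`, or removal of the earlier assignment, would make the intent clear. The function continues outside the hunk.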
only in patch2:
unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/bozo/bos.c
+++ openafs-1.4.12.1+dfsg/src/bozo/bos.c
@@ -285,7 +285,7 @@
     afs_int32 flag;
     register char *tp;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     tp = as->parms[1].items->data;
     if (strcmp(tp, "on") == 0)
 	flag = 0;		/* auth req.: noauthflag is false */
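Review bot: `tconn = GetConn(as, 1);` replaces a bare `0` with a bare `1`, and the literal says nothing about what it enables; the meaning (presumably an encryption/authentication flag for the bosserver connection, given the changelog entry for OPENAFS-SA-2015-002) lives in GetConn's definition outside the diff. A named constant at the call sites would make each of these changes reviewable on its own, e.g. `tconn = GetConn(as, BOS_CONN_ENCRYPT);` with a constructed `enum { BOS_CONN_PLAIN = 0, BOS_CONN_ENCRYPT = 1 };` next to GetConn. It is also worth confirming that every GetConn(as, 0) call left untouched in bos.c is one where spoofing is genuinely harmless, since this diff shows only the sites that were changed. The same point applies to every other hunk in this file; each enclosing function starts and ends outside its hunk.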
@@ -354,7 +354,7 @@
     register struct rx_connection *tconn;
     register afs_int32 flags;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     flags = 0;
     if (as->parms[1].items)
 	flags |= BOZO_PRUNEBAK;
@@ -376,7 +376,7 @@
     register struct rx_connection *tconn;
     register afs_int32 code;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     code = BOZO_Exec(tconn, as->parms[1].items->data);
     if (code)
 	printf("bos: failed to execute command (%s)\n", em(code));
@@ -442,7 +442,7 @@
     register struct cmd_item *ti;
     register struct rx_connection *tconn;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     if (!as->parms[1].items) {
 	printf("bos: no files to uninstall\n");
 	return 1;
@@ -503,7 +503,7 @@
     struct rx_call *tcall;
     char destDir[256];
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     if (!as->parms[1].items) {
 	printf("bos: no files to install\n");
 	return 1;
@@ -555,7 +555,7 @@
     register afs_int32 code;
     register struct cmd_item *ti;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     if (as->parms[1].items == 0) {
 	code = BOZO_ShutdownAll(tconn);
 	if (code)
@@ -662,7 +662,7 @@
     struct rx_connection *tconn;
 
     count = 0;
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     if (as->parms[2].items) {
 	count++;
 	type = 1;
@@ -699,7 +699,7 @@
     register afs_int32 code;
     register struct cmd_item *ti;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     if (as->parms[1].items == 0) {
 	code = BOZO_StartupAll(tconn);
 	if (code)
@@ -722,7 +722,7 @@
     register afs_int32 code;
     register struct cmd_item *ti;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     if (as->parms[2].items) {
 	/* this is really a rebozo command */
 	if (as->parms[1].items) {
@@ -766,7 +766,7 @@
     register struct rx_connection *tconn;
     register afs_int32 code;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     code = BOZO_SetCellName(tconn, as->parms[1].items->data);
     if (code)
 	printf("bos: failed to set cell (%s)\n", em(code));
@@ -781,7 +781,7 @@
     register struct cmd_item *ti;
     char name[MAXHOSTCHARS];
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     for (ti = as->parms[1].items; ti; ti = ti->next) {
 	if (as->parms[2].items) {
 	    if (strlen(ti->data) > MAXHOSTCHARS - 3) {
@@ -807,7 +807,7 @@
     register afs_int32 code;
     register struct cmd_item *ti;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     for (ti = as->parms[1].items; ti; ti = ti->next) {
 	code = BOZO_DeleteCellHost(tconn, ti->data);
 	if (code)
@@ -924,7 +924,7 @@
     afs_int32 temp;
     register struct cmd_item *ti;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     for (ti = as->parms[1].items; ti; ti = ti->next) {
 	temp = atoi(ti->data);
 	code = BOZO_DeleteKey(tconn, temp);
@@ -985,7 +985,7 @@
     register struct cmd_item *ti;
 
     failed = 0;
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     for (ti = as->parms[1].items; ti; ti = ti->next) {
 	code = BOZO_AddSUser(tconn, ti->data);
 	if (code) {
@@ -1005,7 +1005,7 @@
     int failed;
 
     failed = 0;
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     for (ti = as->parms[1].items; ti; ti = ti->next) {
 	code = BOZO_DeleteSUser(tconn, ti->data);
 	if (code) {
@@ -1104,7 +1104,7 @@
     register int i;
     char *type, *name, *notifier = NONOTIFIER;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     for (i = 0; i < 6; i++)
 	parms[i] = "";
     for (i = 0, ti = as->parms[3].items; (ti && i < 6); ti = ti->next, i++) {
@@ -1134,7 +1134,7 @@
     register struct cmd_item *ti;
 
     code = 0;
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     for (ti = as->parms[1].items; ti; ti = ti->next) {
 	code = BOZO_DeleteBnode(tconn, ti->data);
 	if (code) {
@@ -1156,7 +1156,7 @@
     register struct cmd_item *ti;
 
     code = 0;
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     for (ti = as->parms[1].items; ti; ti = ti->next) {
 	code = BOZO_SetStatus(tconn, ti->data, BSTAT_NORMAL);
 	if (code)
@@ -1174,7 +1174,7 @@
     register struct cmd_item *ti;
 
     code = 0;
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     for (ti = as->parms[1].items; ti; ti = ti->next) {
 	code = BOZO_SetStatus(tconn, ti->data, BSTAT_SHUTDOWN);
 	if (code)
@@ -1410,7 +1410,7 @@
     int error;
 
     printf("Fetching log file '%s'...\n", as->parms[1].items->data);
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     tcall = rx_NewCall(tconn);
     code = StartBOZO_GetLog(tcall, as->parms[1].items->data);
     if (code) {
@@ -1456,7 +1456,7 @@
     memset(&mrafsParm, 0, sizeof(mrafsParm));
 
     /* parm 0 is machine name, 1 is partition, 2 is volume, 3 is -all flag */
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
 
     /* Find out whether fileserver is running MR-AFS (has a scanner instance) */
     /* XXX this should really be done some other way, potentially by RPC */
@@ -1855,7 +1855,7 @@
     register struct rx_connection *tconn;
     afs_int32 code, val;
 
-    tconn = GetConn(as, 0);
+    tconn = GetConn(as, 1);
     util_GetInt32(as->parms[1].items->data, &val);
     code = BOZO_SetRestrictedMode(tconn, val);
     if (code)
only in patch2:
unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/afs/afs_pioctl.c
+++ openafs-1.4.12.1+dfsg/src/afs/afs_pioctl.c
@@ -3850,8 +3850,7 @@
 	    if (tc) {
 		RX_AFS_GUNLOCK();
 		code =
-		    RXAFS_FsCmd(tc->id, Fid, Inputs, 
-					(struct FsCmdOutputs *)aout);
+            RXAFS_FsCmd(tc->id, Fid, Inputs, Outputs);
 		RX_AFS_GLOCK();
 	    } else
 		code = -1;
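Review bot: `RXAFS_FsCmd(tc->id, Fid, Inputs, Outputs);` is indented with spaces while the surrounding lines use tabs, so it will stand out against the file's style; `\t\t    RXAFS_FsCmd(tc->id, Fid, Inputs, Outputs);` would match the removed line. The more important check is outside the hunk: now that the RPC no longer writes through the caller's `aout` pointer, the copy of `Outputs` back to `aout` with an explicit size must exist later in this function, and the backport should be verified to include or already contain it. The enclosing function starts and ends outside the hunk.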
only in patch2:
unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/volser/vos.c
+++ openafs-1.4.12.1+dfsg/src/volser/vos.c
@@ -5411,6 +5411,8 @@
     struct rx_connection *aconn;
     char c, dc;
 
+    memset(&storeEntry, 0, sizeof(struct nvldbentry));
+
     server = GetServer(as->parms[0].items->data);
     if (!server) {
 	fprintf(STDERR, "vos: host '%s' not found in host table\n",
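Review bot: `memset(&storeEntry, 0, sizeof(struct nvldbentry));` spells the type rather than the object; `memset(&storeEntry, 0, sizeof storeEntry);` cannot drift if the declaration of storeEntry (outside this hunk) ever changes. The same applies to the three storeEntry memsets in vsprocs.c. Placing the zeroing at the top of the function, before any path that fills the entry partially, is the right choice since the changelog says the entry is sent on the wire. The enclosing function continues outside the hunk.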
only in patch2:
unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/volser/vsprocs.c
+++ openafs-1.4.12.1+dfsg/src/volser/vsprocs.c
@@ -683,6 +683,8 @@
     aconn = (struct rx_connection *)0;
     error = 0;
 
+    memset(&storeEntry, 0, sizeof(struct nvldbentry));
+
     init_volintInfo(&tstatus);
     tstatus.maxquota = aquota;
 
@@ -809,6 +811,8 @@
     afs_int32 vcode;
     struct nvldbentry entry, storeEntry;	/*the new vldb entry */
 
+    memset(&storeEntry, 0, sizeof(struct nvldbentry));
+
     aconn = (struct rx_connection *)0;
     error = 0;
 
@@ -867,6 +871,8 @@
     afs_int32 avoltype = -1, vtype;
     int notondisk = 0, notinvldb = 0;
 
+    memset(&storeEntry, 0, sizeof(struct nvldbentry));
+
     /* Find and read bhe VLDB entry for this volume */
     code = ubik_VL_SetLock(cstruct, 0, avolid, avoltype, VLOP_DELETE);
     if (code) {
@@ -7166,6 +7172,8 @@
 {
     int i, count;
 
+    memset(new, 0, sizeof(struct nvldbentry));
+
     /*copy all the fields */
     strcpy(new->name, old->name);
 /*    new->volumeType = old->volumeType;*/
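Review bot: `memset(new, 0, sizeof(struct nvldbentry));` runs before `strcpy(new->name, old->name);`, so if any caller ever passes the same entry as both `old` and `new` the source is wiped before it is copied; nothing in the hunk rules that out. If aliasing is impossible, a comment on the memset should make the precondition explicit, e.g. `/* Clear unused/padding fields before the copy so nothing stale is sent; old and new must not alias. */`; otherwise the copy needs to be done via a local. `sizeof *new` would also be preferable to naming the type. The function's header and remainder are outside the hunk.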
only in patch2:
unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/vlserver/vlprocs.c
+++ openafs-1.4.12.1+dfsg/src/vlserver/vlprocs.c
@@ -1394,11 +1394,10 @@
     struct nvldbentry *Vldbentry = 0, *VldbentryFirst = 0, *VldbentryLast = 0;
     afs_int32 blockindex = 0, count = 0, k, match, matchindex;
     int serverindex = -1;	/* no server found */
-    int findserver = 0, findpartition = 0, findflag = 0, findname = 0;
+    int findserver = 0, findpartition = 0, findflag = 0;
     char *t;
     int pollcount = 0;
     int namematchRWBK, namematchRO, thismatch, matchtype;
-    char volumename[VL_MAXNAMELEN];
 #ifdef HAVE_POSIX_REGEX
     regex_t re;
     int need_regfree = 0;
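Review bot: Dropping `findname` and `volumename` leaves `char *t;` and, under HAVE_POSIX_REGEX, `regex_t re; int need_regfree = 0;` declared, yet as far as this diff shows no `re_comp`, `regcomp` or `regexec` call survives the later hunks, so these become unused variables (compiler warnings) and any `regfree()` cleanup at the `done:` label outside the diff becomes dead code. Suggest removing `t` and the `#ifdef HAVE_POSIX_REGEX` declarations together with the matching cleanup in the same backport. The function continues outside the hunk.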
@@ -1444,8 +1443,7 @@
     }
 
     /* Search each entry in the database and return all entries
-     * that match the request. It checks volumename (with
-     * wildcarding), entry flags, server, and partition.
+     * that match the request. It checks entry flags, server, and partition.
      */
     else {
 	/* Get the server index for matching server address */
@@ -1459,21 +1457,9 @@
 	findpartition = ((attributes->Mask & VLLIST_PARTITION) ? 1 : 0);
 	findflag = ((attributes->Mask & VLLIST_FLAG) ? 1 : 0);
 	if (name && (strcmp(name, ".*") != 0) && (strcmp(name, "") != 0)) {
-	    sprintf(volumename, "^%s$", name);
-#ifdef HAVE_POSIX_REGEX
-	    if (regcomp(&re, volumename, REG_NOSUB) != 0) {
-		errorcode = VL_BADNAME;
-		goto done;
-	    }
-	    need_regfree = 1;
-#else
-	    t = (char *)re_comp(volumename);
-	    if (t) {
-		errorcode = VL_BADNAME;
-		goto done;
-	    }
-#endif
-	    findname = 1;
+	    /* regex-matching code has been disabled for security reasons. */
+	    errorcode = VL_BADNAME;
+	    goto done;
 	}
 
 	/* Read each entry and see if it is the one we want */
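Review bot: The new branch returns VL_BADNAME for every name other than NULL, "" and ".*", which includes plain literal volume names with no regex metacharacters; callers that used ListAttributesN2 to look up a single exact name will now get an error. If that is the intended behaviour of the backport, the comment should say so rather than only mentioning regex code: `/* Name matching (regex or literal) is disabled for security reasons (CVE-2015-6587); only an empty or ".*" name is accepted. */`. The remaining hunks in this file only collapse the former findname branches to unconditional matches and need no separate note. The function continues outside the hunk.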
@@ -1501,38 +1487,12 @@
 		if (tentry.serverFlags[k] & VLSF_RWVOL) {
 		    /* Does the name match the RW name */
 		    if (tentry.flags & VLF_RWEXISTS) {
-			if (findname) {
-			    sprintf(volumename, "%s", tentry.name);
-#ifdef HAVE_POSIX_REGEX
-			    if (regexec(&re, volumename, 0, NULL, 0) == 0) {
-				thismatch = VLSF_RWVOL;
-			    }
-#else
-			    if (re_exec(volumename)) {
-				thismatch = VLSF_RWVOL;
-			    }
-#endif
-			} else {
-			    thismatch = VLSF_RWVOL;
-			}
+			thismatch = VLSF_RWVOL;
 		    }
 
 		    /* Does the name match the BK name */
 		    if (!thismatch && (tentry.flags & VLF_BACKEXISTS)) {
-			if (findname) {
-			    sprintf(volumename, "%s.backup", tentry.name);
-#ifdef HAVE_POSIX_REGEX
-			    if (regexec(&re, volumename, 0, NULL, 0) == 0) {
-				thismatch = VLSF_BACKVOL;
-			    }
-#else
-			    if (re_exec(volumename)) {
-				thismatch = VLSF_BACKVOL;
-			    }
-#endif
-			} else {
-			    thismatch = VLSF_BACKVOL;
-			}
+			thismatch = VLSF_BACKVOL;
 		    }
 
 		    namematchRWBK = (thismatch ? 1 : 2);
@@ -1544,25 +1504,7 @@
 		 */
 		else {
 		    if (tentry.flags & VLF_ROEXISTS) {
-			if (findname) {
-			    if (namematchRO) {
-				thismatch =
-				    ((namematchRO == 1) ? VLSF_ROVOL : 0);
-			    } else {
-				sprintf(volumename, "%s.readonly",
-					tentry.name);
-#ifdef HAVE_POSIX_REGEX
-			    if (regexec(&re, volumename, 0, NULL, 0) == 0) {
-				thismatch = VLSF_ROVOL;
-			    }
-#else
-				if (re_exec(volumename))
-				    thismatch = VLSF_ROVOL;
-#endif
-			    }
-			} else {
-			    thismatch = VLSF_ROVOL;
-			}
+			thismatch = VLSF_ROVOL;
 		    }
 		    namematchRO = (thismatch ? 1 : 2);
 		}

Attachment: signature.asc
Description: Digital signature

