El 30/09/15 a las 17:26, Santiago Ruano Rincón escribió: > El 30/07/15 a las 12:45, Benjamin Kaduk escribió: ... > > I expect to be able to backport the patches and produce a debdiff, but I > > am not sure that I will be able to build binary packages or do runtime > > testing, since I don't currently have a squeeze environment. Thank you > > for the link to the procedures; I will take a look and do what I can. > > > > -Ben > > Hi, > > I've backported the patches and prepared a test package. You could find > it at: > > deb https://people.debian.org/~santiago/debian santiago-squeeze-lts > > It'd be great if some users give them a try. The debdiff is also > attached. > > Cheers, > > Santiago Hi again, Please find attached a new version of the debdiff, which includes fixes for the two most recent CVEs. Packages are also available at my personal repository. I will upload them in a couple of days unless I get negative feedback. Best, Santiago
diff -u openafs-1.4.12.1+dfsg/debian/changelog openafs-1.4.12.1+dfsg/debian/changelog
--- openafs-1.4.12.1+dfsg/debian/changelog
+++ openafs-1.4.12.1+dfsg/debian/changelog
@@ -1,3 +1,20 @@
+openafs (1.4.12.1+dfsg-4+squeeze4~2) santiago-squeeze-lts; urgency=medium
+
+ * NOT RELEASE YET
+ * Non-maintainer upload by the Squeeze LTS Team.
+ * OPENAFS-SA-2015-001: vos: Clear nvldbentry before sending on the wire
+ (CVE-2015-3282).
+ * OPENAFS-SA-2015-002: bos: Use crypt for commands where spoofing could be a
+ risk (CVE-2015-3283).
+ * OPENAFS-SA-2015-004: afs: Use correct output buffer for FSCmd pioctl
+ (CVE-2015-3285).
+ * OPENAFS-SA-2015-006: vlserver: Disable regex volume name processing in
+ ListAttributesN2 (CVE-2015-6587).
+ * OPENAFS-SA-2015-007 "Tattletale": Rx ACK packets leak plaintext of
+ previous packets (CVE-2015-7762, CVE-2015-7763).
+
+ -- Santiago Ruano Rincón <santiago@debian.org> Tue, 10 Nov 2015 09:31:00 +0100
+
 openafs (1.4.12.1+dfsg-4+squeeze3) squeeze-security; urgency=high
 * Apply upstream security patches:
diff -u openafs-1.4.12.1+dfsg/src/rx/rx.c openafs-1.4.12.1+dfsg/src/rx/rx.c
--- openafs-1.4.12.1+dfsg/src/rx/rx.c
+++ openafs-1.4.12.1+dfsg/src/rx/rx.c
@@ -4642,6 +4642,9 @@
 int reason; Reason an acknowledge was prompted */
+#define RX_ZEROS 1024
+static char rx_zeros[RX_ZEROS];
+
 struct rx_packet * rxi_SendAck(register struct rx_call *call, register struct rx_packet *optionalPacket, int serial, int reason,
@@ -4760,6 +4763,11 @@
 ap->nAcks = offset;
 p->length = rx_AckDataSize(offset) + 4 * sizeof(afs_int32);
+ /* Must zero the 3 octets that rx_AckDataSize skips at the end of the
+ * ACK list.
+ */
+ rx_packetwrite(p, rx_AckDataSize(offset) - 3, 3, rx_zeros);
+
 /* these are new for AFS 3.3 */
 templ = rxi_AdjustMaxMTU(call->conn->peer->ifMTU, rx_maxReceiveSize);
 templ = htonl(templ);
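Review bot: `rx_zeros` and `RX_ZEROS` are introduced in the -4642 hunk with no comment saying what the buffer is for, and the only write in this patch (the -4760 hunk) uses 3 of its 1024 bytes, so a reader cannot tell whether the size is deliberate headroom or arbitrary. I would document the declaration, e.g. `/* All-zero source for overwriting padding bytes that would otherwise carry stale packet contents onto the wire (OPENAFS-SA-2015-007). */`. In the -4760 hunk the offset `rx_AckDataSize(offset) - 3` and the length 3 both depend on the definition of rx_AckDataSize, which is not in the hunk; expressing that 3 once, as a named constant shared with the macro, would keep the scrub in step if the layout ever changes. The return value of the new `rx_packetwrite` is ignored, which matches the neighbouring calls, so I only note it. rxi_SendAck begins and ends outside these hunks.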
@@ -4778,6 +4786,8 @@
 rx_packetwrite(p, rx_AckDataSize(offset) + 3 * sizeof(afs_int32), sizeof(afs_int32), &templ);
+ p->length = rx_AckDataSize(offset) + 4 * sizeof(afs_int32);
+
 p->header.serviceId = call->conn->serviceId;
 p->header.cid = (call->conn->cid | call->channel);
 p->header.callNumber = *call->callNumber;
only in patch2: unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/bozo/bos.c
+++ openafs-1.4.12.1+dfsg/src/bozo/bos.c
@@ -285,7 +285,7 @@
 afs_int32 flag;
 register char *tp;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 tp = as->parms[1].items->data;
 if (strcmp(tp, "on") == 0)
 flag = 0; /* auth req.: noauthflag is false */
@@ -354,7 +354,7 @@
 register struct rx_connection *tconn;
 register afs_int32 flags;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 flags = 0;
 if (as->parms[1].items)
 flags |= BOZO_PRUNEBAK;
@@ -376,7 +376,7 @@
 register struct rx_connection *tconn;
 register afs_int32 code;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 code = BOZO_Exec(tconn, as->parms[1].items->data);
 if (code)
 printf("bos: failed to execute command (%s)\n", em(code));
@@ -442,7 +442,7 @@
 register struct cmd_item *ti;
 register struct rx_connection *tconn;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 if (!as->parms[1].items) {
 printf("bos: no files to uninstall\n");
 return 1;
@@ -503,7 +503,7 @@
 struct rx_call *tcall;
 char destDir[256];
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 if (!as->parms[1].items) {
 printf("bos: no files to install\n");
 return 1;
@@ -555,7 +555,7 @@
 register afs_int32 code;
 register struct cmd_item *ti;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 if (as->parms[1].items == 0) {
 code = BOZO_ShutdownAll(tconn);
 if (code)
@@ -662,7 +662,7 @@
 struct rx_connection *tconn;
 count = 0;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 if (as->parms[2].items) {
 count++;
 type = 1;
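Review bot: The added `p->length = rx_AckDataSize(offset) + 4 * sizeof(afs_int32);` repeats, verbatim, the assignment made just before the rx_packetwrite calls in the preceding hunk, with no comment on why it has to be redone; a later clean-up would plausibly drop it as redundant and silently reintroduce whatever it guards against. If the intent is that the intervening `rx_packetwrite` calls can change `p->length`, say so at the site, e.g. `/* rx_packetwrite may have adjusted p->length; pin it to the exact ACK size again -- confirm against rx_packetwrite */`. rxi_SendAck begins and ends outside the hunk.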
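Review bot: Every changed call site passes the bare literal `1` to `GetConn`, so the security intent of this patch (the changelog's "use crypt for commands where spoofing could be a risk") is invisible at the call; the same applies to the `GetConn(as, 1)` lines in the -354, -376, -442, -503, -555 and -662 hunks here and in all the bos.c hunks that follow. A one-word comment at each site, `tconn = GetConn(as, 1); /* crypt */`, or a named constant for the second argument, would let a reader tell these apart from any `GetConn(as, 0)` callers that remain. GetConn's definition is not in the diff, so the meaning of the flag is taken from the changelog entry and should be confirmed there. Each enclosing function begins and ends outside its hunk.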
@@ -699,7 +699,7 @@
 register afs_int32 code;
 register struct cmd_item *ti;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 if (as->parms[1].items == 0) {
 code = BOZO_StartupAll(tconn);
 if (code)
@@ -722,7 +722,7 @@
 register afs_int32 code;
 register struct cmd_item *ti;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 if (as->parms[2].items) {
 /* this is really a rebozo command */
 if (as->parms[1].items) {
@@ -766,7 +766,7 @@
 register struct rx_connection *tconn;
 register afs_int32 code;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 code = BOZO_SetCellName(tconn, as->parms[1].items->data);
 if (code)
 printf("bos: failed to set cell (%s)\n", em(code));
@@ -781,7 +781,7 @@
 register struct cmd_item *ti;
 char name[MAXHOSTCHARS];
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 for (ti = as->parms[1].items; ti; ti = ti->next) {
 if (as->parms[2].items) {
 if (strlen(ti->data) > MAXHOSTCHARS - 3) {
@@ -807,7 +807,7 @@
 register afs_int32 code;
 register struct cmd_item *ti;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 for (ti = as->parms[1].items; ti; ti = ti->next) {
 code = BOZO_DeleteCellHost(tconn, ti->data);
 if (code)
@@ -924,7 +924,7 @@
 afs_int32 temp;
 register struct cmd_item *ti;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 for (ti = as->parms[1].items; ti; ti = ti->next) {
 temp = atoi(ti->data);
 code = BOZO_DeleteKey(tconn, temp);
@@ -985,7 +985,7 @@
 register struct cmd_item *ti;
 failed = 0;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 for (ti = as->parms[1].items; ti; ti = ti->next) {
 code = BOZO_AddSUser(tconn, ti->data);
 if (code) {
@@ -1005,7 +1005,7 @@
 int failed;
 failed = 0;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 for (ti = as->parms[1].items; ti; ti = ti->next) {
 code = BOZO_DeleteSUser(tconn, ti->data);
 if (code) {
@@ -1104,7 +1104,7 @@
 register int i;
 char *type, *name, *notifier = NONOTIFIER;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 for (i = 0; i < 6; i++)
 parms[i] = "";
 for (i = 0, ti = as->parms[3].items; (ti && i < 6); ti = ti->next, i++) {
@@ -1134,7 +1134,7 @@
 register struct cmd_item *ti;
 code = 0;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 for (ti = as->parms[1].items; ti; ti = ti->next) {
 code = BOZO_DeleteBnode(tconn, ti->data);
 if (code) {
@@ -1156,7 +1156,7 @@
 register struct cmd_item *ti;
 code = 0;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 for (ti = as->parms[1].items; ti; ti = ti->next) {
 code = BOZO_SetStatus(tconn, ti->data, BSTAT_NORMAL);
 if (code)
@@ -1174,7 +1174,7 @@
 register struct cmd_item *ti;
 code = 0;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 for (ti = as->parms[1].items; ti; ti = ti->next) {
 code = BOZO_SetStatus(tconn, ti->data, BSTAT_SHUTDOWN);
 if (code)
@@ -1410,7 +1410,7 @@
 int error;
 printf("Fetching log file '%s'...\n", as->parms[1].items->data);
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 tcall = rx_NewCall(tconn);
 code = StartBOZO_GetLog(tcall, as->parms[1].items->data);
 if (code) {
@@ -1456,7 +1456,7 @@
 memset(&mrafsParm, 0, sizeof(mrafsParm));
 /* parm 0 is machine name, 1 is partition, 2 is volume, 3 is -all flag */
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 /* Find out whether fileserver is running MR-AFS (has a scanner instance) */
 /* XXX this should really be done some other way, potentially by RPC */
@@ -1855,7 +1855,7 @@
 register struct rx_connection *tconn;
 afs_int32 code, val;
- tconn = GetConn(as, 0);
+ tconn = GetConn(as, 1);
 util_GetInt32(as->parms[1].items->data, &val);
 code = BOZO_SetRestrictedMode(tconn, val);
 if (code)
only in patch2: unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/afs/afs_pioctl.c
+++ openafs-1.4.12.1+dfsg/src/afs/afs_pioctl.c
@@ -3850,8 +3850,7 @@
 if (tc) {
 RX_AFS_GUNLOCK();
 code =
- RXAFS_FsCmd(tc->id, Fid, Inputs,
- (struct FsCmdOutputs *)aout);
+ RXAFS_FsCmd(tc->id, Fid, Inputs, Outputs);
 RX_AFS_GLOCK();
 } else
 code = -1;
only in patch2: unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/volser/vos.c
+++ openafs-1.4.12.1+dfsg/src/volser/vos.c
@@ -5411,6 +5411,8 @@
 struct rx_connection *aconn;
 char c, dc;
+ memset(&storeEntry, 0, sizeof(struct nvldbentry));
+
 server = GetServer(as->parms[0].items->data);
 if (!server) {
 fprintf(STDERR, "vos: host '%s' not found in host table\n",
only in patch2: unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/volser/vsprocs.c
+++ openafs-1.4.12.1+dfsg/src/volser/vsprocs.c
@@ -683,6 +683,8 @@
 aconn = (struct rx_connection *)0;
 error = 0;
+ memset(&storeEntry, 0, sizeof(struct nvldbentry));
+
 init_volintInfo(&tstatus);
 tstatus.maxquota = aquota;
@@ -809,6 +811,8 @@
 afs_int32 vcode;
 struct nvldbentry entry, storeEntry; /*the new vldb entry */
+ memset(&storeEntry, 0, sizeof(struct nvldbentry));
+
 aconn = (struct rx_connection *)0;
 error = 0;
@@ -867,6 +871,8 @@
 afs_int32 avoltype = -1, vtype;
 int notondisk = 0, notinvldb = 0;
+ memset(&storeEntry, 0, sizeof(struct nvldbentry));
+
 /* Find and read bhe VLDB entry for this volume */
 code = ubik_VL_SetLock(cstruct, 0, avolid, avoltype, VLOP_DELETE);
 if (code) {
@@ -7166,6 +7172,8 @@
 {
 int i, count;
+ memset(new, 0, sizeof(struct nvldbentry));
+
 /*copy all the fields */
 strcpy(new->name, old->name);
 /* new->volumeType = old->volumeType;*/
only in patch2: unchanged:
--- openafs-1.4.12.1+dfsg.orig/src/vlserver/vlprocs.c
+++ openafs-1.4.12.1+dfsg/src/vlserver/vlprocs.c
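Review bot: The call now passes `Outputs` instead of `(struct FsCmdOutputs *)aout`, but nothing at the site records why the two buffers differ or how the RPC result reaches the caller afterwards; since this is the CVE-2015-3285 fix named in the changelog, the reason belongs next to the call. I would add `/* RPC output goes to the local Outputs buffer, not straight into aout (OPENAFS-SA-2015-004) -- confirm against the declarations above */`, adjusting the wording once the declaration of Outputs, which is outside the hunk, has been checked. The enclosing function begins and ends outside the hunk.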
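Review bot: The new `memset(&storeEntry, 0, sizeof(struct nvldbentry));` in the vos.c -5411 hunk spells the size as the type rather than the object, so it silently stays wrong if the variable's type ever changes; `memset(&storeEntry, 0, sizeof storeEntry);` ties the two together. The same applies to the vsprocs.c hunks at -683, -809 and -867, and in the -7166 hunk `memset(new, 0, sizeof(struct nvldbentry));` clears a pointer parameter and should be `memset(new, 0, sizeof *new);`. A short why-comment on the first of these, e.g. `/* zero the whole entry, padding included, before it is sent on the wire (CVE-2015-3282) */`, would explain the otherwise surprising clear of a struct that is about to be filled. The enclosing functions begin and end outside their hunks.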
@@ -1394,11 +1394,10 @@
 struct nvldbentry *Vldbentry = 0, *VldbentryFirst = 0, *VldbentryLast = 0;
 afs_int32 blockindex = 0, count = 0, k, match, matchindex;
 int serverindex = -1; /* no server found */
- int findserver = 0, findpartition = 0, findflag = 0, findname = 0;
+ int findserver = 0, findpartition = 0, findflag = 0;
 char *t;
 int pollcount = 0;
 int namematchRWBK, namematchRO, thismatch, matchtype;
- char volumename[VL_MAXNAMELEN];
 #ifdef HAVE_POSIX_REGEX
 regex_t re;
 int need_regfree = 0;
@@ -1444,8 +1443,7 @@
 }
 /* Search each entry in the database and return all entries
- * that match the request. It checks volumename (with
- * wildcarding), entry flags, server, and partition.
+ * that match the request. It checks entry flags, server, and partition.
 */
 else {
 /* Get the server index for matching server address */
@@ -1459,21 +1457,9 @@
 findpartition = ((attributes->Mask & VLLIST_PARTITION) ? 1 : 0);
 findflag = ((attributes->Mask & VLLIST_FLAG) ? 1 : 0);
 if (name && (strcmp(name, ".*") != 0) && (strcmp(name, "") != 0)) {
- sprintf(volumename, "^%s$", name);
-#ifdef HAVE_POSIX_REGEX
- if (regcomp(&re, volumename, REG_NOSUB) != 0) {
- errorcode = VL_BADNAME;
- goto done;
- }
- need_regfree = 1;
-#else
- t = (char *)re_comp(volumename);
- if (t) {
- errorcode = VL_BADNAME;
- goto done;
- }
-#endif
- findname = 1;
+ /* regex-matching code has been disabled for security reasons. */
+ errorcode = VL_BADNAME;
+ goto done;
 }
 /* Read each entry and see if it is the one we want */
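Review bot: After this hunk `char *t;`, and under HAVE_POSIX_REGEX `regex_t re;` and `int need_regfree = 0;`, are still declared, while the -1459 hunk and the two hunks that follow remove what look like their only uses (`re_comp`, `regcomp`, `regexec`); if no use remains in the parts of the function outside the hunks, these now draw unused-variable warnings and should go the same way as `findname` and `volumename`. `need_regfree` may still be read at the `done:` cleanup, which is outside the hunk, so check that before dropping it. The function (presumably ListAttributesN2, per the changelog) begins and ends outside the hunk.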
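Review bot: The replacement comment `/* regex-matching code has been disabled for security reasons. */` in the -1459 hunk names neither the issue nor the new contract, although behaviour changes from pattern matching to an outright `VL_BADNAME` for every name other than `.*` and the empty string. I would write `/* Volume-name pattern matching was removed (OPENAFS-SA-2015-006, CVE-2015-6587); an explicit name filter is now rejected with VL_BADNAME. */` so the advisory and the caller-visible behaviour are findable from the code. The enclosing function begins and ends outside the hunk.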
@@ -1501,38 +1487,12 @@
 if (tentry.serverFlags[k] & VLSF_RWVOL) {
 /* Does the name match the RW name */
 if (tentry.flags & VLF_RWEXISTS) {
- if (findname) {
- sprintf(volumename, "%s", tentry.name);
-#ifdef HAVE_POSIX_REGEX
- if (regexec(&re, volumename, 0, NULL, 0) == 0) {
- thismatch = VLSF_RWVOL;
- }
-#else
- if (re_exec(volumename)) {
- thismatch = VLSF_RWVOL;
- }
-#endif
- } else {
- thismatch = VLSF_RWVOL;
- }
+ thismatch = VLSF_RWVOL;
 }
 /* Does the name match the BK name */
 if (!thismatch && (tentry.flags & VLF_BACKEXISTS)) {
- if (findname) {
- sprintf(volumename, "%s.backup", tentry.name);
-#ifdef HAVE_POSIX_REGEX
- if (regexec(&re, volumename, 0, NULL, 0) == 0) {
- thismatch = VLSF_BACKVOL;
- }
-#else
- if (re_exec(volumename)) {
- thismatch = VLSF_BACKVOL;
- }
-#endif
- } else {
- thismatch = VLSF_BACKVOL;
- }
+ thismatch = VLSF_BACKVOL;
 }
 namematchRWBK = (thismatch ? 1 : 2);
@@ -1544,25 +1504,7 @@
 */
 else {
 if (tentry.flags & VLF_ROEXISTS) {
- if (findname) {
- if (namematchRO) {
- thismatch =
- ((namematchRO == 1) ? VLSF_ROVOL : 0);
- } else {
- sprintf(volumename, "%s.readonly",
- tentry.name);
-#ifdef HAVE_POSIX_REGEX
- if (regexec(&re, volumename, 0, NULL, 0) == 0) {
- thismatch = VLSF_ROVOL;
- }
-#else
- if (re_exec(volumename))
- thismatch = VLSF_ROVOL;
-#endif
- }
- } else {
- thismatch = VLSF_ROVOL;
- }
+ thismatch = VLSF_ROVOL;
 }
 namematchRO = (thismatch ? 1 : 2);
 }
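Review bot: With the `findname` branches gone, the surviving context comments `/* Does the name match the RW name */` and `/* Does the name match the BK name */` describe a check that no longer exists; the new lines set `thismatch` purely from the VLF_RWEXISTS and VLF_BACKEXISTS flags. Update them to match, e.g. `/* An RW volume exists; names are no longer filtered here */`, and the comment ahead of the -1544 hunk's `*/` line, which is outside its context, likely needs the same treatment for the RO case. The enclosing loop begins and ends outside both hunks.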