OpenAFS Security Advisories 2013-001 and 2013-002

Bug #1145560 reported by Luke Faraone
This bug affects 4 people
Affects             Status         Importance   Assigned to     Milestone
openafs (Ubuntu)    Fix Released   High         Luke Faraone
  Hardy             Invalid        High         Unassigned
  Lucid             Fix Released   High         Unassigned
  Oneiric           Invalid        High         Luke Faraone
  Precise           Fix Released   High         Luke Faraone
  Quantal           Fix Released   High         Luke Faraone

Bug Description

To quote Debian:

Multiple buffer overflows were discovered in OpenAFS, the implementation
of the distributed filesystem AFS, which might result in denial of
service or the execution of arbitrary code.

Tags: patch
Luke Faraone (lfaraone)
Changed in openafs (Ubuntu):
importance: Undecided → High
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in openafs (Ubuntu):
status: In Progress → Incomplete
Revision history for this message
Luke Faraone (lfaraone) wrote :

The bug status was "In progress" because I was working on the fix, at the request of the Security team.

I will change the status back to "triaged" and subscribe the ubuntu-security-sponsors team when the fix is ready to be sponsored.

Changed in openafs (Ubuntu):
status: Incomplete → In Progress
Revision history for this message
Russ Allbery (rra-debian) wrote :

For the current development release of Ubuntu, you want to sync 1.6.2-1 from Debian experimental.

For quantal, precise, and oneiric, you want 1.6.1-3 as uploaded to Debian unstable. I'm not sure if there are any Ubuntu-specific changes that need to be preserved in the patch you're carrying.

For lucid, you want either the package or the patch from the stable-security 1.4.12.1+dfsg-4+squeeze1 package.

Revision history for this message
Anders Kaseorg (andersk) wrote :

> kernel 3.8 support in the client (bug 1145560)
Er, bug 1098843.

Revision history for this message
Anders Kaseorg (andersk) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch for quantal-security" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Revision history for this message
Luke Faraone (lfaraone) wrote :

Anders: Re your update for Raring, I've changed the direct-to-source changes in the debdiff into a patch and have uploaded the package to Raring.

Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Quantal):
status: New → Triaged
Changed in openafs (Ubuntu Precise):
status: New → Triaged
Changed in openafs (Ubuntu Oneiric):
status: New → Triaged
Changed in openafs (Ubuntu Precise):
importance: Undecided → High
Changed in openafs (Ubuntu Quantal):
importance: Undecided → High
Changed in openafs (Ubuntu Hardy):
status: New → Triaged
Changed in openafs (Ubuntu Lucid):
status: New → Triaged
Changed in openafs (Ubuntu Hardy):
importance: Undecided → High
Changed in openafs (Ubuntu Lucid):
importance: Undecided → High
Changed in openafs (Ubuntu Oneiric):
importance: Undecided → High
Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Quantal):
status: Triaged → In Progress
status: In Progress → Triaged
Changed in openafs (Ubuntu Precise):
assignee: nobody → Luke Faraone (lfaraone)
status: Triaged → In Progress
Revision history for this message
Luke Faraone (lfaraone) wrote :

This patch corrects the problem on precise

Revision history for this message
Luke Faraone (lfaraone) wrote :
Changed in openafs (Ubuntu Oneiric):
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Precise):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Oneiric):
assignee: Luke Faraone (lfaraone) → nobody
Changed in openafs (Ubuntu Precise):
status: In Progress → Confirmed
Changed in openafs (Ubuntu Quantal):
status: Triaged → Confirmed
Changed in openafs (Ubuntu Oneiric):
status: Triaged → Confirmed
Changed in openafs (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Luke Faraone (lfaraone) wrote :
Changed in openafs (Ubuntu Lucid):
status: Triaged → Confirmed
Revision history for this message
Anders Kaseorg (andersk) wrote :

Raring needs this additional patch to fix a --no-copy-dt-needed-entries related FTBFS:
  http://gerrit.openafs.org/9387
(Luke has already included something equivalent in 1.6.2-1+ubuntu2.)

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for your patches! Unfortunately, I can't process them at this time due to the following:
- the quantal debdiff patches the files inline, but it is a source format v3 (quilt) package. When redoing this patch, be sure to include DEP-3 comments (the information that would have been in these is missing from debian/changelog)
- the quantal debdiff does not use the correct version. It should be 1.6.1-2ubuntu2.1
- the quantal debdiff does not use the format as prescribed by https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
- the precise debdiff is based on a package in precise-proposed. This should be based on what is currently in -security or -updates (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging)
- the precise debdiff patches debian/patches/debian-changes. This is a source format v3 (quilt) package so the security updates should be in their own patches. When redoing this patch, be sure to include DEP-3 comments (the information that would have been in these is missing from debian/changelog)
- the precise debdiff has the wrong version-- it should have been 1.6.1-1ubuntu0.2 with precise-proposed as 1.6.1-1ubuntu0.1, but precise-proposed's version of 1.6.1-1+ubuntu0.1 was mistakenly accepted. Unfortunately, if we are basing on the precise-proposed package, we have to use 1.6.1-1+ubuntu0.2
- the precise debdiff does not use the format as prescribed by https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
- the precise debdiff is based on a package in precise-proposed. This should be based on what is currently in -security or -updates (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging)
- the oneiric debdiff patches debian/patches/debian-changes. This is a source format v3 (quilt) package so the security updates should be in their own patches. When redoing this patch, be sure to include DEP-3 comments (the information that would have been in these is missing from debian/changelog)
- the oneiric debdiff has the wrong version-- it should be 1.6.0-1ubuntu0.1
- the oneiric debdiff does not use the format as prescribed by https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

The Lucid package is patchless, so the inline patches are fine. The debdiff didn't have the correct debian/changelog formatting, but I adjusted it. It would have been nice to have commit URLs (i.e., what would have been in the DEP-3 comments), but I've uploaded it after verifying the commits against upstream.

Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after updating the oneiric-quantal debdiffs. Thanks!

Changed in openafs (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in openafs (Ubuntu Oneiric):
status: Confirmed → In Progress
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Precise):
status: Confirmed → In Progress
assignee: nobody → Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Quantal):
status: Confirmed → In Progress
assignee: nobody → Luke Faraone (lfaraone)
Revision history for this message
Luke Faraone (lfaraone) wrote : Re: [Bug 1145560] Re: OpenAFS Security Advisories 2013-001 and 2013-002

Jamie,

Thanks for your review.

On Fri, Mar 08, 2013 at 10:43:51PM -0000, Jamie Strandboge wrote:
> Thanks for your patches! Unfortunately, I can't process them at this time due to the following:
> - the oneiric debdiff does not use the format as prescribed by https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
> - the precise debdiff does not use the format as prescribed by https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
> - the quantal debdiff does not use the format as prescribed by https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
> - the oneiric debdiff patches debian/patches/debian-changes. This is a source format v3 (quilt) package so the security updates should be in their own patches. When redoing this patch, be sure to include DEP-3 comments (the information that would have been in these is missing from debian/changelog)
> - the precise debdiff patches debian/patches/debian-changes. This is a source format v3 (quilt) package so the security updates should be in their own patches. When redoing this patch, be sure to include DEP-3 comments (the information that would have been in these is missing from debian/changelog)
> - the quantal debdiff patches the files inline, but it is a source format v3 (quilt) package. When redoing this patch, be sure to include DEP-3 comments (the information that would have been in these is missing from debian/changelog)

I'll address these concerns in a reupload.

> - the oneiric debdiff has the wrong version-- it should be 1.6.0-1ubuntu0.1
> - the quantal debdiff does not use the correct version. It should be 1.6.1-2ubuntu2.1
> - the precise debdiff has the wrong version-- it should have been 1.6.1-1ubuntu0.2 with precise-proposed as 1.6.1-1ubuntu0.1, but precise-proposed's version of 1.6.1-1+ubuntu0.1 was mistakenly accepted. Unfortunately, if we are basing on the precise-proposed package, we have to use 1.6.1-1+ubuntu0.2

I'll increment the precise version, but it wasn't mistakenly accepted, see below:

In <https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/356861/comments/1>, ~broder wrote:
> Be careful choosing version numbers for this. The normal mechanism for
> an Ubuntu security version number will result in kernel modules with a
> lower version than the current modules.

> - the precise debdiff is based on a package in precise-proposed. This should be based on what is currently in -security or -updates (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging)

I had previously gotten approval to base off of what is in -proposed. In
any case, -proposed will move to -updates on Monday.

> The Lucid package is patchless, so the inline patches are fine. The
> debdiff didn't have the correct debian/changelog formatting, but I
> adjusted it. It would have been nice to have commit URLs (i.e., what would
> have been in the DEP-3 comments), but I've uploaded it after verifying the
> commits against upstream.
>
> Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after
> updating the oneiric-quantal debdiffs. Thanks!

Thanks,

Luke

Revision history for this message
Scott Kitterman (kitterman) wrote :

As far as basing the debdiffs on -proposed, I requested that to avoid having to redo the SRU. It's verified and will be released on Monday. With my ubuntu-sru hat on, I'd ask you to take security fixes with the pending SRU included. If it's needed, I'll release the SRU over the weekend, but we prefer to avoid doing that.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ScottK did ask me, and I agreed, that these updates could be based on -proposed. My apologies for not communicating that fact.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I understand the bit about precise-proposed; Scott contacted me. I meant to simply say that even if the rest were right, I couldn't process it until -proposed went to -updates. As for the versioning, to be clear, precise has to be what you have now because of what is in -proposed. However, what is in -proposed did not need that version. Oneiric and Quantal also do not need the '+' - it is non-standard. I wouldn't have NAK'd on the versions alone-- I would have just fixed them and uploaded, but the quilt patching needed to be redone, so I mentioned it all.

Revision history for this message
Anders Kaseorg (andersk) wrote :

The ‘+’ may not be standard, but it’s necessary for openafs, for the following subtle reason.

If you create a binary module package with
  apt-get install module-assistant openafs-modules-source
  m-a build openafs
then the resulting package is versioned as
  openafs-modules-3.2.0-38-generic_1.6.1-1+3.2.0-38.61_amd64.deb
(A site with many OpenAFS client systems might throw this binary module package into an apt repository so that it doesn’t need to be rebuilt on every system.)

Now if you were to upgrade from 1.6.1-1 to 1.6.1-1ubuntu0.1 and do the same thing, you’d get
  openafs-modules-3.2.0-38-generic_1.6.1-1ubuntu0.1+3.2.0-38.61_amd64.deb
As you can check with dpkg --compare-versions, this is a _smaller_ version number!

That’s why the openafs package has been getting updates versioned like 1.6.1-1+ubuntu0.1 instead of 1.6.1-1ubuntu0.1, at least when someone has been around to point this problem out.
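The ordering subtlety Anders describes can be checked without a Debian system. The following is an added example, not code from the thread, from OpenAFS or from dpkg: a Python reimplementation of the Debian Policy version-comparison algorithm that `dpkg --compare-versions` applies, run over the version strings quoted in the comment above (the module-package versions with the `+3.2.0-38.61` kernel ABI suffix are the constructed samples from that comment).

```python
import re
from itertools import zip_longest

# Constructed sample versions, taken from the module-assistant example in the
# thread: "+3.2.0-38.61" is the kernel ABI suffix that m-a appends.
BASE     = "1.6.1-1+3.2.0-38.61"
STD_SEC  = "1.6.1-1ubuntu0.1+3.2.0-38.61"   # usual Ubuntu security scheme
PLUS_SEC = "1.6.1-1+ubuntu0.1+3.2.0-38.61"  # the '+' scheme openafs uses

def _order(c: str) -> int:
    """Debian ordering for one non-digit character; '' marks end of part."""
    if c == "~":          # tilde sorts before everything, even the end
        return -1
    if c == "":
        return 0
    if c.isalpha():       # letters sort before other punctuation
        return ord(c)
    return ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream_version or debian_revision (Debian Policy 5.6.12)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)   # non-digit run, lexical order
        nb = re.match(r"[^0-9]*", b).group(0)
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)    # digit run, numeric order
        db = re.match(r"[0-9]*", b).group(0)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v: str):
    """Split into (epoch, upstream_version, debian_revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")   # revision follows last '-'
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

if __name__ == "__main__":
    for v in (STD_SEC, PLUS_SEC):
        rel = {-1: "LOWER than", 0: "equal to", 1: "higher than"}[compare_versions(v, BASE)]
        print(f"{v} is {rel} {BASE}")
```

The result is that `1.6.1-1ubuntu0.1` is a higher package version than `1.6.1-1`, yet once m-a appends `+3.2.0-38.61` to both, the `ubuntu` letters are compared against the `+` of the suffix and the security build sorts lower, which is exactly what the `+ubuntu0.1` scheme avoids.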

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.4.12+dfsg-3+ubuntu0.2

---------------
openafs (1.4.12+dfsg-3+ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: Fix fileserver buffer overflow when parsing
    client-supplied ACL entries and protect against client parsing of bad ACL
    entries.
    - OPENAFS-SA-2013-001
    - CVE-2013-1794
    - LP: #114556
  * SECURITY UPDATE: Fix ptserver buffer overflow via integer overflow in the
    IdToName RPC
    - OPENAFS-SA-2013-002
    - CVE-2013-1795
    - LP: #1145560
 -- Luke Faraone <email address hidden> Tue, 05 Mar 2013 02:23:07 -0500

Changed in openafs (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Björn Torkelsson (torkel) wrote :

What happened with the updates for Oneiric, Precise and Quantal (especially Precise)?

The package in -proposed has been moved to -updates.

Revision history for this message
Luke Faraone (lfaraone) wrote :

Hardy is EOL

Changed in openafs (Ubuntu Hardy):
status: Triaged → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.1-2+ubuntu2.1

---------------
openafs (1.6.1-2+ubuntu2.1) quantal-security; urgency=high

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    vos -encrypt doesn't encrypt connection data.
    Buffer overflows which could cause a serverside denial of service.
    - openafs-sa-2013-001.patch: Fix fileserver buffer overflow when parsing
      client-supplied ACL entries and protect against client parsing of
      bad ACL entries. Thanks to Nickolai Zeldovich.
    - openafs-sa-2013-002.patch: Fix ptserver buffer overflow via integer
      overflow in the IdToName RPC. Thanks to Nickolai Zeldovich
    - 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
    - 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
    - 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
    - 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
    - 0005-Move-akimpersonate-to-libauth.patch
    - 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
    - 0007-auth-Do-not-always-fallback-to-noauth.patch
    - 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
    - 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
    - 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
    - 0011 skipped because it was a version bump
    - 0012-ubik-Fix-encryption-selection-in-ugen.patch
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
        Andrew Deason, and Michael Meffie for the above patch series.
    - swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
        Kaseorg.
    - OPENAFS-SA-2013-001
    - OPENAFS-SA-2013-002
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-1794
    - CVE-2013-1795
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1145560
    - LP: #1204195
  * Remove debian/source/options, which previously force-collaped the above
    patches into one debian/patches/debian-changes and caused confusing patch
    failures later. Thanks to Colin Watson for help with debugging and to
    Seth Arnold for identifying the failure.
 -- Luke Faraone <email address hidden> Wed, 24 Jul 2013 11:16:48 -0400

Changed in openafs (Ubuntu Quantal):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.1-1+ubuntu0.2

---------------
openafs (1.6.1-1+ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
    vos -encrypt doesn't encrypt connection data.
    Buffer overflows which could cause a serverside denial of service.
    - openafs-sa-2013-001.patch: Fix fileserver buffer overflow when parsing
      client-supplied ACL entries and protect against client parsing of
      bad ACL entries. Thanks to Nickolai Zeldovich.
    - openafs-sa-2013-002.patch: Fix ptserver buffer overflow via integer
      overflow in the IdToName RPC. Thanks to Nickolai Zeldovich
    - 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
    - 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
    - 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
    - 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
    - 0005-Move-akimpersonate-to-libauth.patch
    - 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
    - 0007-auth-Do-not-always-fallback-to-noauth.patch
    - 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
    - 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
    - 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
    - 0011 skipped because it was a version bump
    - 0012-ubik-Fix-encryption-selection-in-ugen.patch
    - Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
        Andrew Deason, and Michael Meffie for the above patch series.
    - swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
        Kaseorg.
    - OPENAFS-SA-2013-001
    - OPENAFS-SA-2013-002
    - OPENAFS-SA-2013-003
    - OPENAFS-SA-2013-004
    - CVE-2013-1794
    - CVE-2013-1795
    - CVE-2013-4134
    - CVE-2013-4135
    - LP: #1145560
    - LP: #1204195
 -- Luke Faraone <email address hidden> Tue, 23 Jul 2013 21:11:02 -0400

Changed in openafs (Ubuntu Precise):
status: In Progress → Fix Released
Luke Faraone (lfaraone)
Changed in openafs (Ubuntu Oneiric):
status: In Progress → Invalid
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Luke!
