Date: Wed, 11 Jun 2014 19:20:09 -0700
From: Russ Allbery <eagle@...ie.org>
To: oss-security@...ts.openwall.com
Cc: openafs-gatekeepers@...nafs.org
Subject: CVE request: OpenAFS 1.6.8 TMAY fileserver crashes

New code introduced in OpenAFS 1.6.8 does not properly zero fields in the
host structure in the OpenAFS fileserver, leading to some variables in the
host structure being left initialized from recycled heap memory.  While no
mechanism for exploitation is currently known, the affected file server
provides a network service and this sort of problem tends to be
exploitable with sufficient effort.

Below is the public disclosure of this issue to one of the OpenAFS mailing
lists.  OpenAFS 1.6.7 is not affected.  I don't believe any stable
distribution is affected, but Debian unstable, testing, and
wheezy-backports are affected.

The upstream stable fix is at:

    http://gerrit.openafs.org/#change,11283

which reverts the newly-added code in its entirety.  (A more thorough fix
that eliminates a fragile way of initializing structures is being worked
on for the master branch.)  An OpenAFS 1.6.9 release with this fix is
expected in the near future.

Could we get a CVE assigned to this problem, please?

Here is the original report:

| From: Andrew Deason <adeason@...enomine.net>
| To: release-team@...nafs.org
| Subject: [OpenAFS release-team] 1.6.8 TMAY fileserver crashes
| Date: Wed, 11 Jun 2014 16:05:14 -0500
| 
| This change is broken: <http://gerrit.openafs.org/10759>
| 
| Briefly, 'host' structures are allocated without clearing all of the
| contents to '0'. Only part of the structure is cleared, according to the
| HOST_TO_ZERO macro. Unfortunately I put the new tmay_ fields right below
| the 'index' field for some reason, so this means they aren't zeroed and
| can contain garbage. This means we can easily segfault in the fileserver
| when we try to access the pointers in there.
| 
| This makes it very easy to crash the fileserver, so it seems like we
| may want to issue a new release quickly, or at least alert the community
| that this issue exists and warn against using 1.6.8 fileservers. Options
| are:
| 
|  (1) Fix the bug. This is easy to fix in a few ways; Mark Vitale is
|  writing a fix right now (while I notify you guys) and should be
|  submitting it shortly.
| 
|  (2) Rip out the TMAY caching stuff. It's not urgently pressing.
| 
| I don't know if people favor one or the other, or if this is urgent
| enough to warrant a single-issue 1.6.9 release.
| 
| And lastly, of course, this was purely a mistake (my mistake) and I am
| sorry. This didn't need to go into 1.6 so soon, or at all. (And it still
| doesn't, if the release team feels it is better to just rip this out
| completely.)
| 
| -- 
| Andrew Deason
| adeason@...enomine.net

-- 
Russ Allbery (eagle@...ie.org)              <http://www.eyrie.org/~eagle/>
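The failure mode described in the report, as an added illustration that is not OpenAFS code: a struct is cleared only from its start through a marker field (here a re-created HOST_TO_ZERO macro over a hypothetical `struct host` whose field names, including `tmay_caps` and `tmay_len`, are assumed), so fields added below the marker keep whatever the recycled block held. The block simulates recycled heap memory with a 0xAA fill, contrasts prefix zeroing with whole-object zeroing, and adds the mechanical prefix-covers-struct check a reviewer could use to catch this class of bug.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout modelled on the report; not OpenAFS's real struct host. */
struct host {
    int   refCount;
    void *z_interface;
    int   index;       /* last field the prefix-zeroing macro covers */
    char *tmay_caps;   /* tmay_ fields placed below 'index': never cleared */
    int   tmay_len;
};

/* Fragile pattern: byte count from the start of the struct through 'index'. */
#define HOST_TO_ZERO(h) (offsetof(struct host, index) + sizeof((h)->index))

/* Stand-in for recycled heap memory: stale bytes from a previous owner. */
static void *recycled_block(size_t n)
{
    unsigned char *p = malloc(n);
    if (p) memset(p, 0xAA, n);
    return p;
}

/* 1 if the fields later code dereferences are in a known state, else 0. */
static int tmay_fields_clean(const struct host *h)
{
    return h->tmay_caps == NULL && h->tmay_len == 0;
}

/* Initialise a host from recycled memory either the 1.6.8 way (prefix only)
 * or by clearing the whole object; returns whether tmay_ ended up clean (-1 on OOM). */
int tmay_clean_after_init(int zero_whole_struct)
{
    struct host *h = recycled_block(sizeof *h);
    if (!h) return -1;
    if (zero_whole_struct)
        memset(h, 0, sizeof *h);         /* robust: field order is irrelevant */
    else
        memset(h, 0, HOST_TO_ZERO(h));   /* bug: tmay_caps/tmay_len keep garbage */
    int clean = tmay_fields_clean(h);
    free(h);
    return clean;
}

/* Mechanical check a reviewer can add: does the zeroed prefix span the struct? */
int zeroing_covers_whole_struct(void)
{
    return HOST_TO_ZERO((struct host *)0) == sizeof(struct host);
}
```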
