Message-ID: <87d2eeyili.fsf@windlord.stanford.edu>
Date: Wed, 11 Jun 2014 19:20:09 -0700
From: Russ Allbery <eagle@...ie.org>
To: oss-security@...ts.openwall.com
Cc: openafs-gatekeepers@...nafs.org
Subject: CVE request: OpenAFS 1.6.8 TMAY fileserver crashes

New code introduced in OpenAFS 1.6.8 does not properly zero fields in the
host structure in the OpenAFS fileserver, leading to some variables in the
host structure being left initialized from recycled heap memory. While no
mechanism for exploitation is currently known, the affected file server
provides a network service and this sort of problem tends to be exploitable
with sufficient effort. Below is the public disclosure of this issue to
one of the OpenAFS mailing lists.

OpenAFS 1.6.7 is not affected. I don't believe any stable distribution is
affected, but Debian unstable, testing, and wheezy-backports are affected.

The upstream stable fix is at:

    http://gerrit.openafs.org/#change,11283

which reverts the newly-added code in its entirety. (A more thorough fix
that eliminates a fragile way of initializing structures is being worked
on for the master branch.) An OpenAFS 1.6.9 release with this fix is
expected in the near future.

Could we get a CVE assigned to this problem, please?

Here is the original report:

| From: Andrew Deason <adeason@...enomine.net>
| To: release-team@...nafs.org
| Subject: [OpenAFS release-team] 1.6.8 TMAY fileserver crashes
| Date: Wed, 11 Jun 2014 16:05:14 -0500
|
| This change is broken: <http://gerrit.openafs.org/10759>
|
| Briefly, 'host' structures are allocated without clearing all of the
| contents to '0'. Only part of the structure is cleared, according to the
| HOST_TO_ZERO macro. Unfortunately I put the new tmay_ fields right below
| the 'index' field for some reason, so this means they aren't zeroed and
| can contain garbage. This means we can easily segfault in the fileserver
| when we try to access the pointers in there.
|
| This makes it very easy to crash the fileserver, so it seems like we
| may want to issue a new release quickly, or at least alert the community
| that this issue exists and warn against using 1.6.8 fileservers. Options
| are:
|
| (1) Fix the bug. This is easy to fix in a few ways; Mark Vitale is
| writing a fix right now (while I notify you guys) and should be
| submitting it shortly.
|
| (2) Rip out the TMAY caching stuff. It's not urgently pressing.
|
| I don't know if people favor one or the other, or if this is urgent
| enough to warrant a single-issue 1.6.9 release.
|
| And lastly, of course, this was purely a mistake (my mistake) and I am
| sorry. This didn't need to go into 1.6 so soon, or at all. (And it still
| doesn't, if the release team feels it is better to just rip this out
| completely.)
|
| --
| Andrew Deason
| adeason@...enomine.net

--
Russ Allbery (eagle@...ie.org)              <http://www.eyrie.org/~eagle/>
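The initialization pattern the report describes, as an added example in C that is not OpenAFS code: a hypothetical `struct host`, a `HOST_TO_ZERO_LEN` stand-in for the real macro (assumed to clear the struct only up to its `index` field), and `tmay`/`next` fields placed after that boundary. Recycled heap contents are simulated by filling the allocation with 0xAA before the partial clear, so the uncleared fields are observable without relying on allocator behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the TMAY caching data added in 1.6.8. */
struct tmay_cache {
    void *caps;      /* pointer the fileserver would dereference */
    int   valid;
};

/* Hypothetical host structure. Only the bytes up to and including
 * 'index' are cleared by the partial-zero pattern; everything placed
 * after 'index' keeps whatever the allocator handed back. */
struct host {
    uint32_t addr;
    uint16_t port;
    int      refcount;
    int      index;              /* zeroing boundary (assumed) */
    struct tmay_cache tmay;      /* added after the boundary: NOT zeroed */
    struct host *next;           /* also after the boundary: NOT zeroed */
};

/* Assumed shape of the HOST_TO_ZERO idea: byte length to clear. */
#define HOST_TO_ZERO_LEN (offsetof(struct host, index) + sizeof(int))

/* Simulate a recycled heap chunk: fill with a recognisable garbage byte. */
static struct host *alloc_recycled_host(void) {
    struct host *h = malloc(sizeof *h);
    if (h) memset(h, 0xAA, sizeof *h);
    return h;
}

/* Fragile pattern: clears only the leading HOST_TO_ZERO_LEN bytes. */
struct host *host_alloc_partial(void) {
    struct host *h = alloc_recycled_host();
    if (h) memset(h, 0, HOST_TO_ZERO_LEN);
    return h;
}

/* Robust pattern: clear the whole object regardless of field order. */
struct host *host_alloc_full(void) {
    struct host *h = alloc_recycled_host();
    if (h) memset(h, 0, sizeof *h);
    return h;
}

/* 1 if the post-boundary fields hold the expected initial values. */
int host_tail_is_clean(const struct host *h) {
    return h->tmay.caps == NULL && h->tmay.valid == 0 && h->next == NULL;
}
```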