Hi,
It's been brought to my attention that there may be people on this
list who don't read openafs-announce, and may have missed the recent
security advisories.
We recently released OpenAFS 1.4.9 (and 1.4.10, and 1.5.59) to
address a couple of security issues in the Unix cache manager (one
applies to any Unix cache manager with bulk stat enabled, the other
to any Linux cache manager). These issue have been present in OpenAFS
since 1.0
Abstracts are:
http://www.openafs.org/security/OPENAFS-SA-2009-001.txt
AFS's XDR data marshalling language permits the construction of
arrays with a size constrained by the interface definition. The XDR
decoding language will accept data from the server up to this maximum
size, which in some cases is stored into a buffer allocated by the
client. In several locations, the AFS client assumes that the server
will never return more data than requested, and so allocates a buffer
smaller than this maximum size. Whilst this causes no problems when
communicating with valid servers, an attacker can return more data
than expected, and overflow the client's buffer.
http://www.openafs.org/security/OPENAFS-SA-2009-002.txt
AFS may pass an error code obtained from the fileserver directly to
the Linux kernel, using a Linux mechanism that merges error codes and
pointers into a single value. However, this mechanism is unable to
distinguish certain error codes from pointers. When AFS returns a
code of this type to the kernel, the kernel treats it as a pointer
and attempts to dereference it. This causes a kernel panic, and
results in a denial of service attack.
I am not aware of a publicly available exploit for either issue at
present.
Cheers,
Simon.
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
