Unfortunately, you have it wrong.  OpenAFS does support the query
and it returns a security descriptor that is the equivalent of
saying that all files are owned by no one.  This is what the OpenAFS
client has done for years.

Your choices are:

 1. Do not install the MS10-020 hot fix

 2. Accept the fact that some applications that are themselves buggy
    will crash with the hot fix installed.  You can always get the
    application vendors to fix their applications.

 3. File bug reports with Microsoft and convince them to issue a
    revised hot fix that accepts security descriptors that state
    that files are owned by no one.

Jeffrey Altman


On 6/9/2010 8:51 AM, Dave B wrote:
> So, it sounds like we get to choose between..
> 
> • many applications crashing due to failure to support the query
> • many applications terminating due to the null security descriptor
> being returned
> 
> Out of curiosity, why can't a not null security descriptor be returned?
> 
> On Wed, 2010-05-26 at 16:12 -0500, Jeffrey Altman wrote:
>> FYI.  During the April 2010 Windows Update cycle a hot fix to the SMB
>> redirector was pushed to Windows machines around the world. 
>> http://www.microsoft.com/technet/security/bulletin/MS10-020.mspx?pubDate=2010-04-13
>>
>> What this fix does is add a validation operation on the data structures
>> returned when an application issues the GetSecurityInfo() API. 
>> Experience has shown that failure to support this query causes many
>> applications to crash.  Therefore, the AFS SMB Server returns a null
>> security descriptor.  This descriptor is not considered valid by the new
>> SMB validation code and the error STATUS_INVALID_NETWORK_RESPONSE is
>> returned to the application.  The failure of the API to complete results
>> in the termination of many applications.
>>
>> The Windows TCL implementation is known to call this API.
>>
>> The hot fix is labeled "critical" because without the validator
>> arbitrary data structures can be passed to the application that issues
>> the query.
>>
>> There is no known fix for the problem that we can apply to OpenAFS at
>> the current time.
>>
>> Jeffrey Altman
>>
>>

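Added example, not part of the thread and not OpenAFS or Microsoft code: a bounds-checked reader for a self-relative security descriptor, the structure GetSecurityInfo() ultimately hands to the application, that reports whether the owner is absent or is the well-known null SID S-1-0-0. Assumptions: the thread does not say which of these encodings the AFS SMB server returns, the checks are illustrative and are not the MS10-020 validator's logic, and all sample descriptors are constructed.

```python
import struct

SE_SELF_RELATIVE = 0x8000  # Control bit: fields are offsets into the buffer
NULL_SID = "S-1-0-0"       # well-known "Nobody" SID

def parse_sid(buf, off):
    """Bounds-checked decode of the SID at `off`; returns its string form."""
    if off + 8 > len(buf):
        raise ValueError("SID header runs past end of buffer")
    rev, count = buf[off], buf[off + 1]
    if rev != 1 or count > 15:
        raise ValueError("bad SID revision or sub-authority count")
    if off + 8 + 4 * count > len(buf):
        raise ValueError("SID sub-authorities run past end of buffer")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def describe_owner(buf):
    """Classify the owner of a self-relative security descriptor."""
    if len(buf) < 20:
        raise ValueError("shorter than the 20-byte descriptor header")
    rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision 1 self-relative descriptor")
    for name, off in (("owner", owner), ("group", group), ("sacl", sacl), ("dacl", dacl)):
        if off and not 20 <= off < len(buf):
            raise ValueError(name + " offset points outside the buffer")
    if owner == 0:
        return "no owner field"
    sid = parse_sid(buf, owner)
    return "owner is the null SID" if sid == NULL_SID else "owner " + sid

def header(owner_offset):
    """Constructed 20-byte header with no group, SACL or DACL."""
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE, owner_offset, 0, 0, 0)

def sid_bytes(authority, *subs):
    """Constructed binary SID for the samples below."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

# Constructed samples, not captured from any server.
NO_OWNER = header(0)
NOBODY = header(20) + sid_bytes(0, 0)
ADMINS = header(20) + sid_bytes(5, 32, 544)
TRUNCATED = ADMINS[:-2]  # owner SID cut short: must be rejected, not read past

if __name__ == "__main__":
    for label, sample in (("no owner", NO_OWNER), ("nobody", NOBODY), ("admins", ADMINS)):
        print(label, "->", describe_owner(sample))
```

An application that treats both "no owner" results as an ordinary answer, rather than assuming an owner SID is always present, keeps working against servers that report files as owned by no one.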