Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] [DSA 1271-1] New openafs packages fix remote privilege escalation bug
From: Noah Meyerhans <noahm () debian org>
Date: Tue, 20 Mar 2007 21:21:12 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1271-1                security () debian org
http://www.debian.org/security/                         Noah Meyerhans
March 20, 2007
- ------------------------------------------------------------------------

Package        : openafs
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-1507

A design error has been identified in the OpenAFS, a cross-platform
distributed filesystem included with Debian.

OpenAFS historically has enabled setuid filesystem support for the local
cell.  However, with its existing protocol, OpenAFS can only use
encryption, and therefore integrity protection, if the user is
authenticated.  Unauthenticated access doesn't do integrity protection.
The practical result is that it's possible for an attacker with
knowledge of AFS to forge an AFS FetchStatus call and make an arbitrary
binary file appear to an AFS client host to be setuid.  If they can then
arrange for that binary to be executed, they will be able to achieve
privilege escalation.

OpenAFS 1.3.81-3sarge2 changes the default behavior to disable setuid
files globally, including the local cell.  It is important to note that
this change will not take effect until the AFS kernel module, built from
the openafs-modules-source package, is rebuilt and loaded into your
kernel.  As a temporary workaround until the kernel module can be
reloaded, setuid support can be manually disabled for the local cell by
running the following command as root

      fs setcell -cell <localcell> -nosuid

Following the application of this update, if you are certain there is
no security risk of an attacker forging AFS fileserver responses, you
can re-enable setuid status selectively with the following command,
however this should not be done on sites that are visible to the
Internet

      fs setcell -cell <localcell> -suid

For the stable distribution (sarge), this problem has been fixed in
version 1.3.81-3sarge2.  For the unstable distribution (sid) and the
upcoming stable distribution (etch), this problem will be fixed in
version 1.4.2-6.

We recommend that you upgrade your openafs package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openafs/openafs_1.3.81-3sarge2.dsc
    Size/MD5 checksum:      851 45351031494d87ff12f1bf08d14533f9
  http://security.debian.org/pool/updates/main/o/openafs/openafs_1.3.81-3sarge2.diff.gz
    Size/MD5 checksum:   262444 5804a2d738b2ec24f4055489c6287dca
  http://security.debian.org/pool/updates/main/o/openafs/openafs_1.3.81.orig.tar.gz
    Size/MD5 checksum: 13455346 d754e92f7a0cd9824991c850e001884c

Architecture independent packages:

  http://security.debian.org/pool/updates/main/o/openafs/openafs-modules-source_1.3.81-3sarge2_all.deb
    Size/MD5 checksum:  4491356 e71b35c9862df561b51b67a3c90fafc9

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_alpha.deb
    Size/MD5 checksum:  1111578 026440f88e9a4929dfe1c1eb7b5da586
  http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_alpha.deb
    Size/MD5 checksum:  2227596 e5517039ed51c445dbc02fb13be3e952
  http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_alpha.deb
    Size/MD5 checksum:   306552 b7afabee0f80a4bf00ab42eb84f165c2
  http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_alpha.deb
    Size/MD5 checksum:   693726 76ce60f5f960fb68301d15653dea0873
  http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_alpha.deb
    Size/MD5 checksum:   269148 928b0eab345fe24ec067dfe46540fce6
  http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_alpha.deb
    Size/MD5 checksum:  1878670 e75770cead20c34ba5f27f56d13689e9

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_amd64.deb
    Size/MD5 checksum:   229812 ed52b06bdb86dc060a430efad6e5c1a2
  http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_amd64.deb
    Size/MD5 checksum:  1442080 1a037eab6cf0e2701c127c85c06386ae
  http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_amd64.deb
    Size/MD5 checksum:  1833326 f95cb03cff5282ee9acc5489ab0821b9
  http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_amd64.deb
    Size/MD5 checksum:   246488 67f3c4fc899fd29353bf4c7a46e8976d
  http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_amd64.deb
    Size/MD5 checksum:   555870 5996c7f12878a0202c036b30280fbc3f
  http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_amd64.deb
    Size/MD5 checksum:   884258 d57b751026bfd2b05aca393f55e83d1c

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_hppa.deb
    Size/MD5 checksum:   250140 60ce4a5b1fe0c079d31e77f7d025c702
  http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_hppa.deb
    Size/MD5 checksum:   919068 9ca7af6733d9e2f5601b8159016619a1
  http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_hppa.deb
    Size/MD5 checksum:  1827790 256160195fcb04f911baa870aca98956
  http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_hppa.deb
    Size/MD5 checksum:   555916 374b8b31f343785ff8d2e671e7e73eab
  http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_hppa.deb
    Size/MD5 checksum:   248664 b3a8d024c19de251e2e190e54fe5cc10
  http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_hppa.deb
    Size/MD5 checksum:  1507594 2b07da638f4c0d3acbca303dcf2c3414

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_i386.deb
    Size/MD5 checksum:   205962 11e4dfaf88f70f36cf9d25d9c18998aa
  http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_i386.deb
    Size/MD5 checksum:   467028 752c5b703fa2f013ddd21817d82749f4
  http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_i386.deb
    Size/MD5 checksum:  1549640 05dba8404a3d8257e06b612cf07efc74
  http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_i386.deb
    Size/MD5 checksum:   783268 86567fbce7562f935b17a7e760bb9fbc
  http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_i386.deb
    Size/MD5 checksum:   217288 5008556d2e73108e1c3db41643df22b3
  http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_i386.deb
    Size/MD5 checksum:  1260276 d57b49ef1af6ca9c0b1b35066ecb20dd

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_ia64.deb
    Size/MD5 checksum:  2591976 3f9a094d54d6e8c2dbec0f20f26acdc2
  http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_ia64.deb
    Size/MD5 checksum:  1841346 3f696ba4ea1e97b4c2bdd4c8cbd0bf33
  http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_ia64.deb
    Size/MD5 checksum:  1277708 e5fd2c145c6d5c9a401629bc595b531a
  http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_ia64.deb
    Size/MD5 checksum:   310238 dfd2d50fd6750ac5a4e7ddcdd3ddd532
  http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_ia64.deb
    Size/MD5 checksum:   767784 ddea6844bb5d1b686ac77e216cb254cc
  http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_ia64.deb
    Size/MD5 checksum:   350246 7098128a63c0031b4776888544f44a0c

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_powerpc.deb
    Size/MD5 checksum:   229680 adc0ee24b299a72a3080042526bdf335
  http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_powerpc.deb
    Size/MD5 checksum:   517686 a7b07d334d079e32aee66bb05d80711e
  http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_powerpc.deb
    Size/MD5 checksum:  1460156 d13af55e2d4f9a3d3a97495681f6b37b
  http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_powerpc.deb
    Size/MD5 checksum:   852198 da3a7270c45eda7d0a72c5793af0435b
  http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_powerpc.deb
    Size/MD5 checksum:   223486 6fcec53ed212b0950a680653cb2f829d
  http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_powerpc.deb
    Size/MD5 checksum:  1692132 9e26a7d34e736eb6150a616381619a7c

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_s390.deb
    Size/MD5 checksum:   212066 13397ac230bf12c3900a926a8b36fc31
  http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_s390.deb
    Size/MD5 checksum:  1536368 fab1b06025fb4b9db78b5358d832fd70
  http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_s390.deb
    Size/MD5 checksum:   224796 72c0a37213a8844e9862691eda755a3f
  http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_s390.deb
    Size/MD5 checksum:   762190 cc9f29f4e0a4c234d6a5d87237fb2c03
  http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_s390.deb
    Size/MD5 checksum:  1383788 2405aec9aad97354db6427f55d8ab988
  http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_s390.deb
    Size/MD5 checksum:   473242 13ecf61e03a031cce4171abbc3c9c045

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_sparc.deb
    Size/MD5 checksum:  1542604 506c656b335f86e815fca789b1dc0c8a
  http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_sparc.deb
    Size/MD5 checksum:   215842 b393c0429c1dfc36dbef36cc4d43bf2b
  http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_sparc.deb
    Size/MD5 checksum:   775060 6a99cdcce7a5c83428fc48c607f0a02c
  http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_sparc.deb
    Size/MD5 checksum:  1331494 30b726724767f17b90738f8bdd4e8b9f
  http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_sparc.deb
    Size/MD5 checksum:   459596 c4b83804dd1ca1179af4919130ff0b0e
  http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_sparc.deb
    Size/MD5 checksum:   209508 0f73ab95372029f340702812b5928248


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGAEHPYrVLjBFATsMRAhKOAJ4sGiX8Qmx///0PCY5heJX8sgeyEwCcDpJq
pBKNfJP5cKHbdlI1Vfw0HXY=
=x+xg
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA 1271-1] New openafs packages fix remote privilege escalation bug Noah Meyerhans (Mar 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]