Accepting request 635311 from home:hauky:branches:filesystems_GA

- update to security-release 1.8.2

OBS-URL: https://build.opensuse.org/request/show/635311
OBS-URL: https://build.opensuse.org/package/show/filesystems/openafs?expand=0&rev=26

ChangeLog

@@ -1,63 +1,536 @@
-commit e819a011a9842e640d54a4e6ccc70d1935c39827
-Author: Stephan Wiesand <stephan.wiesand@desy.de>
-Date:   Fri Aug 24 16:15:32 2018 +0200
+commit a33cb937ba5dc4c60c9dc7ac61d9796f0a96755f
+Author: Benjamin Kaduk <kaduk@mit.edu>
+Date:   Mon Sep 10 22:18:34 2018 -0500
 
-    Update NEWS for 1.8.1.1
+    Make OpenAFS 1.8.2
     
-    Release notes for the OpenAFS 1.8.1.1 release
+    Update version strings for the 1.8.2 release.
     
-    Change-Id: I94e0d52c22ca1f7ddfab0f12538a3e32136a3846
-    Reviewed-on: https://gerrit.openafs.org/13297
-    Tested-by: BuildBot <buildbot@rampaginggeek.com>
-    Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
-    Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
-    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
+    Change-Id: I90e59f3a8c930d80eab46b405050e11ea2fc2fe1
 
-commit 9128c17c5e3e3df0ab87d1298078cdeadd9c4ce7
-Author: Stephan Wiesand <stephan.wiesand@desy.de>
-Date:   Fri Aug 24 16:19:07 2018 +0200
+commit aecb8aef7074910838d639d75f46e5515baffc35
+Author: Benjamin Kaduk <kaduk@mit.edu>
+Date:   Mon Sep 10 20:26:20 2018 -0500
 
-    Make OpenAFS 1.8.1.1
+    Update NEWS for 1.8.2
     
-    Update configure version strings for 1.8.1.1. Note that macos kext
-    can be of form XXXX.YY[.ZZ[(d|a|b|fc)NNN]] where d dev, a alpha,
-    b beta, f final candidate so we have no way to represent 1.8.1.1.
-    Switch to 1.8.2 dev 1 for macOS.
+    Release notes for the OpenAFS 1.8.2 security release.
     
-    Change-Id: I9a8e9a2f0e2c70599d4c9c95eb8828f31aa35731
-    Reviewed-on: https://gerrit.openafs.org/13298
-    Tested-by: Michael Meffie <mmeffie@sinenomine.net>
-    Tested-by: BuildBot <buildbot@rampaginggeek.com>
-    Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
-    Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
-    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
+    Change-Id: If447b08cc3b3901da22eeb92a2e75bf2ab476633
 
-commit 554176bd236d772d670df9bdd2496facd5a4209a
-Author: Joe Gorse <jhgorse@gmail.com>
-Date:   Mon Jul 2 20:36:04 2018 +0000
+commit 90601818205aeefd1cf99b8766a7bfd03bf9b96a
+Author: Benjamin Kaduk <kaduk@mit.edu>
+Date:   Tue Sep 11 10:51:01 2018 -0500
 
-    LINUX: Update to Linux struct iattr->ia_ctime to timespec64 with 4.18
+    Fix typos in audit format strings
     
-    With 4.18+ Linux kernels we see a transition to 64-bit time stamps by
-    default.
+    Commit 9ebff4c6caa8b499d999cfd515d4d45eb3179769 introduced audit
+    framework support for several butc-related data types, but had
+    a typo ('$d' for '%d') in a couple of places, that was not reported
+    by compiler format-string checking.  Fix the typo to properly print
+    all the auditable data.
     
-    current_kernel_time() returns the 32-bit struct timespec.
-    current_kernel_time64() returns the 64-bit struct timespec64.
+    (cherry picked from commit d5816fd6cd1876760a985a817dbbb3940cf3bddb)
     
-    struct iattr->ia_ctime expects struct timespec64 as of 4.18+.
+    Change-Id: Iaea64ab0fe422381c298d94eff201c3525bd00c2
 
-    Timestamps greater than 31-bit rollover after 2147483647 or
-    January 19, 2038 03:14:07 UTC. This is the same approach taken by
-    the Linux developers for converting between timepsec64 and timespec.
+commit ed217df4b23e111d4b12e7236bdf6f8ab5575952
+Author: Benjamin Kaduk <kaduk@mit.edu>
+Date:   Sun Sep 9 10:44:38 2018 -0500
 
-    Reviewed-on: https://gerrit.openafs.org/13241
-    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
-    Tested-by: BuildBot <buildbot@rampaginggeek.com>
-    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
-    (cherry picked from commit 0bc5c15029cf7e720731f1415fcf9dc972d57ef4)
+    OPENAFS-SA-2018-001 backup: use authenticated connection to butc
     
-    Change-Id: I16f93fd54dd45fe64f0c6fd499bf3adca978e9b1
-    Reviewed-on: https://gerrit.openafs.org/13268
-    Tested-by: BuildBot <buildbot@rampaginggeek.com>
-    Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
-    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
+    Use the standard routine to pick a client security object, instead of
+    always assuming rxnull.  Respect -localauth as well as being able to
+    use the current user's tokens, but also provide a -nobutcauth argument
+    to fall back to the historical rxnull behavior (but only for the connections
+    to butc; vldb and budb connections are not affected).
+    
+    (cherry picked from commit 345ee34236c08a0a2fb3fff016edfa18c7af4b0a)
+    
+    Change-Id: I1e5e0e38d4003020db5875609db08194f7684bb7
+
+commit 1b199eeafad6420982380ce5e858f00c528cfd13
+Author: Benjamin Kaduk <kaduk@mit.edu>
+Date:   Thu Sep 6 18:50:39 2018 -0500
+
+    OPENAFS-SA-2018-001 butc: require authenticated connections with -localauth
+    
+    The butc -localauth option is available to use the cell-wide key to
+    authenticate to the vlserver and buserver, which in normal deployments
+    will require incoming connections to be authenticated as a superuser.
+    In such cases, the cell-wide key is also available for use in
+    authenticating incoming connections to the butc, which would otherwise
+    have been completely unauthenticated.
+    
+    Because of the security hazards of allowing unauthenticaed inbound
+    RPCs, especially ones that manipulate backup information and are allowed
+    to initiate outboud RPCs authenticated as the superuser, default to
+    not allowing unauthenticated inbound RPCs at all.  Provide an opt-out
+    command-line argument for deployments that require this functionality
+    and have configured their network environment (firewall/etc.) appropriately.
+    
+    Change-Id: Ia6349757a4c6d59d1853df1a844e210d32c14feb
+
+commit 6f8c0c8134de1b5358ec56878e350aeab31aa3cd
+Author: Benjamin Kaduk <kaduk@mit.edu>
+Date:   Sun Sep 9 11:49:03 2018 -0500
+
+    OPENAFS-SA-2018-001 Add auditing to butc server RPC implementations
+    
+    Make the actual implementations into helper functions, with the RPC
+    stubs calling the helpers and doing the auditing on the results, akin
+    to most other server programs in the tree.  This relies on support for
+    some additional types having been added to the audit framework.
+    
+    (cherry picked from commit c43169fd36348783b1a5a55c5bb05317e86eef82)
+    
+    Change-Id: Ia90c355bfded24820ae3b5c014e948e28eac6356
+
+commit 41d2dd569a365465ac47da3cd39eceba4beaeaf3
+Author: Benjamin Kaduk <kaduk@mit.edu>
+Date:   Sat Sep 8 19:42:36 2018 -0500
+
+    OPENAFS-SA-2018-001 audit: support butc types
+    
+    Add support for several complex butc types to enable butc auditing.
+    
+    Change-Id: I6aedd933cf5330cda40aae6f33827ae65409df32
+
+commit 7eb650a6edd96e3c7e68f170945ddcdac8b67975
+Author: Benjamin Kaduk <kaduk@mit.edu>
+Date:   Sat Sep 8 20:35:25 2018 -0500
+
+    OPENAFS-SA-2018-001 butc: remove dummy osi_audit() routine
+    
+    This local stub was present in the original IBM import and is unused.
+    It will conflict with the real audit code once we start adding auditing
+    to the TC_ RPCs, so remove it now.
+    
+    (cherry picked from commit 50216dbbc30ed94f89bdd0e964f4891e87f28c0b)
+    
+    Change-Id: I63db513bb107ef47da77f13b27cdf5d24b4a24b4
+
+commit 2cf5cfa8561047e855fed9ab35d1a041e309e39a
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Fri Jul 6 03:14:19 2018 -0400
+
+    OPENAFS-SA-2018-003 rxgen: prevent unbounded input arrays
+    
+    RPCs with unbounded arrays as inputs are susceptible to remote
+    denial-of-service (DOS) attacks.  A malicious client may submit an RPC
+    request with an arbitrarily large array, forcing the server to expend
+    large amounts of network bandwidth, cpu cycles, and heap memory to
+    unmarshal the input.
+    
+    Instead, issue an error message and stop rxgen when it detects an RPC
+    defined with an unbounded input array.  Thus we will detect the problem
+    at build time and prevent any future unbounded input arrays.
+    
+    (cherry picked from commit a4c1d5c48deca2ebf78b1c90310b6d56b3d48af6)
+    
+    Change-Id: I4c60c4776d7f02ea9790b76b49e7325d9c55f31d
+
+commit fe41fa565be6e325da75f3e9b8fbdac2c521b027
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Fri Jul 6 03:21:26 2018 -0400
+
+    OPENAFS-SA-2018-003 volser: prevent unbounded input to various AFSVol* RPCs
+    
+    Several AFSVol* RPCs are defined with an unbounded XDR "string" as
+    input.
+    
+    RPCs with unbounded arrays as inputs are susceptible to remote
+    denial-of-service (DOS) attacks.  A malicious client may submit an
+    AFSVol* request with an arbitrarily large string, forcing the volserver
+    to expend large amounts of network bandwidth, cpu cycles, and heap
+    memory to unmarshal the input.
+    
+    Instead, give each input "string" an appropriate size.
+    Volume names are inherently capped to 32 octets (including trailing NUL)
+    by the protocol, but there is less clearly a hard limit on partition names.
+    The Vol_PartitionInfo{,64} functions accept a partition name as input and
+    also return a partition name in the output structure; the output values
+    have wire-protocol limits, so larger values could not be retrieved by clients,
+    but for denial-of-service purposes, a more generic PATH_MAX-like value seems
+    appropriate.  We have several varying sources of such a limit in the tree, but
+    pick 4k as the least-restrictive.
+    
+    [kaduk@mit.edu: use a larger limit for pathnames and expand on PATH_MAX in
+    commit message]
+    
+    (cherry picked from commit 8b92d015ccdfcb70c7acfc38e330a0475a1fbe28)
+    
+    Change-Id: Ifa591dfd861688d4d7eb43145b29a1739c6e0f6f
+
+commit fac3749f0d180e0ca229326c0e8568a60e17d3e9
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Fri Jul 6 01:09:53 2018 -0400
+
+    OPENAFS-SA-2018-003 volser: prevent unbounded input to AFSVolForwardMultiple
+    
+    AFSVolForwardMultiple is defined with an input parameter that is defined
+    to XDR as an unbounded array of replica structs:
+      typedef replica manyDests<>;
+    
+    RPCs with unbounded arrays as inputs are susceptible to remote
+    denial-of-service (DOS) attacks.  A malicious client may submit an
+    AFSVolForwardMultiple request with an arbitrarily large array, forcing
+    the volserver to expend large amounts of network bandwidth, cpu cycles,
+    and heap memory to unmarshal the input.
+    
+    Even though AFSVolForwardMultiple requires superuser authorization, this
+    attack is exploitable by non-authorized actors because XDR unmarshalling
+    happens long before any authorization checks can occur.
+    
+    Add a bounding constant (NMAXNSERVERS 13) to the manyDests input array.
+    This constant is derived from the current OpenAFS vldb implementation, which
+    is limited to 13 replica sites for a given volume by the layout (size) of the
+    serverNumber, serverPartition, and serverFlags fields.
+    
+    [kaduk@mit.edu: explain why this constant is used]
+    
+    (cherry picked from commit 97b0ee4d9c9d069e78af2e046c7987aa4d3f9844)
+    
+    Change-Id: I49945ce1fd5979eadf6d5b310dc6d8c68f6f8dc7
+
+commit 87f199c14199afa29f75bb336383564f0fb4548a
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Thu Jul 5 23:51:37 2018 -0400
+
+    OPENAFS-SA-2018-003 budb: prevent unbounded input to BUDB_SaveText
+    
+    BUDB_SaveText is defined with an input parameter that is defined to XDR
+    as an unbounded array of chars:
+       typedef char charListT<>;
+    
+    RPCs with unbounded arrays as inputs are susceptible to remote
+    denial-of-service (DOS) attacks.  A malicious client may submit a
+    BUDB_SaveText request with an arbitrarily large array, forcing the budb
+    server to expend large amounts of network bandwidth, cpu cycles, and
+    heap memory to unmarshal the input.
+    
+    Modify the XDR definition of charListT so it is bounded.  This typedef
+    is shared (as an OUT parameter) by BUDB_GetText and BUDB_DumpDB, but
+    fortunately all in-tree callers of the client routines specify the same
+    maximum length of 1024.
+    
+    Note: However, SBUDB_SaveText server implementation seems to allow for up to
+    BLOCK_DATA_SIZE (2040) = BLOCKSIZE (2048) - sizeof(struct blockHeader)
+    (8), and it's unknown if any out-of-tree callers exist.  Since we do not need a
+    tight bound in order to avoid the DoS, use a somewhat higher maximum of
+    4096 bytes to leave a safety margin.
+    
+    [kaduk@mit.edu: bump the margin to 4096; adjust commit message to match]
+    
+    (cherry picked from commit 124445c0c47994f5e2efef30e86337c3c8ebc93f)
+    
+    Change-Id: Ic34f8f9e7484b7503a223509d5d61b72e1298b35
+
+commit 4218dc0a2db75c740d1d31966e672f85ad7999bd
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Thu Jul 5 21:11:30 2018 -0400
+
+    OPENAFS-SA-2018-003 vlserver: prevent unbounded input to VL_RegisterAddrs
+    
+    VL_RegisterAddrs is defined with an input argument of type bulkaddrs,
+    which is defined to XDR as an unbounded array of afs_uint32 (IPv4 addresses):
+      typedef afs_uint32 bulkaddrs<>
+    
+    The <> with no value instructs rxgen to build client and server stubs
+    that allow for a maximum size of "~0u" or 0xFFFFFFFF.
+    
+    Ostensibly the bulkaddrs array is unbounded to allow it to be shared
+    among VL_RegisterAddrs, VL_GetAddrs, and VL_GetAddrsU.  The VL_GetAddrs*
+    RPCs use bulkaddrs as an output array with a maximum size of MAXSERVERID
+    (254). VL_RegisterAddrss uses bulkaddrs as an input array, with a
+    nominal size of VL_MAXIPADDRS_PERMH (16).
+    
+    However, RPCs with unbounded array inputs are susceptible to remote
+    denial-of-service attacks.  That is, a malicious client may send a
+    VL_RegisterAddrs request with an arbitrarily long array, forcing the
+    vlserver to expend large amounts of network bandwidth, cpu cycles, and
+    heap memory to unmarshal the argument.  Even though VL_RegisterAddrs
+    requires superuser authorization, this attack is exploitable by
+    non-authorized actors because XDR unmarshalling happens long before any
+    authorization checks can occur.
+    
+    Because all uses of the type that our implementation support have fixed
+    bounds on valid data (whether input or output), apply an arbitrary
+    implementation limit (larger than any valid structure would be), to
+    prevent this class of attacks in the XDR decoder.
+    
+    [kaduk@mit.edu: limit the bulkaddrs type instead of introducing a new type]
+    
+    (cherry picked from commit 7629209219bbea3f127b33be06ac427ebc3a559e)
+    
+    Change-Id: I1726a834eb98b7e06285bac78a74e20bbedb9ce8
+
+commit 418b2ab56c60e44375df31a3a8f77461d577a5ff
+Author: Benjamin Kaduk <kaduk@mit.edu>
+Date:   Thu Aug 30 10:38:56 2018 -0500
+
+    OPENAFS-SA-2018-002 butc: Initialize OUT scalar value
+    
+    In STC_ReadLabel, the interaction with the tape device is
+    synchronous, so there is no need to allocate a task ID for status
+    monitoring.  However, we do need to initialize the output value,
+    to avoid writing stack garbage on the wire.
+    
+    (cherry picked from commit f5a80115f8f7f9418287547f0fc7fdb13d936f00)
+    
+    Change-Id: I3f5ea1cfff0d04adb49cdca7b05ac869665660e5
+
+commit 0ee86cc3f986365df9de21ede5735cc1f40db7e5
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 06:01:16 2018 -0400
+
+    OPENAFS-SA-2018-002 ubik: prevent VOTE_Debug, VOTE_XDebug information leak
+    
+    VOTE_Debug and VOTE_XDebug (udebug) both leave a single field
+    uninitialized if there is no current transaction.  This leaks the memory
+    contents of the ubik server over the wire.
+    
+    struct ubik_debug
+    - 4 bytes in member writeTrans
+    
+    In common code to both RPCs, ensure that writeTrans is always
+    initialized.
+    
+    [kaduk@mit.edu: switch to memset]
+    
+    (cherry picked from commit 7a7c1f751cdb06c0d95339c999b2c035c2d2168b)
+    
+    Change-Id: I2759989bf1a5190f9f03621218224c47094a88b7
+
+commit c912830e9c82d91bccf85018ef1e6a75edc410c4
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 05:26:21 2018 -0400
+
+    OPENAFS-SA-2018-002 kaserver: prevent KAM_ListEntry information leak
+    
+    KAM_ListEntry (kas list) does not initialize its output correctly.  It
+    leaks kaserver memory contents over the wire:
+    
+    struct kaindex
+    - up to 64 bytes for member name
+    - up to 64 bytes for member instance
+    
+    Initialize the buffer.
+    
+    [kaduk@mit.edu: move initialization to top of server routine]
+    
+    (cherry picked from commit b604ee7add7be416bf20973422a041e913d20761)
+    
+    Change-Id: Ic40bb2d5af409399c11a378340ba92174e26112f
+
+commit 43b3efd4f8cd3227b2b24ff673adeb834f6a3f0b
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 05:12:32 2018 -0400
+
+    OPENAFS-SA-2018-002 butc: prevent TC_DumpStatus, TC_ScanStatus information leaks
+    
+    TC_ScanStatus (backup status) and TC_GetStatus (internal backup status
+    watcher) do not initialize their output buffers.  They leak memory
+    contents over the wire:
+    
+    struct tciStatusS
+    - up to 64 bytes in member taskName (TC_MAXNAMELEN 64)
+    - up to 64 bytes in member volumeName  "
+    
+    Initialize the buffers.
+    
+    [kaduk@mit.edu: move initialization to top of server routines]
+    
+    (cherry picked from commit be0142707ca54f3de99c4886530e7ac9f48dd61c)
+    
+    Change-Id: I7a97ad1dbab004938085b401929d4925d80ff3b2
+
+commit b7e53b9e9706d63215a1804ed9eca30d69461f03
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 05:00:25 2018 -0400
+
+    OPENAFS-SA-2018-002 butc: prevent TC_ReadLabel information leak
+    
+    TC_ReadLabel (backup readlabel) does not initialize its output buffer
+    completely.  It leaks butc memory contents over the wire:
+    
+    struct tc_tapeLabel
+    - up to 32 bytes from member afsname (TC_MAXTAPELEN 32)
+    - up to 32 bytes from member pname (TC_MAXTAPELEN 32)
+    
+    Initialize the buffer.
+    
+    [kaduk@mit.edu: move initialization to the RPC stub]
+    
+    (cherry picked from commit 52f4d63148323e7d605f9194ff8c1549756e654b)
+    
+    Change-Id: Ia5d9dd649bdbd45c8b201f344bf55080a55e3392
+
+commit 6f26a945adeca87b669282eed0eaca3dca0a1423
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 04:39:44 2018 -0400
+
+    OPENAFS-SA-2018-002 budb: prevent BUDB_* information leaks
+    
+    The following budb RPCs do not initialize their output correctly.
+    This leaks buserver memory contents over the wire:
+    
+    BUDB_FindLatestDump (backup dump)
+    BUDB_FindDump (backup volrestore, diskrestore, volsetrestore)
+    BUDB_GetDumps (backup dumpinfo)
+    BUDB_FindLastTape (backup dump)
+    
+    struct budb_dumpEntry
+    - up to 32 bytes in member volumeSetName
+    - up to 256 bytes in member dumpPath
+    - up to 32 bytes in member name
+    - up to 32 bytes in member tape.tapeServer
+    - up to 32 bytes in member tape.format
+    - up to 256 bytes in member dumper.name
+    - up to 128 bytes in member dumper.instance
+    - up to 256 bytes in member dumper.cell
+    
+    Initialize the buffer in common routine FillDumpEntry.
+    
+    (cherry picked from commit e96771471134102d3879a0ac8b2c4ef9d91a61b8)
+    
+    Change-Id: I85ec8a21966386baa8243326072e5730726cba96
+
+commit a6557ffa64d8fab3526c4f89629dcbb965a27780
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 03:56:24 2018 -0400
+
+    OPENAFS-SA-2018-002 afs: prevent RXAFSCB_TellMeAboutYourself information leak
+    
+    RXAFSCB_TellMeAboutYourself does not completely initialize its output
+    buffers.  This leaks kernel memory over the wire:
+    
+    struct interfaceAddr
+    Unix cache manager (libafs)
+    - up to 124 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 * 4) - 4))
+    - up to 124 bytes in array subnetmask   "
+    - up to 124 bytes in array mtu          "
+    
+    Windows cache manager
+    - 64 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 - CM_MAXINTERFACE_ADDR 16)* 4)
+    - 64 bytes in array subnetmask  "
+    - 64 bytes in array mtu         "
+    
+    The following implementations of SRXAFSCB_TellMeAboutYourself are not susceptible:
+    - fsprobe
+    - libafscp
+    - xstat_fs_test
+    
+    Initialize the buffer.
+    
+    (cherry picked from commit 211b6d6a4307006da1467b3be46912a3a5d7b20b)
+    
+    Change-Id: I2fee5cc9c11ea42726c7c8f9a7d14eafee6142f0
+
+commit 3dea4adaa356b7eed40b6162c106c5e90690f5a1
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 03:47:41 2018 -0400
+
+    OPENAFS-SA-2018-002 afs: prevent RXAFSCB_GetLock information leak
+    
+    RXAFSCB_GetLock (cmdebug) does not correctly initialize its output.
+    This leaks kernel memory over the wire:
+    
+    struct AFSDBLock
+    - up to 14 bytes for member name (16 - '<cellname>\0')
+    
+    Initialize the buffer.
+    
+    (cherry picked from commit b52eb11a08f2ad786238434141987da27b81e743)
+    
+    Change-Id: If84c5d9d805356cd56be77313149a931a948b4d5
+
+commit e19ad4cdde463d2bbb4b815525da992bd5fc2648
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 03:37:37 2018 -0400
+
+    OPENAFS-SA-2018-002 ptserver: prevent PR_ListEntries information leak
+    
+    PR_ListEntries (pts listentries) does not properly initialize its output
+    buffers.  This leaks ptserver memory over the wire:
+    
+    struct prlistentries
+    - up to 62 bytes for each entry name (PR_MAXNAMELEN 64 - 'a\0')
+    
+    Initialize the buffer, and remove the now redundant memset for the
+    reserved fields.
+    
+    (cherry picked from commit 9d1aeb5d761581a35bef2042e9116b96e9ae3bf5)
+    
+    Change-Id: I679c205502941891cbb34f10e648a6f9d83c3c60
+
+commit 2d22756de7af2c72b8aca6969825f8e921f01d6c
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 03:00:02 2018 -0400
+
+    OPENAFS-SA-2018-002 volser: prevent AFSVolMonitor information leak
+    
+    AFSVolMonitor (vos status) does not properly initialize its output
+    buffers.  This leaks information from volserver memory:
+    
+    struct transDebugInfo
+    - up to 29 bytes in member lastProcName (30-'\0')
+    - 16 bytes in members readNext, tranmitNext, lastSendTime,
+      lastReceiveTime
+    
+    Initialize the buffers.  This must be done on a per-buffer basis inside
+    the loop, since realloc is used to expand the storage if needed,
+    and there is not a standard realloc API to zero the newly allocated storage.
+    
+    [kaduk@mit.edu: update commit message]
+    
+    (cherry picked from commit 26924fd508b21bb6145e77dc31b6cd0923193b72)
+    
+    Change-Id: Id10aa1f4d0b8694f6d85468d743c2fc2a8102339
+
+commit 28edf734db08d3a8285e89d9d78aa21db726e4c7
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Tue Jun 26 02:33:05 2018 -0400
+
+    OPENAFS-SA-2018-002 volser: prevent AFSVolPartitionInfo(64) information leak
+    
+    AFSVolPartitionInfo and AFSVolPartitionInfo64 (vos partinfo) do not
+    properly initialize their reply buffers.  This leaks the contents of
+    volserver memory over the wire:
+    
+    AFSVolPartitionInfo (struct diskPartition)
+    - up to 24 bytes in member name (32-'/vicepa\0'))
+    - up to 12 bytes in member devName (32-'/vicepa/Lock/vicepa\0'))
+    
+    AFSVolPartitionInfo64 (struct diskPartition64)
+    - up to 248 bytes in member name (256-'/vicepa\0'))
+    - up to 236 bytes in member devName (256-'/vicepa/Lock/vicepa\0')
+    
+    Initialize the output buffers.
+    
+    [kaduk@mit.edu: move memset to top-level function scope of RPC handlers]
+    
+    (cherry picked from commit 76e62c1de868c2b2e3cc56a35474e15dc4cc1551)
+    
+    Change-Id: I041b91873a38a2af40f5b0a00b70cc87634f25c8
+
+commit c8c8682bb0e84ee5289fac3063119ae524773f61
+Author: Mark Vitale <mvitale@sinenomine.net>
+Date:   Mon Jun 25 18:03:12 2018 -0400
+
+    OPENAFS-SA-2018-002 ptserver: prevent PR_IDToName information leak
+    
+    SPR_IDToName does not completely initialize the return array of names,
+    and thus leaks information from ptserver memory:
+    
+    - up to 62 bytes per requested id (PR_MAXNAMELEN 64 - 'a\0')
+    
+    Use calloc to ensure that all memory sent on the wire is initialized,
+    preventing the information leak.
+    
+    [kaduk@mit.edu: switch to calloc; update commit message]
+    
+    (cherry picked from commit 70b0136d552a0077d3fae68f3aebacd985abd522)
+    
+    Change-Id: I787fc26ecb6fa64b17f8579198793903bc4eb16d

RELNOTES-1.8.1.1

@@ -1,10 +0,0 @@
-                       User-Visible OpenAFS Changes
-
-OpenAFS 1.8.1.1
-
-  Linux Clients
-
-    * Support for mainline kernel 4.18 and distribution kernels with backports
-      from it (13268)
-
-OpenAFS 1.8.1

RELNOTES-1.8.2

@@ -0,0 +1,34 @@
+                       User-Visible OpenAFS Changes
+
+OpenAFS 1.8.2
+
+  All platforms
+
+    * Fix OPENAFS-SA-2018-002: information leakage in RPC output variables
+      Various RPC routines did not always initialize all output fields,
+      exposing memory contents to network attackers.  The relevant RPCs include
+      an AFSCB_ RPC, so cache managers are affected as well as servers.
+
+  All server platforms
+
+    * Fix OPENAFS-SA-2018-003: denial of service due to excess resource consumption
+      Various RPCs were defined as allowing unbounded arrays as input, allowing
+      an unauthenticated attacker to cause excess memory allocation and tie up
+      network bandwidth by sending (or claiming to send) large input arrays.
+
+    * Fix OPENAFS-SA-2018-001: unauthenticated volume operations via butc
+      On systems using the in-tree backup system, the butc process was running
+      with administrative credentials, but accepted incoming RPCs over
+      unauthenticated connections; these incoming RPCs in turn triggered
+      outgoing RPCs using the administrative credentials.  Unauthenticated
+      attackers could construct volue dumps containing arbitrary contents
+      and cause these dumps to be restored and overwrite arbitrary volume
+      contents; afterward, the backup database could be restored to its
+      initial state, hiding evidence of the unauthorized changes.
+
+      Running butc with -localauth now requires authenticated incoming
+      connections, and the backup utility makes authenticated connections to
+      the butc.  Audit capabilities have been added to the butc RPC handlers.
+      Command-line arguments are provided to retain the (insecure) historical
+      behavior until all systems have been upgraded.
+

openafs-1.8.1.1-doc.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e58a7a8845d05edcf253c80a63868b1d775685180e6c729338ef8bcba8bf0a92
-size 3845557

openafs-1.8.1.1-doc.tar.bz2.md5

@@ -1 +0,0 @@
-c1e98c186b97e0b10d539fc55fcc7225  openafs-1.8.1.1-doc.tar.bz2

openafs-1.8.1.1-doc.tar.bz2.sha256

@@ -1 +0,0 @@
-e58a7a8845d05edcf253c80a63868b1d775685180e6c729338ef8bcba8bf0a92  openafs-1.8.1.1-doc.tar.bz2

openafs-1.8.1.1-src.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a305a94ead2288b9c360ba72470c8c2b8cb8ca405c90764f5aae9eee979af0ec
-size 15079776

openafs-1.8.1.1-src.tar.bz2.md5

@@ -1 +0,0 @@
-d5d7af01a8c5192005c4bf7c6f8979e2  openafs-1.8.1.1-src.tar.bz2

openafs-1.8.1.1-src.tar.bz2.sha256

@@ -1 +0,0 @@
-a305a94ead2288b9c360ba72470c8c2b8cb8ca405c90764f5aae9eee979af0ec  openafs-1.8.1.1-src.tar.bz2

openafs-1.8.2-doc.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b9b6ae396952b888192bc3e70d11b13779f8af16965ea8a003cb5f98abb7c826
+size 3801937

openafs-1.8.2-doc.tar.bz2.md5

@@ -0,0 +1 @@
+3661375b0925446416c09a97c605acbf  /home/kaduk/openafs/1.8.2/openafs-1.8.2-doc.tar.bz2

openafs-1.8.2-doc.tar.bz2.sha256

@@ -0,0 +1 @@
+b9b6ae396952b888192bc3e70d11b13779f8af16965ea8a003cb5f98abb7c826  openafs-1.8.2-doc.tar.bz2

openafs-1.8.2-src.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:25fd3e4261a72a2cbdd40367e5f981895d80c32aaf309a5842aecc739dd3138e
+size 15109003

openafs-1.8.2-src.tar.bz2.md5

@@ -0,0 +1 @@
+19f97a11b13e6da51a6dac56d1c42289  /home/kaduk/openafs/1.8.2/openafs-1.8.2-src.tar.bz2

openafs-1.8.2-src.tar.bz2.sha256

@@ -0,0 +1 @@
+25fd3e4261a72a2cbdd40367e5f981895d80c32aaf309a5842aecc739dd3138e  openafs-1.8.2-src.tar.bz2

openafs.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Sep 12 10:41:43 UTC 2018 - christof.hanke@mpcdf.mpg.de
+
+- update to security-release 1.8.2
+
 -------------------------------------------------------------------
 Wed Sep 12 05:46:01 UTC 2018 - christof.hanke@mpcdf.mpg.de
 

openafs.spec

@@ -56,11 +56,11 @@
 
 # used for %setup only
 # leave upstream tar-balls untouched for integrity checks.
-%define upstream_version 1.8.1.1
+%define upstream_version 1.8.2
 
 Name:           openafs
 
-Version:        1.8.1.1
+Version:        1.8.2
 Release:        0
 Summary:        OpenAFS Distributed File System
 License:        IPL-1.0