| Summary: | openafs new security issues CVE-2016-2860 and CVE-2016-4536 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tarazed25, tmb, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/680601/ | ||
| Whiteboard: | has_procedure mga5-32-ok MGA5-64-OK advisory | ||
| Source RPM: | openafs-1.6.15-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2016-03-18 17:54:18 CET
Test procedure: https://wiki.mageia.org/en/Installing_OpenAFS_Client

Whiteboard: (none) => has_procedure

also remember to test that dkms-libafs builds against kernel-4.4.6 in testing

CC: (none) => tmb

In VirtualBox, M5, KDE, 32-bit

Package(s) under test: openafs dkms-libafs

default install of kernel-desktop586-latest, kernel-desktop586-devel-latest openafs & dkms-libafs

[root@localhost wilcal]# uname -a
Linux localhost 4.1.15-desktop586-2.mga5 #1 SMP Wed Jan 20 17:06:34 UTC 2016 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop586-latest
Package kernel-desktop586-latest-4.1.15-2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kernel-desktop586-devel-latest
Package kernel-desktop586-devel-latest-4.1.15-2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openafs
Package openafs-1.6.15-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi dkms-libafs
Package dkms-libafs-1.6.15-1.mga5.noarch is already installed

System compiles and boots to a working desktop. Common apps work. Screen dimensions are correct.

install kernel-desktop586-latest, kernel-desktop586-devel-latest openafs & dkms-libafs from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 4.4.6-desktop586-1.mga5 #1 SMP Wed Mar 16 20:11:36 UTC 2016 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop586-latest
Package kernel-desktop586-latest-4.4.6-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kernel-desktop586-devel-latest
Package kernel-desktop586-devel-latest-4.4.6-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openafs
Package openafs-1.6.17-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi dkms-libafs
Package dkms-libafs-1.6.17-1.mga5.noarch is already installed

System compiles and boots to a working desktop. Common apps work. Screen dimensions are correct.

CC: (none) => wilcal.int

In VirtualBox, M5, KDE, 64-bit

Package(s) under test: openafs dkms-libafs

default install of kernel-desktop-latest, kernel-desktop-devel-latest, openafs & dkms-libafs

[root@localhost wilcal]# uname -a
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:05:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.1.15-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.1.15-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openafs
Package openafs-1.6.15-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-libafs
Package dkms-libafs-1.6.15-1.mga5.noarch is already installed

System compiles and boots to a working desktop. Common apps work. Screen dimensions are correct.

install kernel-desktop-latest, kernel-desktop-devel-latest, openafs & dkms-libafs from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 4.4.6-desktop-1.mga5 #1 SMP Wed Mar 16 20:11:06 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.6-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.4.6-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openafs
Package openafs-1.6.17-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-libafs
Package dkms-libafs-1.6.17-1.mga5.noarch is already installed

System compiles and boots to a working desktop. Common apps work. Screen dimensions are correct.

x86_64 4.4.6-desktop-1.mga5
Installed the packages before update then installed the new packages from update testing. Ran through the setup instructions but could not start the client server. The messages indicated that there was no libafs module to load.
Uninstalled dkms-libafs and reinstalled "manually" and watched dkms fail:
Building module:
cleaning build area....(bad exit status: 2)
SMP=SP; eval `grep CONFIG_SMP /boot/config-4.4.6-desktop-1.mga5`; [ -n "$CONFIG_SMP" ] && SMP=MP; ./configure --with-linux-kernel-headers=/lib/modules/4.4.6-desktop-1.mga5/build; make MPS=$SMP; mv src/libafs/MODLOAD-*/libafs.ko ...................................(bad exit status: 1)
Error! Bad return status for module build on kernel: 4.4.6-desktop-1.mga5 (x86_64)
Consult the make.log in the build directory
/var/lib/dkms/libafs/1.6.17-1.mga5/build/ for more information.
Error! Could not locate libafs.ko.xz for module libafs in the DKMS tree.
You must run a dkms build for kernel 4.4.6-desktop-1.mga5 (x86_64) first.
warning: %post(dkms-libafs-1.6.17-1.mga5.noarch) scriptlet failed, exit status 4
ERROR: 'script' failed for dkms-libafs-1.6.17-1.mga5
2/2: openafs #############################################
DKMS make.log for libafs-1.6.17-1.mga5 for kernel 4.4.6-desktop-1.mga5 (x86_64)
Sun 20 Mar 17:50:22 GMT 2016
mv: cannot stat 'src/libafs/MODLOAD-*/libafs.ko': No such file or directory
Tried the reinstallation twice and it failed the same way for both.
Help!

CC: (none) => tarazed25

And surely the dkms build of the kernel is done automatically when the kernel is installed?
Check you have kernel-*-devel-latest installed for the new kernel Len.

Yes. That's what puzzles me. I had performed all the checks as outlined in the test procedure and found that everything matched up.
/boot/config-4.4.6-desktop-1.mga5 is there and looks OK to me.
And there is no libafs.ko in /var/lib/dkms/libafs/1.6.17-1.mga5/build/src/libafs/MODLOAD-4.4.6-desktop-1.mga5-MP.
I think the ./configure command is referring to the Makefile in /lib/modules/4.4.6-desktop-1.mga5/build and that this is passed on to make in the next step. So the module is failing to build at that stage.
All the links and paths I have traced are in line with 4.4.6-1.
So what I would like to do is ".... run a dkms build for kernel 4.4.6-desktop-1.mga5 (x86_64)" again, manually, but don't know how to do that.

I can't really do much until I'm home again but check with
# dkms status
You sometimes find with kernel modules that installing/removing kernels during testing doesn't remove them in the correct sequence and affects builds on the next update.
See bug 10771

# dkms status
libafs, 1.6.17-1.mga5: added
virtualbox, 5.0.16-1.mga5, 4.4.5-desktop-1.mga5, x86_64: installed
virtualbox, 5.0.16-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
virtualbox, 5.0.16-1.mga5, 4.1.15-tmb-desktop-2.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.1.15-2.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.4.4-desktop-1.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.4.5-desktop-1.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.1.15-desktop-2.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.1.15-tmb-desktop-2.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.1.15-2.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.4.5-desktop-1.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.1.15-desktop-2.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.1.15-tmb-desktop-2.mga5, x86_64: installed
There were a lot more entries.
Should I for a start just remove some of the older kernels? Not likely to be used again.

Started removing old kernel modules manually. At some stage there was a prompt about removing orphaned packages which I agreed to and that removed 141 old packages.
Removed openafs and reinstalled it and it still fell over at the dkms build stage.
Error! Could not locate libafs.ko.xz for module libafs in the DKMS tree.
You must run a dkms build for kernel 4.4.6-desktop-1.mga5 (x86_64) first.
warning: %post(dkms-libafs-1.6.17-1.mga5.noarch) scriptlet failed, exit status 4
ERROR: 'script' failed for dkms-libafs-1.6.17-1.mga5
Not much choice but to remove the running kernel and reinstall it.
The system is broken in other ways. There are no nvidia tools installed for instance.

Spring-cleaned the system and discovered that the nvidia driver had not been running, probably for some time. nouveau had slipped in somehow.
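The whiteboard asks testers to confirm that dkms-libafs actually builds against the new kernel, and the exchange above shows why: the userland openafs packages installed fine while the libafs module stayed at "added" in `dkms status`, so no module carrying the fix existed for 4.4.6-desktop-1.mga5. The script below is an added example, not code from this bug report, Mageia or the DKMS project. It parses the `dkms status` line format seen above ("module, version[, kernel, arch]: state") and reports, per module and kernel, whether the module is really installed, only registered ("added"), or built for other kernels but not this one. The status text is constructed from the entries Len posted; on a live host replace it with the output of `dkms status` and use `uname -r` for the kernel.

```shell
#!/bin/sh
# Added example: check that a DKMS module is installed for a given kernel.
# SAMPLE_STATUS is constructed from the dkms status lines in the bug report;
# on a real system use: SAMPLE_STATUS=$(dkms status)
SAMPLE_STATUS='libafs, 1.6.17-1.mga5: added
virtualbox, 5.0.16-1.mga5, 4.4.5-desktop-1.mga5, x86_64: installed
virtualbox, 5.0.16-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed'

# dkms_state STATUS MODULE VERSION KERNEL
# Prints the state word for that exact kernel ("installed", "built", ...),
# "added" when only the source tree is registered and nothing was ever built,
# "not-built" when the module exists for other kernels but not this one,
# and "absent" when the module/version does not appear at all.
dkms_state() {
    printf '%s\n' "$1" | awk -v m="$2" -v v="$3" -v k="$4" '
        BEGIN { FS = ": "; st = "absent"; seen = 0 }
        {
            n = split($1, f, ", ")
            if (f[1] != m || f[2] != v) next
            seen = 1
            split($2, s, " ")                      # drop trailing "(warning ...)" text
            if (n >= 3 && f[3] == k) { st = s[1]; exit }
            if (n == 2) st = s[1]                  # "module, version: added"
        }
        END { if (st == "absent" && seen) st = "not-built"; print st }'
}

# dkms_ready STATUS MODULE VERSION KERNEL
# Returns 0 only when the module is installed for that kernel; otherwise
# prints the state and the dkms commands that would build and install it.
dkms_ready() {
    st=$(dkms_state "$1" "$2" "$3" "$4")
    if [ "$st" = installed ]; then
        return 0
    fi
    echo "$2 $3 for kernel $4: $st (expected: installed)" >&2
    echo "  dkms build   -m $2 -v $3 -k $4" >&2
    echo "  dkms install -m $2 -v $3 -k $4" >&2
    return 1
}

kernel=4.4.6-desktop-1.mga5          # on a live system: kernel=$(uname -r)
for spec in libafs:1.6.17-1.mga5 virtualbox:5.0.16-1.mga5; do
    mod=${spec%%:*}; ver=${spec#*:}
    if dkms_ready "$SAMPLE_STATUS" "$mod" "$ver" "$kernel"; then
        echo "$mod $ver: installed for $kernel"
    fi
done
```

Run it after every kernel or dkms-* package update, once per installed kernel: an "added" or "not-built" result means the update is only half applied, and `modinfo libafs` on the running kernel will show either no module or whatever version was last built.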
Reverted to kernel 4.1.15-desktop-2 and reinstalled openafs. The libafs module rebuilt cleanly. Ran the update and again openafs installed properly. About to run through the test procedure.

The tests ran OK, more or less. The report is a bit lengthy....
Having already installed the components and started the setup earlier some parts of the sequence could be skipped but I did find a couple of package mismatches and repaired them.
# [ ! -d /afs/ ] && mkdir /afs/ || echo "/afs/ already exists"
/afs/ already exists
Defined cachesize in /etc/sysconfig/openafs:
# cat openafs
# OpenAFS Client Configuration
AFSD_ARGS="-dynroot -fakestat -afsdb"
# OpenAFS Server Configuration
BOSSERVER_ARGS=
CACHESIZE=512000
Ran these commands to add -nosettime to default afsd parameters:
# f=/etc/sysconfig/openafs
# sed < ${f} -e s/^AFSD_ARGS=/#AFSD_ARGS=/ -e s/^$/AFSD_ARGS="-dynroot -fakestat -afsdb -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime"/ > ${f}+
# mv -f ${f} /tmp/ && mv ${f}+ ${f}
# modprobe libafs && echo AFS kernel module loaded || echo Failed to load libafs
AFS kernel module loaded
Start AFS client cache manager:
# systemctl start openafs-client.service
# systemctl status openafs-client.service
● openafs-client.service - OpenAFS Client Service
Loaded: loaded (/usr/lib/systemd/system/openafs-client.service; enabled)
Active: active (running) since Tue 2016-03-22 13:49:57 GMT; 12s ago
Process: 10043 ExecStart=/sbin/afsd $AFSD_ARGS (code=exited, status=0/SUCCESS)
Process: 10034 ExecStartPre=/sbin/modprobe libafs (code=exited, status=0/SUCCESS)
Process: 10032 ExecStartPre=/bin/chmod 0644 /etc/openafs/CellServDB (code=exited, status=0/SUCCESS)
Process: 10030 ExecStartPre=/bin/sed -n w/etc/openafs/CellServDB /etc/openafs/CellServDB.local /etc/openafs/CellServDB.dist (code=exited, status=0/SUCCESS)
Main PID: 10051 (afsd)
CGroup: /system.slice/openafs-client.service
└─10051 /sbin/afsd -dynroot -fakestat -afsdb -stat 2000 -dcache 80...
Mar 22 13:49:57 vega afsd[10043]: afsd: All AFS daemons started.
Mar 22 13:49:57 vega afsd[10043]: afsd: All AFS daemons started.
So far so good....
# df /afs/
Filesystem Size Used Avail Use% Mounted on
AFS 2.0T 0 2.0T 0% /afs
I guess that must be cloud storage?
Installed krb5-workstation-1.12.2-8.3.mga5
And this is where I got stuck -> "Edit /etc/krb5.conf and define for your Kerberos realm"
Know nothing about kerberos realms (?).
The rest of the test is to do with openafs in action. All I can do is confirm that it all installs and starts up OK.
Back in userland here - i.e. not root.
Although, there was a response to the nl command.
$ nl /afs/grand.central.org/service/CellServDB | head -30
viz. a numbered listing of subscribers.
$ wc -l /afs/grand.central.org/service/CellServDB
667 /afs/grand.central.org/service/CellServDB
$ cd /afs/grand.central.org/
[lcl@vega grand.central.org]$ ls -l
total 18
drwxrwxrwx 3 root root 2048 Jun 2 2009 archive
drwxrwxrwx 2 root root 2048 May 6 2006 cvs
drwxrwxrwx 3 root root 2048 Mar 21 2003 doc
drwxrwxrwx 7 root root 2048 May 7 2006 local
drwxrwxrwx 2 root root 2048 Dec 11 2014 project
drwxrwxrwx 5 root root 2048 Jan 30 2007 service
drwxrwxrwx 2 root root 2048 Dec 31 2008 software
drwxrwxrwx 2 root root 2048 Aug 24 2007 user
drwxrwxrwx 2 root root 2048 Oct 5 2012 www
Check access control rights for directory service:
$ fs listacl service
Access list for service is
Normal rights:
system:administrators rlidwka
system:anyuser rl
Calling it a day and setting OK for 64-bits.
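The wiki step quoted in the report above enables the extra afsd parameters with a sed pair whose second expression, `s/^$/AFSD_ARGS=.../`, inserts the new setting by rewriting every empty line of /etc/sysconfig/openafs. That works only when the file has exactly one blank line: with none, afsd starts with no arguments at all; with several, the file ends up with duplicate AFSD_ARGS lines and systemd uses whichever wins. The following is an added example, not part of the wiki procedure, the bug report or the OpenAFS project: it reproduces the wiki substitution on a constructed copy of the configuration shown above (with a blank line after each section, an assumed layout) and contrasts it with an edit that comments out the old value and appends exactly one quoted line.

```shell
#!/bin/sh
# Added example: safe replacement of AFSD_ARGS in an OpenAFS sysconfig file.
# Nothing here touches /etc; every function takes the file path as argument.

# Constructed sample: the config from the report plus a blank line after each
# section (assumed layout, chosen to show the blank-line substitution effect).
write_sample_config() {
    cat > "$1" <<'EOF'
# OpenAFS Client Configuration
AFSD_ARGS="-dynroot -fakestat -afsdb"

# OpenAFS Server Configuration
BOSSERVER_ARGS=

CACHESIZE=512000
EOF
}

NEW_ARGS='-dynroot -fakestat -afsdb -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime'

# wiki_style_edit FILE: the two substitutions from the wiki procedure (the
# replacement value kept double-quoted); every empty line becomes AFSD_ARGS=.
wiki_style_edit() {
    f=$1
    sed < "$f" -e 's/^AFSD_ARGS=/#AFSD_ARGS=/' \
        -e "s/^\$/AFSD_ARGS=\"$NEW_ARGS\"/" > "$f+" && mv -f "$f+" "$f"
}

# set_afsd_args FILE ARGS: comment out every active AFSD_ARGS line and append
# exactly one, double-quoted, leaving blank lines alone.
set_afsd_args() {
    f=$1; args=$2; tmp="$f.new.$$"
    sed -e 's/^AFSD_ARGS=/#AFSD_ARGS=/' "$f" > "$tmp" || return 1
    printf 'AFSD_ARGS="%s"\n' "$args" >> "$tmp"
    mv -f "$tmp" "$f"
}

# active_afsd_lines FILE: number of uncommented AFSD_ARGS= lines.
active_afsd_lines() {
    grep -c '^AFSD_ARGS=' "$1" || true
}

# get_afsd_args FILE: value of the last active, quoted AFSD_ARGS line.
get_afsd_args() {
    sed -n 's/^AFSD_ARGS="\(.*\)"$/\1/p' "$1" | tail -n 1
}

demo=$(mktemp)
write_sample_config "$demo"
wiki_style_edit "$demo"
echo "wiki-style edit: $(active_afsd_lines "$demo") active AFSD_ARGS line(s)"   # 2
write_sample_config "$demo"
set_afsd_args "$demo" "$NEW_ARGS"
echo "set_afsd_args:   $(active_afsd_lines "$demo") active AFSD_ARGS line(s)"   # 1
echo "afsd will get:   $(get_afsd_args "$demo")"
rm -f "$demo"
```

After either edit, `systemctl status openafs-client.service` shows the arguments afsd was actually started with (as in the report above); compare them with `get_afsd_args /etc/sysconfig/openafs` before signing off a test.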
Len Lawrence
2016-03-22 15:39:03 CET
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Validating. Advisory todo.

Keywords: (none) => validated_update

Dave Hodgins
2016-03-25 06:27:49 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0121.html

Status: NEW => RESOLVED

(In reply to David Walser from comment #0)
> http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt

CVE request: http://openwall.com/lists/oss-security/2016/05/05/17

(In reply to David Walser from comment #17)
> (In reply to David Walser from comment #0)
> > http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt
>
> CVE request:
> http://openwall.com/lists/oss-security/2016/05/05/17

CVE-2016-4536: http://openwall.com/lists/oss-security/2016/05/05/23

Summary: openafs new security issue CVE-2016-2860 => openafs new security issues CVE-2016-2860 and CVE-2016-4536

CVE-2015-8312 was also fixed in this update: http://lwn.net/Vulnerabilities/689249/