Debians sikkerhedsbulletin

DSA-1271-1 openafs -- designfejl

Rapporteret den:
20. mar 2007
Berørte pakker:
openafs
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Mitres CVE-ordbog: CVE-2007-1507.
Yderligere oplysninger:

En designfejl er fundet i OpenAFS, et distribueret filsystem der virker på tværs af platforme, og som er indeholdt i Debian.

OpenAFS har af historiske grunde aktiveret setuid-filesystemsunderstøttelse i den lokale celle. Men med dens eksisterende protokol, kan OpenAFS kun anvende kryptering, og derfor integritetsbeskyttelse, hvis brugeren er autentificeret. Uautentificeret adgang medfører ikke integritetsbeskyttelse. Det praktiske resultat heraf er, at det var muligt for en angriber med viden om AFS at fremstille et AFS FetchStatus-kald og lade en binær fil vise sig for en AFS-klient som værende setuid. Hvis angriberen dernæst kunne sørge for at filen blev kørt, ville vedkommende kunne opnå rettighedsforøgelse.

OpenAFS 1.3.81-3sarge2 ændrer standardvirkemåden til at deaktivere setuid-filer globalt, deriblandt den lokale celle. Det er vigtigt at bemærke, at denne ændring vil træde i kraft før AFS-kernemodulet, bygget fra pakken openafs-modules-source, er blevet genopbygget og indlæst i din kerne. Som en midlertidig løsning, indtil kernemodulet kan genindlæses, kan setuid-understøttelse manuelt slås fra i den lokale celle ved at køre følgende kommando som root

fs setcell -cell <localcell> -nosuid

Efter anvendelse af denne opdatering, hvis du er sikker på at der ikke er en sikkerhedsrisiko ved at en angriber forfalske AFS-filserversvar, kan den genaktivere setuid-status selektivt med følgende kommando, men det bør ikke gøre på maskiner der er synlige på internettet

fs setcell -cell <localcell> -suid

I den stabile distribution (sarge), er dette problem rettet i version 1.3.81-3sarge2.

I den ustabile distribution (sid) og den kommende stabile distribution (etch), vil dette problem blive rettet i version 1.4.2-6.

Vi anbefaler at du opgraderer din openafs-pakke.

Rettet i:

Debian GNU/Linux 3.1 (stable)

Kildekode:
http://security.debian.org/pool/updates/main/o/openafs/openafs_1.3.81-3sarge2.dsc
http://security.debian.org/pool/updates/main/o/openafs/openafs_1.3.81-3sarge2.diff.gz
http://security.debian.org/pool/updates/main/o/openafs/openafs_1.3.81.orig.tar.gz
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/o/openafs/openafs-modules-source_1.3.81-3sarge2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_alpha.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_alpha.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_alpha.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_alpha.deb
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_alpha.deb
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_amd64.deb
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_amd64.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_amd64.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_amd64.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_amd64.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_amd64.deb
HP Precision:
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_hppa.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_hppa.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_hppa.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_hppa.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_hppa.deb
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_i386.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_i386.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_i386.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_i386.deb
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_i386.deb
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_ia64.deb
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_ia64.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_ia64.deb
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_ia64.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_ia64.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_ia64.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_s390.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_s390.deb
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_s390.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_s390.deb
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_s390.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_sparc.deb
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_sparc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_sparc.deb
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_sparc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_sparc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.