March 2007.
-openafs (1.3.81-3sarge1) testing-proposed-updates; urgency=medium
+openafs (1.3.81-3sarge2) stable-security; urgency=high
+ * Non-maintainer upload by the Security Team.
+ * Apply upstream patch to disable setuid status on all cells by default.
+ Prior versions of AFS defaulted to honoring setuid bits in the local
+ cell, but since unauthenticated file access in AFS is unencrypted, an
+ attacker could forge packets from an AFS file server to synthesize a
+ setuid binary in AFS. (CVE-2007-1507, OPENAFS-SA-2007-001)
+
+ -- Noah Meyerhans <noahm@debian.org> Mon, 19 Mar 2007 15:56:43 -0400
+
+openafs (1.3.81-3sarge1) unstable; urgency=high
+
+ [ Russ Allbery ]
* libpam-openafs-kaserver: Fix compilation so that the PAM module isn't
missing symbols and therefore unusable. (Closes: #308844)
* In the init script, handle modules named either with or without the
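Review bot: the sarge1 stanza is being rewritten here (distribution testing-proposed-updates to unstable and urgency medium to high on the `-openafs (1.3.81-3sarge1) testing-proposed-updates; urgency=medium` / `+openafs (1.3.81-3sarge1) unstable; urgency=high` lines), which changes the record of an already-released version; a security NMU should only prepend the new sarge2 entry and leave the earlier stanza untouched. The sarge2 entry should also state that the new default only takes effect in a rebuilt kernel module and point at the `fs setcell -nosuid` interim step, since anyone reading only the changelog will otherwise assume the userspace upgrade alone closes CVE-2007-1507.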
--- /dev/null
+openafs (1.3.81-3sarge2) stable-security; urgency=high
+
+ As of this release of the OpenAFS kernel module, all cells, including
+ the local cell, have setuid support turned off by default due to the
+ possibility of an attacker forging AFS fileserver responses to create a
+ fake setuid binary. Prior releases enabled setuid support for the local
+ cell. Those binaries will now run with normal permissions by default.
+
+ This security fix will only take effect once you've installed a kernel
+ module from openafs-modules-source 1.4.2-6 or later. Doing so is highly
+ recommended. In the meantime, you can disable setuid support by
+ running:
+
+ fs setcell -cell <localcell> -nosuid
+
+ as root (where <localcell> is your local cell, the one listed in
+ /etc/openafs/ThisCell).
+
+ If you are certain there is no security risk of an attacker forging AFS
+ fileserver responses, you can enable setuid status selectively using the
+ fs setcell command.
+
+ -- Russ Allbery <rra@debian.org> Sun, 11 Mar 2007 22:28:07 -0700
+
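Review bot: the version named as carrying the fix, `openafs-modules-source 1.4.2-6 or later`, does not match this upload (1.3.81-3sarge2), so a sarge user cannot tell whether a module built from the sarge2 source is sufficient; name the stable version explicitly. The `fs setcell -cell <localcell> -nosuid` step should also say whether the setting persists across an openafs-client restart and, if not, where to re-apply it at boot, and the final paragraph should name the flag used to re-enable setuid for a cell (`fs setcell ... -suid`) so that re-enabling is a deliberate, per-cell decision rather than a guess at the syntax.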
# dh_installmanpages
dh_installinfo
dh_installchangelogs
+ install -m 644 debian/openafs-client.NEWS \
+ debian/$(srcpkg)/usr/share/doc/$(srcpkg)/NEWS.Debian
dh_link
dh_compress
dh_fixperms
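Review bot: the install destination uses `$(srcpkg)` while the file is `debian/openafs-client.NEWS`; if `$(srcpkg)` is the source package name rather than `openafs-client`, the NEWS.Debian file lands in the wrong package's doc directory and the openafs-client users it is written for never see it. dh_installchangelogs, run on the line just above, already installs `debian/<package>.NEWS` as `usr/share/doc/<package>/NEWS.Debian` for the matching binary package, so the explicit `install -m 644` line is probably redundant; if it is kept, use the binary package name and ensure the target directory exists before `install` runs.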
tc->vlport = AFS_VLPORT;
RWLOCK_INIT(&tc->lock, "cell lock");
newc = 1;
- if (afs_thiscell && !strcmp(acellName, afs_thiscell))
- aflags &= ~CNoSUID;
+ aflags |= CNoSUID;
}
ObtainWriteLock(&tc->lock, 688);
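Review bot: the removed `if (afs_thiscell && !strcmp(acellName, afs_thiscell))` branch was the only visible use of `afs_thiscell` in this function, so confirm the variable is still referenced elsewhere or the build will warn about an unused symbol. The new unconditional `aflags |= CNoSUID;` deserves a comment naming CVE-2007-1507 / OPENAFS-SA-2007-001 and explaining that setuid is off for every cell, the local cell included, because unauthenticated fileserver traffic is unencrypted and can be forged; without that comment a later maintainer may restore the local-cell exception. Note also that this only sets the default when the cell entry is first created (the `newc = 1` path), so an administrator who wants setuid back must set it per cell afterwards with `fs setcell`, which the NEWS entry should reference.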