Bug 1155396 (CVE-2019-18603) - VUL-0: CVE-2019-18603: openafs: information leakage upon certain error conditions
Summary: VUL-0: CVE-2019-18603: openafs: information leakage upon certain error condit...
Status: RESOLVED FIXED
Alias: CVE-2019-18603
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem (show other bugs)
Version: Leap 15.1
Hardware: Other Other
: P3 - Medium : Minor (vote)
Target Milestone: ---
Assignee: Christof Hanke
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/246032/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-30 07:07 UTC by Alexander Bergmann
Modified: 2019-12-09 07:43 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-10-30 07:07:01 UTC 
CVE-2019-18603

OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to information leakage
upon certain error conditions because uninitialized RPC output variables are
sent over the network to a peer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18603
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18603.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18603
https://openafs.org/pages/security/OPENAFS-SA-2019-001.txt
Comment 1 Christof Hanke 2019-11-04 13:51:41 UTC 
The upstream security-fixed version is already accepted in openSUSE:Factory.
Somehow I can't figure out how to get that into LEAP 15.1
Normal submission tells me to use the maintenance workflow 
and this one says:

hanke@dijon:/srv/OBS/home:hauky:branches:OBS_Maintained:openafs/openafs.openSUSE_Leap_15.1_Update> osc maintenancerequest  --incident=1155396  openSUSE:Factory openafs openSUSE:Leap:15.1:Update
Using target project 'openSUSE:Maintenance:1155396'
Server returned an error: HTTP Error 404: Not Found
openSUSE:Maintenance:1155396

So, what to do ?
This would also address Bugs #1155395 and 1155394
Comment 2 Christof Hanke 2019-11-13 07:36:32 UTC 
This is a bit daft. 
I tried to push it to LEAP 15.1, failed and asked for a help.
After getting no help for a week, I untook this ticket just to get it back ??

Same applies to tickets  1155395 and  1155394.
Comment 3 Marcus Meissner 2019-11-13 16:32:55 UTC 
can you just run "osc sr" in this home:hauky:branches:OBS_Maintained:openafs/openafs.openSUSE_Leap_15.1_Update

directory?

It should do the right thing.
Comment 4 Christof Hanke 2019-11-14 01:25:45 UTC 
Nope, this fails with:
"""

leaper wrote about 1 hour ago

home:hauky:branches:OBS_Maintained:openafs/openafs.openSUSE_Leap_15.1_Update@8866294ee88d8c6ff4549c763e138157 -> openSUSE:Leap:15.1:Update/openafs

expected origin is 'openSUSE:Factory' (changed)
"""


See https://build.opensuse.org/request/show/748508
Comment 5 Christof Hanke 2019-11-14 01:35:17 UTC 
Sorry, my bad...
https://build.opensuse.org/request/show/748510

seems to work.
Comment 6 Christof Hanke 2019-12-09 07:43:50 UTC 
Maitenance request to upgrade to openafs-1.8.5 for Leap 15.1 accepted
https://build.opensuse.org/request/show/748510