Security bugs "DSA-2168-1 openafs -- several vulnerabilities"

Bug #723121 reported by Patrik Lundin
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
openafs (Ubuntu)   Fix Released   Medium       Unassigned
Lucid              Fix Released   Medium       Unassigned
Natty              Fix Released   Medium       Unassigned

Bug Description

Debian recently disclosed two security bugs (fixed) in the openafs package, http://www.debian.org/security/2011/dsa-2168.
If this is relevant to Ubuntu I guess it is of interest to check it out. I tried beforehand to verify this was not already handled but didn't find anything.


visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in openafs (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Niklas Wennerstrand (niklaswe-deactivatedaccount) wrote :

Hello,

I have made a debdiff between openafs_1.4.12.1+dfsg-4.dsc (Debian Squeeze fixed patch) and
Ubuntu Lucid openafs_1.4.12+dfsg-3.dsc.

I chose these packages because this was the last "fixed" one for Debian stable, and the reason I took Ubuntu openafs_1.4.12+dfsg-3.dsc is that I am using it on our machines.

I hope this will help

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

Niklas, thank you for preparing a debdiff, however there are several problems:
1. it is a debdiff going the wrong way (eg, it doesn't add the patches to lucid, but takes them away from squeeze)
2. the debdiff is the complete differences between lucid and squeeze. Since these versions do not share the same base + Debian version, a debdiff specific to Lucid is needed. Please see https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details.

NAK, marking Incomplete, assigning Niklas and unsubscribing ubuntu-reviewers and ubuntu-security-sponsors. Please mark this back to NEW and resubscribe ubuntu-security-sponsors after uploading an updated debdiff. Thanks!

Changed in openafs (Ubuntu):
status: Confirmed → Incomplete
assignee: nobody → Niklas Wennerstrand (niklaswe)
Changed in openafs (Ubuntu Lucid):
status: New → Incomplete
assignee: nobody → Niklas Wennerstrand (niklaswe)
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Natty is not affected.

Changed in openafs (Ubuntu Natty):
assignee: Niklas Wennerstrand (niklaswe) → nobody
status: Incomplete → Fix Released
tags: added: patch-needswork
removed: patch
Christian Biamont (christianbiamont) wrote :

Merge from debian package.
    - CVE-2011-0430: update ticket5 from heimdal. Avoids a double-free which
    basically allows an arbitrary attack against any krb5-aware Rx service by
    exploiting when the double-free occurs in asn1 payloads which came from the wire.
    - CVE-2011-0431: Use correct type of error in flock code.

Got the diff originally from Debian. I've compared the diffs of "openafs_1.4.12.1+dfsg-4.diff.gz" and "openafs_1.4.12.1+dfsg-3.diff.gz".

Tried to manually patch "openafs-1.4.12+dfsg"-source with the patch and all changes were applied successfully.
Tried to build .deb package with pbuilder and it was built without problems.
No testing other than to build the package has been performed.

This debdiff takes the CVE-related changes from the Debian package "openafs_1.4.12.1+dfsg-4" and applies them to Ubuntu's "openafs-1.4.12+dfsg".

One note: I did not succeed in setting the "XSBC-Original-Maintainer" field in debian/control. I left the maintainer field untouched. Hope this is ok with you.
---
Christian

Changed in openafs (Ubuntu Lucid):
status: Incomplete → New
Changed in openafs (Ubuntu Lucid):
status: New → Incomplete
Chris Halse Rogers (raof) wrote :

Although I'm not on the security team, I've reviewed your debdiff and there still seem to be a couple of problems, both of which can be picked up from https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
*) The first, and less important, is the version. From that table it should be 1.4.12.1+dfsg-3ubuntu0.1
*) The second is the distro target, which should be "lucid-security" rather than "lucid"

Finally, it should have the maintainer field set properly. There's a tool "update-maintainer" in the ubuntu-dev-tools package which should do this automatically for you. Did that not work?

Anders Kaseorg (andersk) wrote :

Actually the version number must be 1.4.12.1+dfsg-3+ubuntu0.1 (note the second +). This is needed for all kernel module packages that build with module-assistant, because of
https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/660360/comments/6

Jamie Strandboge (jdstrand) wrote :

In the interest of time, I have made the requested changes. Comparing with Debian, the patch looks good. I'll upload this to the security queue and publish it when it is done.

Changed in openafs (Ubuntu Lucid):
status: Incomplete → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.4.12+dfsg-3+ubuntu0.1

---------------
openafs (1.4.12+dfsg-3+ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: update ticket5 from heimdal. Avoids a double-free which
    basically allows an arbitrary attack against any krb5-aware Rx service by
    exploiting when the double-free occurs in asn1 payloads which came from
    the wire. Patch thanks to Debian.
    - CVE-2011-0430:
  * SECURITY UPDATE: Use correct type of error in flock code. Patch thanks to
    Debian.
    - CVE-2011-0431
    - LP: #723121
 -- Christian Biamont <email address hidden> Fri, 19 Aug 2011 11:06:14 +0200

Changed in openafs (Ubuntu Lucid):
status: In Progress → Fix Released