OpenAFS Security Advisory 2013-0002 Topic: Buffer overflow in OpenAFS ptserver CVE-2013-1795 Issued: 21 Feb 2013 Last Updated: 21 Feb 2013 Affected: OpenAFS servers before version 1.6.2 An attacker can crash an OpenAFS ptserver by sending an IdToName RPC with a large payload. SUMMARY ======= The ptserver accepts a list of unbounded size from the IdToName RPC. The length of this list is then used to determine the size of a number of other internal datastructures. If the length is sufficiently large then we may hit an integer overflow when calculating the size to pass to malloc, and allocate data structures of insufficient length, allowing heap memory to be overwritten. IMPACT ====== An unauthenticated attacker can crash an OpenAFS ptserver AFFECTED SOFTWARE ================= All releases of OpenAFS prior to 1.6.2 FIXES ===== The OpenAFS project recommends that administrators upgrade to OpenAFS 1.6.2 or later. For those sites unable, or unwilling, to upgrade a patch which resolves this issue is included below. This patch should apply to both OpenAFS 1.6.1 and OpenAFS 1.4.14 The latest stable OpenAFS release is always available from http://www.openafs.org/release/latest.html This announcement, and code patches related to it, may be found on the OpenAFS security advisory page at http://www.openafs.org/security/ ACKNOWLEDGEMENTS ================ This issue was identified, and the fix provided, by Nickolai Zeldovich