Topic: Solaris grouplist modifications for PAGs can panic or overwrite memory CVE-2015-3286 Issued: 29-July-2015 Last Update: 29-July-2015 Affected: OpenAFS versions through 1.6.12 A local user joining a PAG could overflow the buffer allocated to store the group list and overwrite kernel memory. SUMMARY ======= A fixed size buffer was used to store the group list in the kernel, but beginning with Solaris 10, the kernel would allow more groups than would fit in this list. IMPACT ====== As groups are encoded as 32 bit integers, groups at the end of the group list could be pushed into arbitrary memory. Additionally, attempts to return an error could deadlock the kernel. AFFECTED SOFTWARE ================= The Solaris kernel extension in versions through 1.6.12 is vulnerable FIXES ===== The OpenAFS project recommends that administrators of fileservers upgrade to OpenAFS version 1.6.13 or newer. For those sites unable, or unwilling, to upgrade a patch which resolves this issue is available directly from: http://www.openafs.org/security/openafs-sa-2015-005.patch The latest stable OpenAFS release is always available from http://www.openafs.org/release/latest.html This announcement and code patches related to it may be found on the OpenAFS security advisory page at: http://www.openafs.org/security/ The main OpenAFS web page is at: http://www.openafs.org/