FYI. The EGI security team has found a vulnerability in the client. It's a trivial buffer overflow issue that is exercised when a kXR_waitresp message is malformed in a particular way. Discovered by the dCache guys.

Lukasz

-------- Forwarded Message --------
Subject: Re: Vulnerability found in xrootd client software.
Date: Tue, 14 Apr 2015 16:10:18 +0200
From: Lukasz Janyst <[log in to unmask]>
To: [log in to unmask]
CC: [log in to unmask], [log in to unmask], [log in to unmask], [log in to unmask]

Thanks for reporting. I will fix it today and we will have a 4.1.2 release with another small fix tomorrow.

Lukasz

> On 04/14/2015 12:34 PM, [log in to unmask] wrote:
>> Dear Lukasz Janyst,
>>
>> A vulnerability has been reported in the xrootd client software, and I understand you are the best contact. There has already been quite a lot of rapid discussion and investigation within the ticket.
>>
>> I have added you as Admin CC to the ticket, so you should be able to read it.
>>
>> The information can be viewed at:
>> https://rt.egi.eu/rt/Ticket/Display.html?id=8464
>>
>> If you have difficulty viewing it, please let me know.
>>
>> It is currently in Risk Assessment. I think it is unlikely to be assessed as 'High' or 'Critical', as it is on the client side; it is far more likely to be assessed as 'Moderate' or 'Low', but it looks as though it is definitely a real vulnerability and it will need fixing.
>>
>> Thanks,
>>
>> Linda Cornwall
>>
>> ------------------------------------------------------------------------
>>
>> We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from:
>>
>> https://documents.egi.eu/public/ShowDocument?docid=717
>>
>> The process can be summarised as follows:-
>>
>> The RAT, along with the developers of the software involved, investigate the issue.
>>
>> If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue into one of four Risk Categories - Critical, High, Moderate or Low.
>>
>> A target date for resolution is then set according to the Risk category.
>>
>> We aim to do this within 4 working days.
>>
>> The information is then passed to the developers and software distributors who should ensure the problem is eliminated in time for the target date.
>>
>> A publicly readable advisory should be issued when the problem is fixed, or on the Target date, whichever is the sooner.
>>
>> More information can be found on the EGI Software Vulnerability Group Wiki at
>> https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary
>>
>> Thank you,
>>
>> The EGI Software Vulnerability Group (SVG)
>>
>> ------------------------------------------------------------------------
>> Dr Linda Cornwall,
>> Particle Physics Department,
>> STFC Rutherford Appleton Laboratory, Harwell Oxford, DIDCOT,
>> OX11 OQX,
>> United Kingdom
>>
>> E-mail [log in to unmask]
>> Tel. +44 (0) 1235 44 6138
>> Skype linda.ann.cornwall