FYI. The EGI security team has found a vulnerability in the client. It's 
a trivial buffer overflow issue that is exercised when a kXR_waitresp 
message is malformed in a particular way. Discovered by the dCache guys.

    Lukasz

-------- Forwarded Message --------
Subject: Re: Vulnerability found in xrootd client software.
Date: Tue, 14 Apr 2015 16:10:18 +0200
From: Lukasz Janyst <[log in to unmask]>
To: [log in to unmask]
CC: [log in to unmask], [log in to unmask], [log in to unmask], 
[log in to unmask]

Thanks for reporting. I will fix it today and we will have a 4.1.2
release with another small fix tomorrow.

    Lukasz


On 04/14/2015 12:34 PM, [log in to unmask] wrote:
> Dear Lukasz Janyst,
>
> A vulnerability has been reported in the xrootd client software, and I
> understand you are the best contact. There has already been quite a lot
> of rapid discussion and investigation within the ticket.
>
> I have added you as Admin CC to the ticket, so you should be able to
> read it.
>
> The information can be viewed at:
> https://rt.egi.eu/rt/Ticket/Display.html?id=8464
>
> If you have difficulty viewing it, please let me know.
>
> It is currently in Risk Assessment. I think it is unlikely to be
> assessed as 'High' or 'Critical', as it is on the client side, it is
> far more likely to be assessed as 'Moderate' or 'Low', but it looks as
> though it is definitely a real vulnerability and it will need fixing.
>
> Thanks,
>
> Linda Cornwall
>
> ----------------------------------------------------------------------
>
> We will follow the approved EGI Software Vulnerability issue handling
> process which can be downloaded from:
>
> https://documents.egi.eu/public/ShowDocument?docid=717
>
> The process can be summarised as follows:-
>
> The RAT, along with the developers of the software involved,
> investigate the issue.
>
> If the issue is valid, the RAT carries out a Risk Assessment which
> involves placing the issue into one of four Risk Categories - Critical,
> High, Moderate or Low.
>
> A target date for resolution is then set according to the Risk
> category.
>
> We aim to do this within 4 working days.
>
> The information is then passed to the developers and software
> distributors who should ensure the problem is eliminated in time for
> the target date.
>
> A publicly readable advisory should be issued when the problem is
> fixed, or on the Target date, whichever is the sooner.
>
> More information can be found on the EGI Software Vulnerability Group
> Wiki at https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary
>
> Thank you,
>
> The EGI Software Vulnerability Group (SVG)
>
> ----------------------------------------------------------------------
> Dr Linda Cornwall,
> Particle Physics Department,
> STFC Rutherford Appleton Laboratory, Harwell Oxford, DIDCOT,
> OX11 OQX,
> United Kingdom
>
> E-mail  [log in to unmask]
> Tel.    +44 (0) 1235 44 6138
> Skype   linda.ann.cornwall
