Hi, Thank you for the quick reply and analysis of the problem.

On Fri, Aug 29, 2025 at 04:50:39PM -0500, Andrew Deason wrote:
> > > On 29.08.25 18:28, Jose M Calhariz wrote:
> > > > Just found out, the latest security update for Debian v11, breaks
> > > > command bos.
> > > >
> > > > Any attempt to run "bos status <server>" returns:
> > > >
> > > > bos: running unauthenticated
> > > > bos: failed to contact host's bosserver (RPC interface mismatch (-451)).
>
> I can reproduce this; it happens with 1.8.6-5+deb11u1 specifically, not
> 1.8.9-1+deb12u1. I don't think there's anything special about the target
> server; it shouldn't require any particular version.
>
> It looks like 1.8.6-5+deb11u1 doesn't have upstream commit
> 5abea9b8b1164f203fe18b5abe7d64ac8cb514eb (bos: Let xdr allocate rpc
> output strings), included in upstream 1.8.8. Without that, bos tries to
> reuse the string buffer for various rpc output arguments, which is
> prohibited by the "xdr: Prevent XDR_DECODE buffer overruns" commit,
> mentioned by Ben:
>
> On Fri, 29 Aug 2025 11:08:38 -0700
> "Benjamin Kaduk" <[email protected]> wrote:
>
> > I would be looking more closely at the xdr_string() change in src/rx/xdr.c
> > (note the commit message there specifically refers to several callsites in
> > bos.c that rely on the behavior of functions that make use of
> > xdr_string()).
> >
> > The "OPENAFS-SA-2024-003: xdr: Prevent XDR_DECODE buffer overruns" change
> > is also touching some potentially relevant code, as does
> > "OPENAFS-SA-2024-003: xdr: Ensure correct string length in xdr_string".
>

-- 
Women and elephants never forget. --Dorothy Parker
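As an added illustration of the xdr_string() behaviour change Andrew describes (a simplified hypothetical model, not OpenAFS code): the legacy decoder accepts a caller-supplied buffer whose size it cannot check, while the hardened one only decodes into memory it allocates itself, so a caller that keeps passing a reused buffer gets a failed decode instead of a possible overrun. The wire bytes, the `xdr_in` struct and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of XDR string decoding (4-byte big-endian length, body,
 * padding to a 4-byte boundary). Illustrative only, not OpenAFS code. */
struct xdr_in { const uint8_t *buf; size_t len; size_t pos; };

static int read_len(struct xdr_in *x, uint32_t maxsize, uint32_t *n) {
    if (x->len - x->pos < 4) return 0;
    *n = ((uint32_t)x->buf[x->pos] << 24) | ((uint32_t)x->buf[x->pos + 1] << 16)
       | ((uint32_t)x->buf[x->pos + 2] << 8) | x->buf[x->pos + 3];
    x->pos += 4;            /* padded body must fit in the remaining input */
    return *n <= maxsize && x->len - x->pos >= (((size_t)*n + 3) & ~(size_t)3);
}
static int copy_body(struct xdr_in *x, char *dst, uint32_t n) {
    memcpy(dst, x->buf + x->pos, n);
    dst[n] = '\0';
    x->pos += ((size_t)n + 3) & ~(size_t)3;
    return 1;
}
/* Legacy behaviour: a non-NULL *cpp is reused as the output buffer, whose real
 * size the decoder cannot know, so any wire length up to maxsize is copied in. */
int xdr_string_legacy(struct xdr_in *x, char **cpp, uint32_t maxsize) {
    uint32_t n;
    if (!read_len(x, maxsize, &n)) return 0;
    if (*cpp == NULL && (*cpp = malloc((size_t)n + 1)) == NULL) return 0;
    return copy_body(x, *cpp, n);
}
/* Hardened behaviour: decode only into memory allocated here (size known); a
 * caller-supplied buffer is refused, so such callers see a failed decode. */
int xdr_string_hardened(struct xdr_in *x, char **cpp, uint32_t maxsize) {
    uint32_t n;
    if (*cpp != NULL || !read_len(x, maxsize, &n)) return 0;
    if ((*cpp = malloc((size_t)n + 1)) == NULL) return 0;
    return copy_body(x, *cpp, n);
}
/* Constructed wire input: length 5, "hello", three padding bytes. */
static const uint8_t WIRE[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0 };

/* Decode WIRE with dec; caller_buf == NULL lets the decoder allocate.
 * Returns 1 if "hello" was decoded, 0 if the decode was refused or failed. */
int decode_hello(int (*dec)(struct xdr_in *, char **, uint32_t), char *caller_buf) {
    struct xdr_in x = { WIRE, sizeof WIRE, 0 };
    char *s = caller_buf;
    int ok = dec(&x, &s, 64) && strcmp(s, "hello") == 0;
    if (caller_buf == NULL) free(s);
    return ok;
}
```

With a reused buffer the legacy decoder succeeds and the hardened one refuses, which is the failure mode a bos built without the "let xdr allocate" change runs into.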

