From 027714241ed38d830ec9abb09a527a473faa2c65 Mon Sep 17 00:00:00 2001
From: markeryang
Date: Thu, 5 May 2022 19:35:41 +0800
Subject: [PATCH] Fix CVE-2022-27239 and CVE-2022-29869
---
 0001-CVE-2022-27239.patch | 35 ++++++++++++++++++++++++++++++++
 0002-CVE-2022-29869.patch | 42 +++++++++++++++++++++++++++++++++++++++
 cifs-utils.spec | 8 +++++++-
 3 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 0001-CVE-2022-27239.patch
 create mode 100644 0002-CVE-2022-29869.patch
diff --git a/0001-CVE-2022-27239.patch b/0001-CVE-2022-27239.patch
new file mode 100644
index 0000000..f1e33dc
--- /dev/null
+++ b/0001-CVE-2022-27239.patch
@@ -0,0 +1,35 @@
+From 955fb147e97a6a74e1aaa65766de91e2c1479765 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux
+Date: Thu, 17 Mar 2022 12:58:52 -0400
+Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
+ parsing
+
+Previous check was true whatever the length of the input string was,
+leading to a buffer overflow in the subsequent strcpy call.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
+
+Signed-off-by: Jeffrey Bencteux
+Reviewed-by: David Disseldorp
+---
+ mount.cifs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 84274c9..3a6b449 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
+ if (!value || !*value) {
+ fprintf(stderr,
+ "target ip address argument missing\n");
+- } else if (strnlen(value, MAX_ADDRESS_LEN) <=
++ } else if (strnlen(value, MAX_ADDRESS_LEN) <
+ MAX_ADDRESS_LEN) {
+- strcpy(parsed_info->addrlist, value);
++ strlcpy(parsed_info->addrlist, value,
++ MAX_ADDRESS_LEN);
+ if (parsed_info->verboseflag)
+ fprintf(stderr,
+ "ip address %s override specified\n",
+--
\ No newline at end of file
diff --git a/0002-CVE-2022-29869.patch b/0002-CVE-2022-29869.patch
new file mode 100644
index 0000000..8ba7b90
--- /dev/null
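Review bot: In 0001-CVE-2022-27239.patch the `strlcpy` bound for the `ip` option is the constant `MAX_ADDRESS_LEN`, not the size of `parsed_info->addrlist`, so the copy is only safe while that field is at least `MAX_ADDRESS_LEN` bytes; its declaration is not visible in this hunk. Tying the bound to the destination, `strlcpy(parsed_info->addrlist, value, sizeof(parsed_info->addrlist));`, keeps the call correct if the field is ever resized and matches the `sizeof(parsed_info->domain)` form used in open_cred_file, assuming `addrlist` is an array member rather than a pointer. The corrected `strnlen(...) < MAX_ADDRESS_LEN` test already rules out truncation, so this is defence in depth rather than a second bug. The branch taken for an over-long value starts outside the hunk; it is worth confirming that it fails the mount rather than carrying on with an empty address.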
+++ b/0002-CVE-2022-29869.patch
@@ -0,0 +1,42 @@
+From 8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux
+Date: Sat, 19 Mar 2022 13:41:15 -0400
+Subject: [PATCH] mount.cifs: fix verbose messages on option parsing
+
+When verbose logging is enabled, invalid credentials file lines may be
+dumped to stderr. This may lead to information disclosure in particular
+conditions when the credentials file given is sensitive and contains '='
+signs.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
+
+Signed-off-by: Jeffrey Bencteux
+Reviewed-by: David Disseldorp
+---
+ mount.cifs.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 3a6b449..2278995 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -628,17 +628,13 @@ static int open_cred_file(char *file_name,
+ goto return_i;
+ break;
+ case CRED_DOM:
+- if (parsed_info->verboseflag)
+- fprintf(stderr, "domain=%s\n",
+- temp_val);
+ strlcpy(parsed_info->domain, temp_val,
+ sizeof(parsed_info->domain));
+ break;
+ case CRED_UNPARSEABLE:
+ if (parsed_info->verboseflag)
+ fprintf(stderr, "Credential formatted "
+- "incorrectly: %s\n",
+- temp_val ? temp_val : "(null)");
++ "incorrectly\n");
+ break;
+ }
+ }
+--
\ No newline at end of file
diff --git a/cifs-utils.spec b/cifs-utils.spec
index 6712747..f80e9d8 100644
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@@ -1,6 +1,6 @@
 Name: cifs-utils
 Version: 6.14
-Release: 2
+Release: 3
 Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem
 License: GPLv3+
 URL: http://linux-cifs.samba.org/cifs-utils/
@@ -12,6 +12,9 @@ Provides: pam_cifscreds Obsoletes: pam_cifscreds Requires: keyutils +Patch1: 0001-CVE-2022-27239.patch +Patch2: 0002-CVE-2022-29869.patch + %description The in-kernel CIFS filesystem is generally the preferred method for mounting SMB/CIFS shares on Linux.
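Review bot: The `CRED_UNPARSEABLE` branch in 0002-CVE-2022-29869.patch now prints a fixed message, but nothing in the code records why the value is withheld, so a later change could reintroduce the echo. A short comment above the `fprintf` would pin the intent, e.g. `/* do not echo temp_val: a mis-specified credentials file may be any sensitive file */`. The same applies to `CRED_DOM`, where the verbose `domain=%s` print was dropped. The other cases of the switch start outside the hunk (only the tail of the previous case is visible); any remaining verbose output of `temp_val` there should be checked against the same rule.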
@@ -75,6 +78,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir} %{_mandir}/man8/* %changelog +* Thu May 5 2022 yanglongkang - 6.14-3 +- Fix CVE-2022-27239 and CVE-2022-29869 + * Sat Jan 8 2022 yanglongkang - 6.14-2 - delete BuildRequires python3-samba -- Gitee