diff --git a/0000-Add-missing-position-handling-to-mount-parameters-gi.patch b/0000-Add-missing-position-handling-to-mount-parameters-gi.patch new file mode 100644 index 0000000000000000000000000000000000000000..58aebfe3f03c13220161cd0f9d820dd9e40abe07 --- /dev/null +++ b/0000-Add-missing-position-handling-to-mount-parameters-gi.patch @@ -0,0 +1,51 @@ +From 8f46aaadffde42ef0c89e97c0443ee7944708d94 Mon Sep 17 00:00:00 2001 +From: Simon Arlott +Date: Thu, 26 Nov 2020 00:28:08 +0000 +Subject: [PATCH] Add missing position handling to mount parameters + gid/backup_gid/snapshot + +The code tries to optimise for the last parameter not needing to update +the position which means that every time a new one is added to the end +by copying and pasting, the string position is not updated. + +That makes it impossible to use backup_uid=/backup_gid=/snapshot= after +gid= or snapshot= after backup_gid= because part of the string is +overwritten and contains invalid keys like "gbackup_uid". + +Prepare for the next parameter to be added on the end by updating the +position for snapshot= even though it will be unused. +--- + mount.cifs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/mount.cifs.c b/mount.cifs.c +index 2474e98..ff07232 100644 +--- a/mount.cifs.c ++++ b/mount.cifs.c +@@ -1245,6 +1245,7 @@ nocopy: + out_len++; + } + snprintf(out + out_len, word_len + 5, "gid=%s", txtbuf); ++ out_len = strlen(out); + } + if (got_bkupuid) { + word_len = snprintf(txtbuf, sizeof(txtbuf), "%u", bkupuid); +@@ -1276,6 +1277,7 @@ nocopy: + out_len++; + } + snprintf(out + out_len, word_len + 11, "backupgid=%s", txtbuf); ++ out_len = strlen(out); + } + if (got_snapshot) { + word_len = snprintf(txtbuf, sizeof(txtbuf), "%llu", snapshot); +@@ -1291,6 +1293,7 @@ nocopy: + out_len++; + } + snprintf(out + out_len, word_len + 11, "snapshot=%s", txtbuf); ++ out_len = strlen(out); + } + + return 0; +-- +2.33.0 + diff --git a/0003-cifs-utils-fix-probabilistic-compiling-error.patch b/0003-cifs-utils-fix-probabilistic-compiling-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..eb92a65d37e37d2ec9b4ab9da45a060f40068641 --- /dev/null +++ b/0003-cifs-utils-fix-probabilistic-compiling-error.patch @@ -0,0 +1,44 @@ +From aeaa786aceb0ea781ded2c151fb68f6b34880ad4 Mon Sep 17 00:00:00 2001 +From: lizhe +Date: Tue, 26 May 2020 11:54:11 +0800 +Subject: [PATCH] cifs-utils: fix probabilistic compiling error + +When we compile cifs-utils, we may probabilistic +encounter install error like: +cd ***/sbin && ln -sf mount.cifs mount.smb3 +***/sbin: No such file or directory + +The reason of this problem is that if we compile +cifs-utils using multithreading, target +'install-sbinPROGRAMS' may be built after +target 'install-exec-hook' of the main Makefile. +Target 'install-sbinPROGRAMS' will copy the +executable file 'mount.cifs' to the $(ROOTSBINDIR), +which target 'install-exec-hook' will do the +'ln' command on. + +This patch add the dependency of target +'install-exec-hook' to ensure the correct order +of the compiling. + +Signed-off-by: lizhe +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index a95782d..8a17e73 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -117,7 +117,7 @@ endif + + SUBDIRS = contrib + +-install-exec-hook: ++install-exec-hook: install-sbinPROGRAMS + (cd $(ROOTSBINDIR) && ln -sf mount.cifs mount.smb3) + + install-data-hook: +-- +2.33.0 + diff --git a/0004-mount.cifs-fix-max-buffer-size-when-parsing-snapshot.patch b/0004-mount.cifs-fix-max-buffer-size-when-parsing-snapshot.patch new file mode 100644 index 0000000000000000000000000000000000000000..269a6dac7c077377d96066765cf83720151db37a --- /dev/null +++ b/0004-mount.cifs-fix-max-buffer-size-when-parsing-snapshot.patch @@ -0,0 +1,26 @@ +From 7156c6eca0fcf3d4a2fd2f8677b2622475c5c46e Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Wed, 9 Dec 2020 11:29:40 -0800 +Subject: [PATCH] mount.cifs: fix max buffer size when parsing snapshot option + +Signed-off-by: Pavel Shilovsky +--- + mount.cifs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mount.cifs.c b/mount.cifs.c +index ff07232..7c949cf 100644 +--- a/mount.cifs.c ++++ b/mount.cifs.c +@@ -1292,7 +1292,7 @@ nocopy: + strlcat(out, ",", MAX_OPTIONS_LEN); + out_len++; + } +- snprintf(out + out_len, word_len + 11, "snapshot=%s", txtbuf); ++ snprintf(out + out_len, word_len + 10, "snapshot=%s", txtbuf); + out_len = strlen(out); + } + +-- +2.33.0 + diff --git a/1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch b/0005-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch similarity index 100% rename from 1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch rename to 0005-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch diff --git a/1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch b/0006-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch similarity index 100% rename from 1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch rename to 0006-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch diff --git a/0004-CVE-2022-27239.patch b/0007-CVE-2022-27239.patch similarity index 100% rename from 0004-CVE-2022-27239.patch rename to 0007-CVE-2022-27239.patch diff --git a/0005-CVE-2022-29869.patch b/0008-CVE-2022-29869.patch similarity index 100% rename from 0005-CVE-2022-29869.patch rename to 0008-CVE-2022-29869.patch diff --git a/0009-mount.cifs-fix-crash-when-mount-point-does-not-exist.patch b/0009-mount.cifs-fix-crash-when-mount-point-does-not-exist.patch new file mode 100644 index 0000000000000000000000000000000000000000..a73b28ac564398a1166fab1ff3adc75fb9b58c67 --- /dev/null +++ b/0009-mount.cifs-fix-crash-when-mount-point-does-not-exist.patch @@ -0,0 +1,65 @@ +From 9ad46fc480818e48868ba841a8a1eed9a74e7294 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Thu, 6 May 2021 16:25:13 -0300 +Subject: [PATCH] mount.cifs: fix crash when mount point does not exist + +@mountpointp is initially set to a statically allocated string in +main(), and if we fail to update it in acquire_mountpoint(), make sure +to set it to NULL and avoid freeing it at mount_exit. + +This fixes the following crash + + $ mount.cifs //srv/share /mnt/foo/bar -o ... + Couldn't chdir to /mnt/foo/bar: No such file or directory + munmap_chunk(): invalid pointer + Aborted + +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Aurelien Aptel +--- + mount.cifs.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/mount.cifs.c b/mount.cifs.c +index 7f898bb..84274c9 100644 +--- a/mount.cifs.c ++++ b/mount.cifs.c +@@ -1996,9 +1996,9 @@ acquire_mountpoint(char **mountpointp) + */ + realuid = getuid(); + if (realuid == 0) { +- dacrc = toggle_dac_capability(0, 1); +- if (dacrc) +- return dacrc; ++ rc = toggle_dac_capability(0, 1); ++ if (rc) ++ goto out; + } else { + oldfsuid = setfsuid(realuid); + oldfsgid = setfsgid(getgid()); +@@ -2019,7 +2019,6 @@ acquire_mountpoint(char **mountpointp) + rc = EX_SYSERR; + } + +- *mountpointp = mountpoint; + restore_privs: + if (realuid == 0) { + dacrc = toggle_dac_capability(0, 0); +@@ -2030,9 +2029,13 @@ restore_privs: + gid_t __attribute__((unused)) gignore = setfsgid(oldfsgid); + } + +- if (rc) ++out: ++ if (rc) { + free(mountpoint); ++ mountpoint = NULL; ++ } + ++ *mountpointp = mountpoint; + return rc; + } + +-- +2.33.0 + diff --git a/0010-cifs.upcall-fix-regression-in-kerberos-mount.patch b/0010-cifs.upcall-fix-regression-in-kerberos-mount.patch new file mode 100644 index 0000000000000000000000000000000000000000..7e370649bdd7ae80adf7038acade382eef3f1581 --- /dev/null +++ b/0010-cifs.upcall-fix-regression-in-kerberos-mount.patch @@ -0,0 +1,493 @@ +From 7f9711dd902a239c499682015d708f73ec884af2 Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Wed, 21 Apr 2021 16:22:15 +0200 +Subject: [PATCH] cifs.upcall: fix regression in kerberos mount + +The fix for CVE-2021-20208 in commit e461afd ("cifs.upcall: try to use +container ipc/uts/net/pid/mnt/user namespaces") introduced a +regression for kerberos mounts when cifs-utils is built with +libcap-ng. It makes mount fail with ENOKEY "Required key not +available". + +Current state: + +mount.cifs + '---> mount() ---> kernel + negprot, session setup (need security blob for krb) + request_key("cifs.spnego", payload="pid=%d;username=...") + upcall + /sbin/request-key <--------------' + reads /etc/request-keys.conf + dispatch cifs.spnego request + calls /usr/sbin/cifs.upcall + - drop privileges (capabilities) + - fetch keyid + - parse payload + - switch to mount.cifs namespaces + - call krb5_xxx() funcs + - generate security blob + - set key value to security blob + '-----------------------------------> kernel + put blob in session setup packet + continue auth + open tcon + get share root + setup superblock +mount.cifs mount() returns <-----------' + +By the time cifs.upcall tries to switch to namespaces, enough +capabilities have dropped in trim_capabilities() that it makes setns() +fail with EPERM. + +setns() requires CAP_SYS_ADMIN. + +With libcap trim_capabilities() is a no-op. + +This fix: + +- moves the namespace switch earlier so that operations like + setgroups(), setgid(), scanning of pid environment, ... happens in the + contained namespaces. +- moves trim_capabilities() after the namespace switch +- moves the string processing to decode the key request payload in a + child process with minimum capabilities. the decoded data is shared + with the parent process via shared memory obtained with mmap(). + +Fixes: e461afd ("cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces") +Signed-off-by: Aurelien Aptel +--- + cifs.upcall.c | 214 ++++++++++++++++++++++++++++++++------------------ + 1 file changed, 139 insertions(+), 75 deletions(-) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index e413934..ad04301 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -52,6 +52,9 @@ + #include + #include + #include ++#include ++#include ++#include + + #include "data_blob.h" + #include "spnego.h" +@@ -787,6 +790,25 @@ handle_krb5_mech(const char *oid, const char *host, DATA_BLOB * secblob, + return retval; + } + ++ ++ ++struct decoded_args { ++ int ver; ++ char hostname[NI_MAXHOST + 1]; ++ char ip[NI_MAXHOST + 1]; ++ ++/* Max user name length. */ ++#define MAX_USERNAME_SIZE 256 ++ char username[MAX_USERNAME_SIZE + 1]; ++ ++ uid_t uid; ++ uid_t creduid; ++ pid_t pid; ++ sectype_t sec; ++ ++/* ++ * Flags to keep track of what was provided ++ */ + #define DKD_HAVE_HOSTNAME 0x1 + #define DKD_HAVE_VERSION 0x2 + #define DKD_HAVE_SEC 0x4 +@@ -796,23 +818,13 @@ handle_krb5_mech(const char *oid, const char *host, DATA_BLOB * secblob, + #define DKD_HAVE_CREDUID 0x40 + #define DKD_HAVE_USERNAME 0x80 + #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC) +- +-struct decoded_args { +- int ver; +- char *hostname; +- char *ip; +- char *username; +- uid_t uid; +- uid_t creduid; +- pid_t pid; +- sectype_t sec; ++ int have; + }; + + static unsigned int +-decode_key_description(const char *desc, struct decoded_args *arg) ++__decode_key_description(const char *desc, struct decoded_args *arg) + { +- int len; +- int retval = 0; ++ size_t len; + char *pos; + const char *tkn = desc; + +@@ -826,13 +838,13 @@ decode_key_description(const char *desc, struct decoded_args *arg) + len = pos - tkn; + + len -= 5; +- free(arg->hostname); +- arg->hostname = strndup(tkn + 5, len); +- if (arg->hostname == NULL) { +- syslog(LOG_ERR, "Unable to allocate memory"); ++ if (len > sizeof(arg->hostname)-1) { ++ syslog(LOG_ERR, "host= value too long for buffer"); + return 1; + } +- retval |= DKD_HAVE_HOSTNAME; ++ memset(arg->hostname, 0, sizeof(arg->hostname)); ++ strncpy(arg->hostname, tkn + 5, len); ++ arg->have |= DKD_HAVE_HOSTNAME; + syslog(LOG_DEBUG, "host=%s", arg->hostname); + } else if (!strncmp(tkn, "ip4=", 4) || !strncmp(tkn, "ip6=", 4)) { + if (pos == NULL) +@@ -841,13 +853,13 @@ decode_key_description(const char *desc, struct decoded_args *arg) + len = pos - tkn; + + len -= 4; +- free(arg->ip); +- arg->ip = strndup(tkn + 4, len); +- if (arg->ip == NULL) { +- syslog(LOG_ERR, "Unable to allocate memory"); ++ if (len > sizeof(arg->ip)-1) { ++ syslog(LOG_ERR, "ip[46]= value too long for buffer"); + return 1; + } +- retval |= DKD_HAVE_IP; ++ memset(arg->ip, 0, sizeof(arg->ip)); ++ strncpy(arg->ip, tkn + 4, len); ++ arg->have |= DKD_HAVE_IP; + syslog(LOG_DEBUG, "ip=%s", arg->ip); + } else if (strncmp(tkn, "user=", 5) == 0) { + if (pos == NULL) +@@ -856,13 +868,13 @@ decode_key_description(const char *desc, struct decoded_args *arg) + len = pos - tkn; + + len -= 5; +- free(arg->username); +- arg->username = strndup(tkn + 5, len); +- if (arg->username == NULL) { +- syslog(LOG_ERR, "Unable to allocate memory"); ++ if (len > sizeof(arg->username)-1) { ++ syslog(LOG_ERR, "user= value too long for buffer"); + return 1; + } +- retval |= DKD_HAVE_USERNAME; ++ memset(arg->username, 0, sizeof(arg->username)); ++ strncpy(arg->username, tkn + 5, len); ++ arg->have |= DKD_HAVE_USERNAME; + syslog(LOG_DEBUG, "user=%s", arg->username); + } else if (strncmp(tkn, "pid=", 4) == 0) { + errno = 0; +@@ -873,13 +885,13 @@ decode_key_description(const char *desc, struct decoded_args *arg) + return 1; + } + syslog(LOG_DEBUG, "pid=%u", arg->pid); +- retval |= DKD_HAVE_PID; ++ arg->have |= DKD_HAVE_PID; + } else if (strncmp(tkn, "sec=", 4) == 0) { + if (strncmp(tkn + 4, "krb5", 4) == 0) { +- retval |= DKD_HAVE_SEC; ++ arg->have |= DKD_HAVE_SEC; + arg->sec = KRB5; + } else if (strncmp(tkn + 4, "mskrb5", 6) == 0) { +- retval |= DKD_HAVE_SEC; ++ arg->have |= DKD_HAVE_SEC; + arg->sec = MS_KRB5; + } + syslog(LOG_DEBUG, "sec=%d", arg->sec); +@@ -891,7 +903,7 @@ decode_key_description(const char *desc, struct decoded_args *arg) + strerror(errno)); + return 1; + } +- retval |= DKD_HAVE_UID; ++ arg->have |= DKD_HAVE_UID; + syslog(LOG_DEBUG, "uid=%u", arg->uid); + } else if (strncmp(tkn, "creduid=", 8) == 0) { + errno = 0; +@@ -901,7 +913,7 @@ decode_key_description(const char *desc, struct decoded_args *arg) + strerror(errno)); + return 1; + } +- retval |= DKD_HAVE_CREDUID; ++ arg->have |= DKD_HAVE_CREDUID; + syslog(LOG_DEBUG, "creduid=%u", arg->creduid); + } else if (strncmp(tkn, "ver=", 4) == 0) { /* if version */ + errno = 0; +@@ -911,14 +923,56 @@ decode_key_description(const char *desc, struct decoded_args *arg) + strerror(errno)); + return 1; + } +- retval |= DKD_HAVE_VERSION; ++ arg->have |= DKD_HAVE_VERSION; + syslog(LOG_DEBUG, "ver=%d", arg->ver); + } + if (pos == NULL) + break; + tkn = pos + 1; + } while (tkn); +- return retval; ++ return 0; ++} ++ ++static unsigned int ++decode_key_description(const char *desc, struct decoded_args **arg) ++{ ++ pid_t pid; ++ pid_t rc; ++ int status; ++ ++ /* ++ * Do all the decoding/string processing in a child process ++ * with low privileges. ++ */ ++ ++ *arg = mmap(NULL, sizeof(struct decoded_args), PROT_READ | PROT_WRITE, ++ MAP_ANONYMOUS | MAP_SHARED, -1, 0); ++ if (*arg == MAP_FAILED) { ++ syslog(LOG_ERR, "%s: mmap failed: %s", __func__, strerror(errno)); ++ return -1; ++ } ++ ++ pid = fork(); ++ if (pid < 0) { ++ syslog(LOG_ERR, "%s: fork failed: %s", __func__, strerror(errno)); ++ munmap(*arg, sizeof(struct decoded_args)); ++ *arg = NULL; ++ return -1; ++ } ++ if (pid == 0) { ++ /* do the parsing in child */ ++ drop_all_capabilities(); ++ exit(__decode_key_description(desc, *arg)); ++ } ++ ++ rc = waitpid(pid, &status, 0); ++ if (rc < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) { ++ munmap(*arg, sizeof(struct decoded_args)); ++ *arg = NULL; ++ return 1; ++ } ++ ++ return 0; + } + + static int setup_key(const key_serial_t key, const void *data, size_t datalen) +@@ -1098,7 +1152,7 @@ int main(const int argc, char *const argv[]) + bool try_dns = false, legacy_uid = false , env_probe = true; + char *buf; + char hostbuf[NI_MAXHOST], *host; +- struct decoded_args arg; ++ struct decoded_args *arg = NULL; + const char *oid; + uid_t uid; + char *keytab_name = NULL; +@@ -1109,7 +1163,6 @@ int main(const int argc, char *const argv[]) + const char *key_descr = NULL; + + hostbuf[0] = '\0'; +- memset(&arg, 0, sizeof(arg)); + + openlog(prog, 0, LOG_DAEMON); + +@@ -1150,9 +1203,6 @@ int main(const int argc, char *const argv[]) + } + } + +- if (trim_capabilities(env_probe)) +- goto out; +- + /* is there a key? */ + if (argc <= optind) { + usage(); +@@ -1178,6 +1228,10 @@ int main(const int argc, char *const argv[]) + + syslog(LOG_DEBUG, "key description: %s", buf); + ++ /* ++ * If we are requested a simple DNS query, do it and exit ++ */ ++ + if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) + key_descr = ".cifs.resolver"; + else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0) +@@ -1187,33 +1241,42 @@ int main(const int argc, char *const argv[]) + goto out; + } + +- have = decode_key_description(buf, &arg); ++ /* ++ * Otherwise, it's a spnego key request ++ */ ++ ++ rc = decode_key_description(buf, &arg); + free(buf); +- if ((have & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) { ++ if (rc) { ++ syslog(LOG_ERR, "failed to decode key description"); ++ goto out; ++ } ++ ++ if ((arg->have & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) { + syslog(LOG_ERR, "unable to get necessary params from key " + "description (0x%x)", have); + rc = 1; + goto out; + } + +- if (arg.ver > CIFS_SPNEGO_UPCALL_VERSION) { ++ if (arg->ver > CIFS_SPNEGO_UPCALL_VERSION) { + syslog(LOG_ERR, "incompatible kernel upcall version: 0x%x", +- arg.ver); ++ arg->ver); + rc = 1; + goto out; + } + +- if (strlen(arg.hostname) >= NI_MAXHOST) { ++ if (strlen(arg->hostname) >= NI_MAXHOST) { + syslog(LOG_ERR, "hostname provided by kernel is too long"); + rc = 1; + goto out; + + } + +- if (!legacy_uid && (have & DKD_HAVE_CREDUID)) +- uid = arg.creduid; +- else if (have & DKD_HAVE_UID) +- uid = arg.uid; ++ if (!legacy_uid && (arg->have & DKD_HAVE_CREDUID)) ++ uid = arg->creduid; ++ else if (arg->have & DKD_HAVE_UID) ++ uid = arg->uid; + else { + /* no uid= or creduid= parm -- something is wrong */ + syslog(LOG_ERR, "No uid= or creduid= parm specified"); +@@ -1221,6 +1284,21 @@ int main(const int argc, char *const argv[]) + goto out; + } + ++ /* ++ * Change to the process's namespace. This means that things will work ++ * acceptably in containers, because we'll be looking at the correct ++ * filesystem and have the correct network configuration. ++ */ ++ rc = switch_to_process_ns(arg->pid); ++ if (rc == -1) { ++ syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno)); ++ rc = 1; ++ goto out; ++ } ++ ++ if (trim_capabilities(env_probe)) ++ goto out; ++ + /* + * The kernel doesn't pass down the gid, so we resort here to scraping + * one out of the passwd nss db. Note that this might not reflect the +@@ -1266,20 +1344,7 @@ int main(const int argc, char *const argv[]) + * look at the environ file. + */ + env_cachename = +- get_cachename_from_process_env(env_probe ? arg.pid : 0); +- +- /* +- * Change to the process's namespace. This means that things will work +- * acceptably in containers, because we'll be looking at the correct +- * filesystem and have the correct network configuration. +- */ +- rc = switch_to_process_ns(arg.pid); +- if (rc == -1) { +- syslog(LOG_ERR, "unable to switch to process namespace: %s", +- strerror(errno)); +- rc = 1; +- goto out; +- } ++ get_cachename_from_process_env(env_probe ? arg->pid : 0); + + rc = setuid(uid); + if (rc == -1) { +@@ -1301,18 +1366,18 @@ int main(const int argc, char *const argv[]) + + ccache = get_existing_cc(env_cachename); + /* Couldn't find credcache? Try to use keytab */ +- if (ccache == NULL && arg.username != NULL) +- ccache = init_cc_from_keytab(keytab_name, arg.username); ++ if (ccache == NULL && arg->username[0] != '\0') ++ ccache = init_cc_from_keytab(keytab_name, arg->username); + + if (ccache == NULL) { + rc = 1; + goto out; + } + +- host = arg.hostname; ++ host = arg->hostname; + + // do mech specific authorization +- switch (arg.sec) { ++ switch (arg->sec) { + case MS_KRB5: + case KRB5: + /* +@@ -1328,7 +1393,7 @@ int main(const int argc, char *const argv[]) + * TRY only: + * cifs/bar.example.com@REALM + */ +- if (arg.sec == MS_KRB5) ++ if (arg->sec == MS_KRB5) + oid = OID_KERBEROS5_OLD; + else + oid = OID_KERBEROS5; +@@ -1385,10 +1450,10 @@ retry_new_hostname: + break; + } + +- if (!try_dns || !(have & DKD_HAVE_IP)) ++ if (!try_dns || !(arg->have & DKD_HAVE_IP)) + break; + +- rc = ip_to_fqdn(arg.ip, hostbuf, sizeof(hostbuf)); ++ rc = ip_to_fqdn(arg->ip, hostbuf, sizeof(hostbuf)); + if (rc) + break; + +@@ -1396,7 +1461,7 @@ retry_new_hostname: + host = hostbuf; + goto retry_new_hostname; + default: +- syslog(LOG_ERR, "sectype: %d is not implemented", arg.sec); ++ syslog(LOG_ERR, "sectype: %d is not implemented", arg->sec); + rc = 1; + break; + } +@@ -1414,7 +1479,7 @@ retry_new_hostname: + rc = 1; + goto out; + } +- keydata->version = arg.ver; ++ keydata->version = arg->ver; + keydata->flags = 0; + keydata->sesskey_len = sess_key.length; + keydata->secblob_len = secblob.length; +@@ -1440,11 +1505,10 @@ out: + krb5_cc_close(context, ccache); + if (context) + krb5_free_context(context); +- free(arg.hostname); +- free(arg.ip); +- free(arg.username); + free(keydata); + free(env_cachename); ++ if (arg) ++ munmap(arg, sizeof(*arg)); + syslog(LOG_DEBUG, "Exit status %ld", rc); + return rc; + } +-- +2.33.0 + diff --git a/cifs-utils.spec b/cifs-utils.spec index 2c20a8eb0a3030fc5873e7e9be7704d19d4dd409..ae1488a6978476ed8a1c46518ab445fec3af0574 100644 --- a/cifs-utils.spec +++ b/cifs-utils.spec @@ -1,18 +1,22 @@ Name: cifs-utils Version: 6.10 -Release: 5 +Release: 6 Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem License: GPLv3+ URL: http://linux-cifs.samba.org/cifs-utils/ Source0: https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2 -Patch0: 0001-CVE-2020-14342-mount.cifs-fix-shell-command-injectio.patch -Patch1: 0002-CVE-2021-20208.patch -Patch2: 1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch -Patch3: 1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch -Patch4: 0004-CVE-2022-27239.patch -Patch5: 0005-CVE-2022-29869.patch - +Patch0: 0000-Add-missing-position-handling-to-mount-parameters-gi.patch +Patch1: 0001-CVE-2020-14342-mount.cifs-fix-shell-command-injectio.patch +Patch2: 0002-CVE-2021-20208.patch +Patch3: 0003-cifs-utils-fix-probabilistic-compiling-error.patch +Patch4: 0004-mount.cifs-fix-max-buffer-size-when-parsing-snapshot.patch +Patch5: 0005-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch +Patch6: 0006-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch +Patch7: 0007-CVE-2022-27239.patch +Patch8: 0008-CVE-2022-29869.patch +Patch9: 0009-mount.cifs-fix-crash-when-mount-point-does-not-exist.patch +Patch10: 0010-cifs.upcall-fix-regression-in-kerberos-mount.patch BuildRequires: python3-docutils libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf BuildRequires: automake libwbclient-devel pam-devel python3-samba pkg-config fdupes gcc @@ -85,6 +89,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir} %{_mandir}/man8/* %changelog +* Thu Mar 30 2023 Zhiqiang Liu - 6.10-6 +- backport some patches + * Thu May 5 2022 yanglongkang - 6.10-5 - Fix CVE-2022-27239 and CVE-2022-29869