Fix CVE-2022-27239 and CVE-2022-29869

(cherry picked from commit 027714241ed38d830ec9abb09a527a473faa2c65)
2022-05-05 19:35:41 +08:00 · 2022-05-05 19:35:41 +08:00 · b921941cff
commit b921941cff
parent a85441d2ba
3 changed files with 84 additions and 1 deletions
--- a/0001-CVE-2022-27239.patch
+++ b/0001-CVE-2022-27239.patch
@ -0,0 +1,35 @@
 From 955fb147e97a6a74e1aaa65766de91e2c1479765 Mon Sep 17 00:00:00 2001
 From: Jeffrey Bencteux <jbe@improsec.com>
 Date: Thu, 17 Mar 2022 12:58:52 -0400
 Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
 parsing
 Previous check was true whatever the length of the input string was,
 leading to a buffer overflow in the subsequent strcpy call.
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
 Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
 Reviewed-by: David Disseldorp <ddiss@suse.de>
 ---
 mount.cifs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/mount.cifs.c b/mount.cifs.c
 index 84274c9..3a6b449 100644
 --- a/mount.cifs.c
 +++ b/mount.cifs.c
@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
 			if (!value || !*value) {
 				fprintf(stderr,
 					"target ip address argument missing\n");
 -			} else if (strnlen(value, MAX_ADDRESS_LEN) <=
 +			} else if (strnlen(value, MAX_ADDRESS_LEN) <
 				MAX_ADDRESS_LEN) {
 -				strcpy(parsed_info->addrlist, value);
 +				strlcpy(parsed_info->addrlist, value,
 +					MAX_ADDRESS_LEN);
 				if (parsed_info->verboseflag)
 					fprintf(stderr,
 						"ip address %s override specified\n",
 --
--- a/0002-CVE-2022-29869.patch
+++ b/0002-CVE-2022-29869.patch
@ -0,0 +1,42 @@
 From 8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 Mon Sep 17 00:00:00 2001
 From: Jeffrey Bencteux <jbe@improsec.com>
 Date: Sat, 19 Mar 2022 13:41:15 -0400
 Subject: [PATCH] mount.cifs: fix verbose messages on option parsing
 When verbose logging is enabled, invalid credentials file lines may be
 dumped to stderr. This may lead to information disclosure in particular
 conditions when the credentials file given is sensitive and contains '='
 signs.
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
 Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
 Reviewed-by: David Disseldorp <ddiss@suse.de>
 ---
 mount.cifs.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
 diff --git a/mount.cifs.c b/mount.cifs.c
 index 3a6b449..2278995 100644
 --- a/mount.cifs.c
 +++ b/mount.cifs.c
@@ -628,17 +628,13 @@ static int open_cred_file(char *file_name,
 				goto return_i;
 			break;
 		case CRED_DOM:
 -			if (parsed_info->verboseflag)
 -				fprintf(stderr, "domain=%s\n",
 -					temp_val);
 			strlcpy(parsed_info->domain, temp_val,
 				sizeof(parsed_info->domain));
 			break;
 		case CRED_UNPARSEABLE:
 			if (parsed_info->verboseflag)
 				fprintf(stderr, "Credential formatted "
 -					"incorrectly: %s\n",
 -					temp_val ? temp_val : "(null)");
 +					"incorrectly\n");
 			break;
 		}
 	}
 --
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@ -1,6 +1,6 @@
 Name:           cifs-utils
 Version:        6.14
-Release:        2
+Release:        3
 Summary:        Utilities for doing and managing mounts of the Linux CIFS filesystem
 License:        GPLv3+
 URL:            http://linux-cifs.samba.org/cifs-utils/
@ -12,6 +12,9 @@ Provides:       pam_cifscreds
 Obsoletes:      pam_cifscreds
 Requires:       keyutils
 Patch1:	0001-CVE-2022-27239.patch
 Patch2: 0002-CVE-2022-29869.patch
 %description
 The in-kernel CIFS filesystem is generally the preferred method for mounting
 SMB/CIFS shares on Linux.
@ -75,6 +78,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir}
 %{_mandir}/man8/*
 %changelog
 * Thu May 5 2022 yanglongkang <yanglongkang@h-partners.com> - 6.14-3
 - Fix CVE-2022-27239 and CVE-2022-29869
 * Sat Jan 8 2022 yanglongkang <yanglongkang@huawei.com> - 6.14-2
 - delete BuildRequires python3-samba