packages/cifs-utils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-27239 and CVE-2022-29869

Browse Source 
(cherry picked from commit 027714241ed38d830ec9abb09a527a473faa2c65)
This commit is contained in:
markeryang 2022-05-05 19:35:41 +08:00 committed by openeuler-sync-bot
parent a85441d2ba
commit b921941cff
3 changed files with 84 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
0001-CVE-2022-27239.patch Normal file
View File

@ -0,0 +1,35 @@
From 955fb147e97a6a74e1aaa65766de91e2c1479765 Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux <jbe@improsec.com>
Date: Thu, 17 Mar 2022 12:58:52 -0400
Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
parsing
Previous check was true whatever the length of the input string was,
leading to a buffer overflow in the subsequent strcpy call.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
---
mount.cifs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/mount.cifs.c b/mount.cifs.c
index 84274c9..3a6b449 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
if (!value || !*value) {
fprintf(stderr,
"target ip address argument missing\n");
- } else if (strnlen(value, MAX_ADDRESS_LEN) <=
+ } else if (strnlen(value, MAX_ADDRESS_LEN) <
MAX_ADDRESS_LEN) {
- strcpy(parsed_info->addrlist, value);
+ strlcpy(parsed_info->addrlist, value,
+ MAX_ADDRESS_LEN);
if (parsed_info->verboseflag)
fprintf(stderr,
"ip address %s override specified\n",
--

42
0002-CVE-2022-29869.patch Normal file
View File

@ -0,0 +1,42 @@
From 8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux <jbe@improsec.com>
Date: Sat, 19 Mar 2022 13:41:15 -0400
Subject: [PATCH] mount.cifs: fix verbose messages on option parsing
When verbose logging is enabled, invalid credentials file lines may be
dumped to stderr. This may lead to information disclosure in particular
conditions when the credentials file given is sensitive and contains '='
signs.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
---
mount.cifs.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/mount.cifs.c b/mount.cifs.c
index 3a6b449..2278995 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -628,17 +628,13 @@ static int open_cred_file(char *file_name,
goto return_i;
break;
case CRED_DOM:
- if (parsed_info->verboseflag)
- fprintf(stderr, "domain=%s\n",
- temp_val);
strlcpy(parsed_info->domain, temp_val,
sizeof(parsed_info->domain));
break;
case CRED_UNPARSEABLE:
if (parsed_info->verboseflag)
fprintf(stderr, "Credential formatted "
- "incorrectly: %s\n",
- temp_val ? temp_val : "(null)");
+ "incorrectly\n");
break;
}
}
--

8
cifs-utils.spec
View File

@ -1,6 +1,6 @@
Name: cifs-utils
Version: 6.14
Release: 2
Release: 3
Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem
License: GPLv3+
URL: http://linux-cifs.samba.org/cifs-utils/
@ -12,6 +12,9 @@ Provides: pam_cifscreds
Obsoletes: pam_cifscreds
Requires: keyutils
Patch1: 0001-CVE-2022-27239.patch
Patch2: 0002-CVE-2022-29869.patch
%description
The in-kernel CIFS filesystem is generally the preferred method for mounting
SMB/CIFS shares on Linux.
@ -75,6 +78,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir}
%{_mandir}/man8/*
%changelog
* Thu May 5 2022 yanglongkang <yanglongkang@h-partners.com> - 6.14-3
- Fix CVE-2022-27239 and CVE-2022-29869
* Sat Jan 8 2022 yanglongkang <yanglongkang@huawei.com> - 6.14-2
- delete BuildRequires python3-samba