Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hi, The security team asked us to consider an upload to pu fixing 2 low-severity security issues (which don't warrant a DSA). Attached is a debdiff of the proposed upload. Cheers, Luk
diff -Nru cifs-utils-4.5/debian/changelog cifs-utils-4.5/debian/changelog
--- cifs-utils-4.5/debian/changelog 2010-06-04 22:33:37.000000000 +0200
+++ cifs-utils-4.5/debian/changelog 2011-12-12 23:28:04.000000000 +0100
@@ -1,3 +1,11 @@
+cifs-utils (2:4.5-2+squeeze1) stable; urgency=low
+
+ * Stable update to prevent mtab corruption
+ - CVE-2011-1678
+ - CVE-2011-2724
+
+ -- Luk Claes <l...@debian.org> Mon, 12 Dec 2011 23:21:58 +0100
+
 cifs-utils (2:4.5-2) unstable; urgency=low
 * Lintian override for the suid-root binary.
diff -Nru cifs-utils-4.5/debian/patches/CVE-2011-1678.patch cifs-utils-4.5/debian/patches/CVE-2011-1678.patch
--- cifs-utils-4.5/debian/patches/CVE-2011-1678.patch 1970-01-01 01:00:00.000000000 +0100
+++ cifs-utils-4.5/debian/patches/CVE-2011-1678.patch 2011-12-12 23:41:59.000000000 +0100
@@ -0,0 +1,134 @@
+From: Jeff Layton <jlay...@samba.org>
+Date: Tue, 12 Jul 2011 12:19:33 +0000 (-0400)
+Subject: mtab: handle ENOSPC/EFBIG condition properly when altering mtab
+X-Git-Tag: cifs-utils-5.1~19
+X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=commitdiff_plain;h=f6eae44a3d05b6515a59651e6bed8b6dde689aec
+
+mtab: handle ENOSPC/EFBIG condition properly when altering mtab
+
+It's possible that when mount.cifs goes to append the mtab that there
+won't be enough space to do so, and the mntent won't be appended to the
+file in its entirety.
+
+Add a my_endmntent routine that will fflush and then fsync the FILE if
+that succeeds. If either fails then it will truncate the file back to
+its provided size. It will then call endmntent unconditionally.
+
+Have add_mtab call fstat on the opened mtab file in order to get the
+size of the file before it has been appended. Assuming that that
+succeeds, use my_endmntent to ensure that the file is not corrupted
+before closing it. It's possible that we'll have a small race window
+where the mtab is incorrect, but it should be quickly corrected.
+
+This was reported some time ago as CVE-2011-1678:
+
+ http://openwall.com/lists/oss-security/2011/03/04/9
+
+...and it seems to fix the reproducer that I was able to come up with.
+
+Signed-off-by: Jeff Layton <jlay...@samba.org>
+Reviewed-by: Suresh Jayaraman <sjayara...@suse.de>
+---
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 9d7e107..107a5a5 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -1428,10 +1428,11 @@ static int check_mtab(const char *progname, const char *devname,
+ static int
+ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstype)
+ {
+- int rc = 0;
++ int rc = 0, tmprc, fd;
+ uid_t uid;
+ char *mount_user = NULL;
+ struct mntent mountent;
++ struct stat statbuf;
+ FILE *pmntfile;
+ sigset_t mask, oldmask;
+
+@@ -1483,6 +1484,23 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstyp
+ goto add_mtab_exit;
+ }
+
++ fd = fileno(pmntfile);
++ if (fd < 0) {
++ fprintf(stderr, "mntent does not appear to be valid\n");
++ unlock_mtab();
++ rc = EX_FILEIO;
++ goto add_mtab_exit;
++ }
++
++ rc = fstat(fd, &statbuf);
++ if (rc != 0) {
++ fprintf(stderr, "unable to fstat open mtab\n");
++ endmntent(pmntfile);
++ unlock_mtab();
++ rc = EX_FILEIO;
++ goto add_mtab_exit;
++ }
++
+ mountent.mnt_fsname = devname;
+ mountent.mnt_dir = mountpoint;
+ mountent.mnt_type = (char *)(void *)fstype;
+@@ -1514,5 +1532,14 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstyp
+ rc = addmntent(pmntfile, &mountent);
++ if (rc) {
++ fprintf(stderr, "unable to add mount entry to mtab\n");
++ ftruncate(fd, statbuf.st_size);
++ rc = EX_FILEIO;
++ }
++ tmprc = my_endmntent(pmntfile, statbuf.st_size);
++ if (tmprc) {
++ fprintf(stderr, "error %d detected on close of mtab\n", tmprc);
++ rc = EX_FILEIO;
++ }
+- endmntent(pmntfile);
+ unlock_mtab();
+ SAFE_FREE(mountent.mnt_opts);
+ add_mtab_exit:
+diff --git a/mount.h b/mount.h
+index d49c2ea..80bdbe7 100644
+--- a/mount.h
++++ b/mount.h
+@@ -35,4 +35,5 @@
+ extern int lock_mtab(void);
+ extern void unlock_mtab(void);
++extern int my_endmntent(FILE *stream, off_t size);
+
+ #endif /* !
_MOUNT_H_ */
+diff --git a/mtab.c b/mtab.c
+index 9cd50d8..de545b7 100644
+--- a/mtab.c
++++ b/mtab.c
+@@ -251,3 +251,30 @@ lock_mtab (void) {
+ return 0;
+ }
+
++/*
++ * Call fflush and fsync on the mtab, and then endmntent. If either fflush
++ * or fsync fails, then truncate the file back to "size". endmntent is called
++ * unconditionally, and the errno (if any) from fflush and fsync are returned.
++ */
++int
++my_endmntent(FILE *stream, off_t size)
++{
++ int rc, fd;
++
++ fd = fileno(stream);
++ if (fd < 0)
++ return -EBADF;
++
++ rc = fflush(stream);
++ if (!rc)
++ rc = fsync(fd);
++
++ /* truncate file back to "size" -- best effort here */
++ if (rc) {
++ rc = errno;
++ ftruncate(fd, size);
++ }
++
++ endmntent(stream);
++ return rc;
++}
diff -Nru cifs-utils-4.5/debian/patches/CVE-2011-2724.patch cifs-utils-4.5/debian/patches/CVE-2011-2724.patch
--- cifs-utils-4.5/debian/patches/CVE-2011-2724.patch 1970-01-01 01:00:00.000000000 +0100
+++ cifs-utils-4.5/debian/patches/CVE-2011-2724.patch 2011-12-12 23:18:35.000000000 +0100
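Review bot: my_endmntent in the mtab.c part of this hunk returns `-EBADF` when fileno() fails but the positive `errno` when fflush or fsync fails, so the `error %d detected on close of mtab` message in add_mtab prints a negative code on one path and a positive one on the other, and the header comment's statement that the errno is returned holds only for the second path; `return EBADF;` keeps both paths on one convention. The `ftruncate(fd, statbuf.st_size)` in add_mtab's addmntent-failure branch is unchecked like the one in my_endmntent but lacks its `/* best effort */` comment, and the same comment there would make the intent explicit. Whether data addmntent left in the stdio buffer can still be written by the later fflush in my_endmntent or by endmntent after the truncate is not visible in the hunk and is worth confirming, since that would re-append a partial record after the file was trimmed. add_mtab continues past the last inner hunk, after the `add_mtab_exit:` label.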
@@ -0,0 +1,16 @@
+X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=aa4581f3cf3f3dc0515666fbc985a97d5e846f38;hp=107a5a5c5280abe02614cdebdc052b91a13d19d9;hb=1e7a32924b22d1f786b6f490ce8590656f578f91;hpb=861824f588a870da7c110b6f199eb5ce7d4dc476
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 107a5a5..aa4581f 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -1419,8 +1419,7 @@ static int check_newline(const char *progname, const char *name)
+ static int check_mtab(const char *progname, const char *devname,
+ const char *dir)
+ {
+- if (check_newline(progname, devname) == -1 ||
+- check_newline(progname, dir) == -1)
++ if (check_newline(progname, devname) || check_newline(progname, dir))
+ return EX_USAGE;
+ return 0;
+ }
diff -Nru cifs-utils-4.5/debian/patches/series cifs-utils-4.5/debian/patches/series
--- cifs-utils-4.5/debian/patches/series 2010-06-04 22:33:38.000000000 +0200
+++ cifs-utils-4.5/debian/patches/series 2011-12-12 23:42:37.000000000 +0100
@@ -1 +1,3 @@
 debian-changes-2:4.5-2
+CVE-2011-1678.patch
+CVE-2011-2724.patch
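Review bot: The rewritten condition in check_mtab now rejects on any nonzero result of check_newline, but nothing in the patch file records why the `== -1` comparison was insufficient, and check_newline itself lies outside the hunk (only its signature appears in the inner hunk header), so a reader cannot see which other values it can return. A one-line comment above the `if`, such as `/* reject on any nonzero result from check_newline, not only -1 */`, would document the intent, and a short description below the X-Git-Url line naming the CVE, as the CVE-2011-1678 patch carries, would make the patch self-explanatory in the series.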