Control: tags 1010818 + patch
Control: tags 1010818 + pending

Dear maintainer,

I've prepared an NMU for cifs-utils (versioned as 2:6.14-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru cifs-utils-6.14/debian/changelog cifs-utils-6.14/debian/changelog
--- cifs-utils-6.14/debian/changelog	2021-12-14 11:15:06.000000000 +0100
+++ cifs-utils-6.14/debian/changelog	2022-05-10 21:59:48.000000000 +0200
@@ -1,3 +1,13 @@
+cifs-utils (2:6.14-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * mount.cifs: fix length check for ip option parsing (CVE-2022-27239)
+    (Closes: #1010818)
+  * mount.cifs: fix verbose messages on option parsing (CVE-2022-29869)
+    (Closes: #1010818)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 10 May 2022 21:59:48 +0200
+
 cifs-utils (2:6.14-1) unstable; urgency=medium
 
   * New upstream version 6.14
diff -Nru cifs-utils-6.14/debian/patches/CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch cifs-utils-6.14/debian/patches/CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
--- cifs-utils-6.14/debian/patches/CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch	1970-01-01 01:00:00.000000000 +0100
+++ cifs-utils-6.14/debian/patches/CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch	2022-05-10 21:59:48.000000000 +0200
@@ -0,0 +1,39 @@
+From: Jeffrey Bencteux <j...@improsec.com>
+Date: Thu, 17 Mar 2022 12:58:52 -0400
+Subject: CVE-2022-27239: mount.cifs: fix length check for ip option parsing
+Origin: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
+Bug-Debian: https://bugs.debian.org/1010818
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-27239
+
+Previous check was true whatever the length of the input string was,
+leading to a buffer overflow in the subsequent strcpy call.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
+
+Signed-off-by: Jeffrey Bencteux <j...@improsec.com>
+Reviewed-by: David Disseldorp <dd...@suse.de>
+---
+ mount.cifs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 84274c98ddf5..3a6b449cc10c 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
+ 			if (!value || !*value) {
+ 				fprintf(stderr,
+ 					"target ip address argument missing\n");
+-			} else if (strnlen(value, MAX_ADDRESS_LEN) <=
++			} else if (strnlen(value, MAX_ADDRESS_LEN) <
+ 				MAX_ADDRESS_LEN) {
+-				strcpy(parsed_info->addrlist, value);
++				strlcpy(parsed_info->addrlist, value,
++					MAX_ADDRESS_LEN);
+ 				if (parsed_info->verboseflag)
+ 					fprintf(stderr,
+ 						"ip address %s override specified\n",
+-- 
+2.36.0
+
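Review bot: In the parse_options hunk, the new strlcpy call is bounded by the constant MAX_ADDRESS_LEN rather than by sizeof(parsed_info->addrlist), so the copy is only safe if addrlist is declared with at least MAX_ADDRESS_LEN bytes, which these lines do not show. With the corrected `<` comparison the accepted string is at most MAX_ADDRESS_LEN - 1 characters plus the terminator, so the sizes line up when that holds. Passing sizeof(parsed_info->addrlist) as the third argument, the way the strlcpy into parsed_info->domain does in open_cred_file, would tie the bound to the destination and keep it correct if the buffer size ever changes. Separately, the patch header carries the same Bug: line twice; one copy can go.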
diff -Nru cifs-utils-6.14/debian/patches/mount.cifs-fix-verbose-messages-on-option-parsing.patch cifs-utils-6.14/debian/patches/mount.cifs-fix-verbose-messages-on-option-parsing.patch
--- cifs-utils-6.14/debian/patches/mount.cifs-fix-verbose-messages-on-option-parsing.patch	1970-01-01 01:00:00.000000000 +0100
+++ cifs-utils-6.14/debian/patches/mount.cifs-fix-verbose-messages-on-option-parsing.patch	2022-05-10 21:59:48.000000000 +0200
@@ -0,0 +1,47 @@
+From: Jeffrey Bencteux <j...@improsec.com>
+Date: Sat, 19 Mar 2022 13:41:15 -0400
+Subject: mount.cifs: fix verbose messages on option parsing
+Origin: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
+Bug-Debian: https://bugs.debian.org/1010818
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-29869
+
+When verbose logging is enabled, invalid credentials file lines may be
+dumped to stderr. This may lead to information disclosure in particular
+conditions when the credentials file given is sensitive and contains '='
+signs.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
+
+Signed-off-by: Jeffrey Bencteux <j...@improsec.com>
+Reviewed-by: David Disseldorp <dd...@suse.de>
+---
+ mount.cifs.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 3a6b449cc10c..2278995c9653 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -628,17 +628,13 @@ static int open_cred_file(char *file_name,
+ 				goto return_i;
+ 			break;
+ 		case CRED_DOM:
+-			if (parsed_info->verboseflag)
+-				fprintf(stderr, "domain=%s\n",
+-					temp_val);
+ 			strlcpy(parsed_info->domain, temp_val,
+ 				sizeof(parsed_info->domain));
+ 			break;
+ 		case CRED_UNPARSEABLE:
+ 			if (parsed_info->verboseflag)
+ 				fprintf(stderr, "Credential formatted "
+-					"incorrectly: %s\n",
+-					temp_val ? temp_val : "(null)");
++					"incorrectly\n");
+ 			break;
+ 		}
+ 	}
+-- 
+2.36.0
+
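Review bot: The description only talks about invalid credentials file lines, but the hunk also removes the verbose "domain=%s" print under CRED_DOM, and nothing in the header says why; a sentence covering that case would help whoever reads this later. The context shown starts partway through the switch in open_cred_file, so it is worth confirming that none of the earlier cases still pass temp_val to fprintf when verboseflag is set, since any remaining print of that kind would echo file content the same way.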
diff -Nru cifs-utils-6.14/debian/patches/series cifs-utils-6.14/debian/patches/series
--- cifs-utils-6.14/debian/patches/series	2021-12-14 11:11:19.000000000 +0100
+++ cifs-utils-6.14/debian/patches/series	2022-05-10 21:59:48.000000000 +0200
@@ -1,2 +1,4 @@
 0001-Fix-fPIE-casing.patch
 0003-Change-script-shbangs-to-python3.patch
+CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
+mount.cifs-fix-verbose-messages-on-option-parsing.patch
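Review bot: The second added entry, mount.cifs-fix-verbose-messages-on-option-parsing.patch, has no CVE prefix while the first one is named CVE-2022-27239-...; renaming it to carry CVE-2022-29869 would keep the naming consistent and let the series file show at a glance that both CVEs listed in the changelog are patched.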
