Hi Stephane,

I sincerely apologise for causing this regression. I did try and cover all the
combinations with patched / unpatched kernel and patched / unpatched cifs-utils,
but it seems I missed this one.

It seems I only tested Kerberos credential caches in the default locations,
and never hit the bug. It is also pretty unfortunate that the kernel rejects any
unknown parameters, as it would have been an easy workaround.

Are you okay with running 5.15.0-142-generic from jammy-proposed as a fix in
the meantime? The SRU cycle is due to complete the week of 16th of June,
https://kernel.ubuntu.com/, when it will likely be released to -updates.

You can also downgrade cifs-utils to 2:6.14-1ubuntu0.1 in the meantime.

I will speak to some of my colleagues and think about potentially changing

 + get_cachename_from_process_env((env_probe && (arg->upcall_target == 
UPTARGET_APP)) ? arg->pid : 0);
 
to something a little more reasonable. I just need to balance regression risk
vs closing the actual CVE, to try not to cause any further disruption.

Again, I am sorry for any inconvenience caused.

Thanks,
Matthew

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2099914

Title:
  CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials
  cache
