Version in base suite: 6.11-3.1 Base version: cifs-utils_6.11-3.1 Target version: cifs-utils_6.11-3.1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cifs-utils/cifs-utils_6.11-3.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cifs-utils/cifs-utils_6.11-3.1+deb11u1.dsc changelog | 10 ++ patches/CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch | 39 ++++++++ patches/mount.cifs-fix-verbose-messages-on-option-parsing.patch | 47 ++++++++++ patches/series | 2 4 files changed, 98 insertions(+)
diff -Nru cifs-utils-6.11/debian/changelog cifs-utils-6.11/debian/changelog
--- cifs-utils-6.11/debian/changelog 2021-07-26 21:16:25.000000000 +0000
+++ cifs-utils-6.11/debian/changelog 2022-05-10 20:12:42.000000000 +0000
@@ -1,3 +1,13 @@
+cifs-utils (2:6.11-3.1+deb11u1) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * mount.cifs: fix length check for ip option parsing (CVE-2022-27239)
+ (Closes: #1010818)
+ * mount.cifs: fix verbose messages on option parsing (CVE-2022-29869)
+ (Closes: #1010818)
+
+ -- Salvatore Bonaccorso Tue, 10 May 2022 22:12:42 +0200
+
 cifs-utils (2:6.11-3.1) unstable; urgency=medium
 
 * Non-maintainer upload
diff -Nru cifs-utils-6.11/debian/patches/CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch cifs-utils-6.11/debian/patches/CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
--- cifs-utils-6.11/debian/patches/CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch 1970-01-01 00:00:00.000000000 +0000
+++ cifs-utils-6.11/debian/patches/CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch 2022-05-10 20:12:42.000000000 +0000
@@ -0,0 +1,39 @@
+From: Jeffrey Bencteux
+Date: Thu, 17 Mar 2022 12:58:52 -0400
+Subject: CVE-2022-27239: mount.cifs: fix length check for ip option parsing
+Origin: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
+Bug-Debian: https://bugs.debian.org/1010818
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-27239
+
+Previous check was true whatever the length of the input string was,
+leading to a buffer overflow in the subsequent strcpy call.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
+
+Signed-off-by: Jeffrey Bencteux
+Reviewed-by: David Disseldorp
+---
+ mount.cifs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 84274c98ddf5..3a6b449cc10c 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
+ if (!value || !*value) {
+ fprintf(stderr,
+ "target ip address argument missing\n");
+- } else if (strnlen(value, MAX_ADDRESS_LEN) <=
++ } else if (strnlen(value, MAX_ADDRESS_LEN) <
+ MAX_ADDRESS_LEN) {
+- strcpy(parsed_info->addrlist, value);
++ strlcpy(parsed_info->addrlist, value,
++ MAX_ADDRESS_LEN);
+ if (parsed_info->verboseflag)
+ fprintf(stderr,
+ "ip address %s override specified\n",
+--
+2.36.0
+
diff -Nru cifs-utils-6.11/debian/patches/mount.cifs-fix-verbose-messages-on-option-parsing.patch cifs-utils-6.11/debian/patches/mount.cifs-fix-verbose-messages-on-option-parsing.patch
--- cifs-utils-6.11/debian/patches/mount.cifs-fix-verbose-messages-on-option-parsing.patch 1970-01-01 00:00:00.000000000 +0000
+++ cifs-utils-6.11/debian/patches/mount.cifs-fix-verbose-messages-on-option-parsing.patch 2022-05-10 20:12:42.000000000 +0000
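Review bot: In the CVE-2022-27239 patch, the new `strlcpy` call in parse_options is bounded by the constant `MAX_ADDRESS_LEN` rather than by the size of the destination, so the copy stays in bounds only while `parsed_info->addrlist` is at least that large. The declaration of `addrlist` is not visible in this hunk. If it is an array member, tying the bound to the destination removes that dependency: `strlcpy(parsed_info->addrlist, value, sizeof(parsed_info->addrlist));`. The branch taken when the value is too long is also outside the hunk, so whether an over-long `ip=` value is reported or silently ignored cannot be confirmed from here.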
@@ -0,0 +1,47 @@
+From: Jeffrey Bencteux
+Date: Sat, 19 Mar 2022 13:41:15 -0400
+Subject: mount.cifs: fix verbose messages on option parsing
+Origin: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
+Bug-Debian: https://bugs.debian.org/1010818
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-29869
+
+When verbose logging is enabled, invalid credentials file lines may be
+dumped to stderr. This may lead to information disclosure in particular
+conditions when the credentials file given is sensitive and contains '='
+signs.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
+
+Signed-off-by: Jeffrey Bencteux
+Reviewed-by: David Disseldorp
+---
+ mount.cifs.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 3a6b449cc10c..2278995c9653 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -628,17 +628,13 @@ static int open_cred_file(char *file_name,
+ goto return_i;
+ break;
+ case CRED_DOM:
+- if (parsed_info->verboseflag)
+- fprintf(stderr, "domain=%s\n",
+- temp_val);
+ strlcpy(parsed_info->domain, temp_val,
+ sizeof(parsed_info->domain));
+ break;
+ case CRED_UNPARSEABLE:
+ if (parsed_info->verboseflag)
+ fprintf(stderr, "Credential formatted "
+- "incorrectly: %s\n",
+- temp_val ? temp_val : "(null)");
++ "incorrectly\n");
+ break;
+ }
+ }
+--
+2.36.0
+
diff -Nru cifs-utils-6.11/debian/patches/series cifs-utils-6.11/debian/patches/series
--- cifs-utils-6.11/debian/patches/series 2021-07-26 21:16:21.000000000 +0000
+++ cifs-utils-6.11/debian/patches/series 2022-05-10 20:12:42.000000000 +0000
@@ -3,3 +3,5 @@
 0003-Change-script-shbangs-to-python3.patch
 0010-CVE-2021-20208.patch
 0011-fix-regression-for-CVE-2021-20208.patch
+CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
+mount.cifs-fix-verbose-messages-on-option-parsing.patch
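Review bot: In the CVE-2022-29869 patch, nothing in the `CRED_UNPARSEABLE` case records why the rejected text is withheld, so a later debugging change could put `temp_val` back into the message. A comment above the `fprintf` would keep the intent visible, for example `/* never echo file contents here: the credentials file may be sensitive */`. The cases before `CRED_DOM` lie outside the hunk, so whether any of them still prints a parsed value under `verboseflag` cannot be checked from here and is worth confirming. open_cred_file begins before the hunk and continues after it.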