cifs-utils: fix CVE-2022-27239 CVE-2022-29869

Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2023-03-02 16:38:51 +0800
committer: Armin Kuster <akuster808@gmail.com> 2023-03-05 07:52:13 -0500
commit: 75cc182f389d7c9932402cec1740e08b6f24b91d (patch)
tree: fdea2ac1b758ddc475ed77a74567a74bc65881b4
parent: 54960c549b8f0f299f437c517c60a0fdac9f82da (diff)
download: meta-openembedded-75cc182f389d7c9932402cec1740e08b6f24b91d.tar.gz
3 files changed, 92 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/cifs/cifs-utils_6.14.bb b/meta-networking/recipes-support/cifs/cifs-utils_6.14.bb
index d4cdda0f81..516e467ee4 100644
--- a/meta-networking/recipes-support/cifs/cifs-utils_6.14.bb
+++ b/meta-networking/recipes-support/cifs/cifs-utils_6.14.bb
@@ -5,7 +5,10 @@ LICENSE = "GPL-3.0-only & LGPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 SRCREV = "8c06dce7d596e478c20bc54bdcec87ad97f80a1b"
-SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
+SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \
+           file://CVE-2022-27239.patch \
+           file://CVE-2022-29869.patch \
+"
 S = "${WORKDIR}/git"
 DEPENDS += "libtalloc"
diff --git a/meta-networking/recipes-support/cifs/files/CVE-2022-27239.patch b/meta-networking/recipes-support/cifs/files/CVE-2022-27239.patch
new file mode 100644
index 0000000000..77f6745abe
--- /dev/null
+++ b/meta-networking/recipes-support/cifs/files/CVE-2022-27239.patch
@@ -0,0 +1,40 @@
+From 007c07fd91b6d42f8bd45187cf78ebb06801139d Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jbe@improsec.com>
+Date: Thu, 17 Mar 2022 12:58:52 -0400
+Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
+ parsing
+Previous check was true whatever the length of the input string was,
+leading to a buffer overflow in the subsequent strcpy call.
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
+Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+Upstream-Status: Backport [ https://git.samba.org/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d]
+CVE: CVE-2022-27239
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ mount.cifs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 84274c9..3a6b449 100644
+--- a/mount.cifs.c
+++ b/mount.cifs.c
+@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
+                        if (!value || !*value) {
+                                fprintf(stderr,
+                                        "target ip address argument missing\n");
+-                       } else if (strnlen(value, MAX_ADDRESS_LEN) <=
+                       } else if (strnlen(value, MAX_ADDRESS_LEN) <
+                                MAX_ADDRESS_LEN) {
+-                               strcpy(parsed_info->addrlist, value);
+                               strlcpy(parsed_info->addrlist, value,
+                                       MAX_ADDRESS_LEN);
+                                if (parsed_info->verboseflag)
+                                        fprintf(stderr,
+                                                "ip address %s override specified\n",
+-- 
+2.34.1
diff --git a/meta-networking/recipes-support/cifs/files/CVE-2022-29869.patch b/meta-networking/recipes-support/cifs/files/CVE-2022-29869.patch
new file mode 100644
index 0000000000..f0c3f37dec
--- /dev/null
+++ b/meta-networking/recipes-support/cifs/files/CVE-2022-29869.patch
@@ -0,0 +1,48 @@
+From 8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jbe@improsec.com>
+Date: Sat, 19 Mar 2022 13:41:15 -0400
+Subject: [PATCH] mount.cifs: fix verbose messages on option parsing
+When verbose logging is enabled, invalid credentials file lines may be
+dumped to stderr. This may lead to information disclosure in particular
+conditions when the credentials file given is sensitive and contains '='
+signs.
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
+Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+Upstream-Status: Backport [https://git.samba.org/?p=cifs-utils.git;a=commit;h=8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379]
+CVE: CVE-2022-29869
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ mount.cifs.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 3a6b449..2278995 100644
+--- a/mount.cifs.c
+++ b/mount.cifs.c
+@@ -628,17 +628,13 @@ static int open_cred_file(char *file_name,
+                                goto return_i;
+                        break;
+                case CRED_DOM:
+-                       if (parsed_info->verboseflag)
+-                               fprintf(stderr, "domain=%s\n",
+-                                       temp_val);
+                        strlcpy(parsed_info->domain, temp_val,
+                                sizeof(parsed_info->domain));
+                        break;
+                case CRED_UNPARSEABLE:
+                        if (parsed_info->verboseflag)
+                                fprintf(stderr, "Credential formatted "
+-                                       "incorrectly: %s\n",
+-                                       temp_val ? temp_val : "(null)");
+                                       "incorrectly\n");
+                        break;
+                }
+        }
+-- 
+2.34.1
author	Chee Yang Lee <chee.yang.lee@intel.com>	2023-03-02 16:38:51 +0800
committer	Armin Kuster <akuster808@gmail.com>	2023-03-05 07:52:13 -0500
commit	75cc182f389d7c9932402cec1740e08b6f24b91d (patch)
tree	fdea2ac1b758ddc475ed77a74567a74bc65881b4
parent	54960c549b8f0f299f437c517c60a0fdac9f82da (diff)
download	meta-openembedded-75cc182f389d7c9932402cec1740e08b6f24b91d.tar.gz

diff --git a/meta-networking/recipes-support/cifs/cifs-utils_6.14.bb b/meta-networking/recipes-support/cifs/cifs-utils_6.14.bb index d4cdda0f81..516e467ee4 100644 --- a/meta-networking/recipes-support/cifs/cifs-utils_6.14.bb +++ b/meta-networking/recipes-support/cifs/cifs-utils_6.14.bb
@@ -5,7 +5,10 @@ LICENSE = "GPL-3.0-only & LGPL-3.0-only"
5	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"	5	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
6		6
7	SRCREV = "8c06dce7d596e478c20bc54bdcec87ad97f80a1b"	7	SRCREV = "8c06dce7d596e478c20bc54bdcec87ad97f80a1b"
8	SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"	8	SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \
		9	file://CVE-2022-27239.patch \
		10	file://CVE-2022-29869.patch \
		11	"
9		12
10	S = "${WORKDIR}/git"	13	S = "${WORKDIR}/git"
11	DEPENDS += "libtalloc"	14	DEPENDS += "libtalloc"


diff --git a/meta-networking/recipes-support/cifs/files/CVE-2022-27239.patch b/meta-networking/recipes-support/cifs/files/CVE-2022-27239.patch new file mode 100644 index 0000000000..77f6745abe --- /dev/null +++ b/meta-networking/recipes-support/cifs/files/CVE-2022-27239.patch
@@ -0,0 +1,40 @@
		1	From 007c07fd91b6d42f8bd45187cf78ebb06801139d Mon Sep 17 00:00:00 2001
		2	From: Jeffrey Bencteux <jbe@improsec.com>
		3	Date: Thu, 17 Mar 2022 12:58:52 -0400
		4	Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
		5	parsing
		6
		7	Previous check was true whatever the length of the input string was,
		8	leading to a buffer overflow in the subsequent strcpy call.
		9
		10	Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
		11
		12	Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
		13	Reviewed-by: David Disseldorp <ddiss@suse.de>
		14
		15	Upstream-Status: Backport [ https://git.samba.org/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d]
		16	CVE: CVE-2022-27239
		17	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		18	---
		19	mount.cifs.c \| 5 +++--
		20	1 file changed, 3 insertions(+), 2 deletions(-)
		21
		22	diff --git a/mount.cifs.c b/mount.cifs.c
		23	index 84274c9..3a6b449 100644
		24	--- a/mount.cifs.c
		25	+++ b/mount.cifs.c
		26	@@ -926,9 +926,10 @@ parse_options(const char data, struct parsed_mount_info parsed_info)
		27	if (!value \|\| !*value) {
		28	fprintf(stderr,
		29	"target ip address argument missing\n");
		30	- } else if (strnlen(value, MAX_ADDRESS_LEN) <=
		31	+ } else if (strnlen(value, MAX_ADDRESS_LEN) <
		32	MAX_ADDRESS_LEN) {
		33	- strcpy(parsed_info->addrlist, value);
		34	+ strlcpy(parsed_info->addrlist, value,
		35	+ MAX_ADDRESS_LEN);
		36	if (parsed_info->verboseflag)
		37	fprintf(stderr,
		38	"ip address %s override specified\n",
		39	--
		40	2.34.1


diff --git a/meta-networking/recipes-support/cifs/files/CVE-2022-29869.patch b/meta-networking/recipes-support/cifs/files/CVE-2022-29869.patch new file mode 100644 index 0000000000..f0c3f37dec --- /dev/null +++ b/meta-networking/recipes-support/cifs/files/CVE-2022-29869.patch
@@ -0,0 +1,48 @@
		1	From 8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 Mon Sep 17 00:00:00 2001
		2	From: Jeffrey Bencteux <jbe@improsec.com>
		3	Date: Sat, 19 Mar 2022 13:41:15 -0400
		4	Subject: [PATCH] mount.cifs: fix verbose messages on option parsing
		5
		6	When verbose logging is enabled, invalid credentials file lines may be
		7	dumped to stderr. This may lead to information disclosure in particular
		8	conditions when the credentials file given is sensitive and contains '='
		9	signs.
		10
		11	Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
		12
		13	Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
		14	Reviewed-by: David Disseldorp <ddiss@suse.de>
		15
		16	Upstream-Status: Backport [https://git.samba.org/?p=cifs-utils.git;a=commit;h=8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379]
		17	CVE: CVE-2022-29869
		18	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		19	---
		20	mount.cifs.c \| 6 +-----
		21	1 file changed, 1 insertion(+), 5 deletions(-)
		22
		23	diff --git a/mount.cifs.c b/mount.cifs.c
		24	index 3a6b449..2278995 100644
		25	--- a/mount.cifs.c
		26	+++ b/mount.cifs.c
		27	@@ -628,17 +628,13 @@ static int open_cred_file(char *file_name,
		28	goto return_i;
		29	break;
		30	case CRED_DOM:
		31	- if (parsed_info->verboseflag)
		32	- fprintf(stderr, "domain=%s\n",
		33	- temp_val);
		34	strlcpy(parsed_info->domain, temp_val,
		35	sizeof(parsed_info->domain));
		36	break;
		37	case CRED_UNPARSEABLE:
		38	if (parsed_info->verboseflag)
		39	fprintf(stderr, "Credential formatted "
		40	- "incorrectly: %s\n",
		41	- temp_val ? temp_val : "(null)");
		42	+ "incorrectly\n");
		43	break;
		44	}
		45	}
		46	--
		47	2.34.1
		48