Accepting request 888768 from home:aaptel:cifs-utils-cvefix

update patch and patch name with ddiss comments

OBS-URL: https://build.opensuse.org/request/show/888768
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/cifs-utils?expand=0&rev=193

0001-cifs.upcall-fix-regression-in-kerberos-mount.patch

@@ -1,10 +1,13 @@
-From 5e885b485f08045e95e7f29418facf777e053fc3 Mon Sep 17 00:00:00 2001
+From 4ca235223d948fe4f3392da28b1471bce36e88d4 Mon Sep 17 00:00:00 2001
 From: Aurelien Aptel <aaptel@suse.com>
 Date: Wed, 21 Apr 2021 16:22:15 +0200
-Subject: [PATCH v2] cifs.upcall: fix CVE regression in kerberos mount
+Subject: [PATCH v4] cifs.upcall: fix regression in kerberos mount
 
-The last CVE fix introduced a regression for kerberos mounts when
-cifs-utils is built with libcap-ng.
+The fix for CVE-2021-20208 in commit e461afd ("cifs.upcall: try to use
+container ipc/uts/net/pid/mnt/user namespaces") introduced a
+regression for kerberos mounts when cifs-utils is built with
+libcap-ng. It makes mount fail with ENOKEY "Required key not
+available".
 
 Current state:
 
@@ -52,14 +55,12 @@ This fix:
 
 Fixes: e461afd ("cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces")
 Signed-off-by: Aurelien Aptel <aaptel@suse.com>
-Reviewed-by: Paulo Alcantara <palcantara@suse.de>
-
 ---
- cifs.upcall.c | 212 +++++++++++++++++++++++++++++++-------------------
- 1 file changed, 132 insertions(+), 80 deletions(-)
+ cifs.upcall.c | 214 ++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 139 insertions(+), 75 deletions(-)
 
 diff --git a/cifs.upcall.c b/cifs.upcall.c
-index e413934..31d102b 100644
+index e413934..ad04301 100644
 --- a/cifs.upcall.c
 +++ b/cifs.upcall.c
 @@ -52,6 +52,9 @@
@@ -119,12 +120,13 @@ index e413934..31d102b 100644
 -decode_key_description(const char *desc, struct decoded_args *arg)
 +__decode_key_description(const char *desc, struct decoded_args *arg)
  {
- 	int len;
+-	int len;
 -	int retval = 0;
++	size_t len;
  	char *pos;
  	const char *tkn = desc;
  
-@@ -826,13 +838,9 @@ decode_key_description(const char *desc, struct decoded_args *arg)
+@@ -826,13 +838,13 @@ decode_key_description(const char *desc, struct decoded_args *arg)
  				len = pos - tkn;
  
  			len -= 5;
@@ -132,8 +134,10 @@ index e413934..31d102b 100644
 -			arg->hostname = strndup(tkn + 5, len);
 -			if (arg->hostname == NULL) {
 -				syslog(LOG_ERR, "Unable to allocate memory");
--				return 1;
--			}
++			if (len > sizeof(arg->hostname)-1) {
++				syslog(LOG_ERR, "host= value too long for buffer");
+ 				return 1;
+ 			}
 -			retval |= DKD_HAVE_HOSTNAME;
 +			memset(arg->hostname, 0, sizeof(arg->hostname));
 +			strncpy(arg->hostname, tkn + 5, len);
@@ -141,7 +145,7 @@ index e413934..31d102b 100644
  			syslog(LOG_DEBUG, "host=%s", arg->hostname);
  		} else if (!strncmp(tkn, "ip4=", 4) || !strncmp(tkn, "ip6=", 4)) {
  			if (pos == NULL)
-@@ -841,13 +849,9 @@ decode_key_description(const char *desc, struct decoded_args *arg)
+@@ -841,13 +853,13 @@ decode_key_description(const char *desc, struct decoded_args *arg)
  				len = pos - tkn;
  
  			len -= 4;
@@ -149,8 +153,10 @@ index e413934..31d102b 100644
 -			arg->ip = strndup(tkn + 4, len);
 -			if (arg->ip == NULL) {
 -				syslog(LOG_ERR, "Unable to allocate memory");
--				return 1;
--			}
++			if (len > sizeof(arg->ip)-1) {
++				syslog(LOG_ERR, "ip[46]= value too long for buffer");
+ 				return 1;
+ 			}
 -			retval |= DKD_HAVE_IP;
 +			memset(arg->ip, 0, sizeof(arg->ip));
 +			strncpy(arg->ip, tkn + 4, len);
@@ -158,7 +164,7 @@ index e413934..31d102b 100644
  			syslog(LOG_DEBUG, "ip=%s", arg->ip);
  		} else if (strncmp(tkn, "user=", 5) == 0) {
  			if (pos == NULL)
-@@ -856,13 +860,9 @@ decode_key_description(const char *desc, struct decoded_args *arg)
+@@ -856,13 +868,13 @@ decode_key_description(const char *desc, struct decoded_args *arg)
  				len = pos - tkn;
  
  			len -= 5;
@@ -166,8 +172,10 @@ index e413934..31d102b 100644
 -			arg->username = strndup(tkn + 5, len);
 -			if (arg->username == NULL) {
 -				syslog(LOG_ERR, "Unable to allocate memory");
--				return 1;
--			}
++			if (len > sizeof(arg->username)-1) {
++				syslog(LOG_ERR, "user= value too long for buffer");
+ 				return 1;
+ 			}
 -			retval |= DKD_HAVE_USERNAME;
 +			memset(arg->username, 0, sizeof(arg->username));
 +			strncpy(arg->username, tkn + 5, len);
@@ -175,7 +183,7 @@ index e413934..31d102b 100644
  			syslog(LOG_DEBUG, "user=%s", arg->username);
  		} else if (strncmp(tkn, "pid=", 4) == 0) {
  			errno = 0;
-@@ -873,13 +873,13 @@ decode_key_description(const char *desc, struct decoded_args *arg)
+@@ -873,13 +885,13 @@ decode_key_description(const char *desc, struct decoded_args *arg)
  				return 1;
  			}
  			syslog(LOG_DEBUG, "pid=%u", arg->pid);
@@ -192,7 +200,7 @@ index e413934..31d102b 100644
  				arg->sec = MS_KRB5;
  			}
  			syslog(LOG_DEBUG, "sec=%d", arg->sec);
-@@ -891,7 +891,7 @@ decode_key_description(const char *desc, struct decoded_args *arg)
+@@ -891,7 +903,7 @@ decode_key_description(const char *desc, struct decoded_args *arg)
  				       strerror(errno));
  				return 1;
  			}
@@ -201,7 +209,7 @@ index e413934..31d102b 100644
  			syslog(LOG_DEBUG, "uid=%u", arg->uid);
  		} else if (strncmp(tkn, "creduid=", 8) == 0) {
  			errno = 0;
-@@ -901,7 +901,7 @@ decode_key_description(const char *desc, struct decoded_args *arg)
+@@ -901,7 +913,7 @@ decode_key_description(const char *desc, struct decoded_args *arg)
  				       strerror(errno));
  				return 1;
  			}
@@ -210,7 +218,7 @@ index e413934..31d102b 100644
  			syslog(LOG_DEBUG, "creduid=%u", arg->creduid);
  		} else if (strncmp(tkn, "ver=", 4) == 0) {	/* if version */
  			errno = 0;
-@@ -911,14 +911,56 @@ decode_key_description(const char *desc, struct decoded_args *arg)
+@@ -911,14 +923,56 @@ decode_key_description(const char *desc, struct decoded_args *arg)
  				       strerror(errno));
  				return 1;
  			}
@@ -269,7 +277,7 @@ index e413934..31d102b 100644
  }
  
  static int setup_key(const key_serial_t key, const void *data, size_t datalen)
-@@ -1098,7 +1140,7 @@ int main(const int argc, char *const argv[])
+@@ -1098,7 +1152,7 @@ int main(const int argc, char *const argv[])
  	bool try_dns = false, legacy_uid = false , env_probe = true;
  	char *buf;
  	char hostbuf[NI_MAXHOST], *host;
@@ -278,7 +286,7 @@ index e413934..31d102b 100644
  	const char *oid;
  	uid_t uid;
  	char *keytab_name = NULL;
-@@ -1109,7 +1151,6 @@ int main(const int argc, char *const argv[])
+@@ -1109,7 +1163,6 @@ int main(const int argc, char *const argv[])
  	const char *key_descr = NULL;
  
  	hostbuf[0] = '\0';
@@ -286,7 +294,7 @@ index e413934..31d102b 100644
  
  	openlog(prog, 0, LOG_DAEMON);
  
-@@ -1150,9 +1191,6 @@ int main(const int argc, char *const argv[])
+@@ -1150,9 +1203,6 @@ int main(const int argc, char *const argv[])
  		}
  	}
  
@@ -296,7 +304,7 @@ index e413934..31d102b 100644
  	/* is there a key? */
  	if (argc <= optind) {
  		usage();
-@@ -1178,6 +1216,10 @@ int main(const int argc, char *const argv[])
+@@ -1178,6 +1228,10 @@ int main(const int argc, char *const argv[])
  
  	syslog(LOG_DEBUG, "key description: %s", buf);
  
@@ -307,7 +315,7 @@ index e413934..31d102b 100644
  	if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0)
  		key_descr = ".cifs.resolver";
  	else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)
-@@ -1187,33 +1229,42 @@ int main(const int argc, char *const argv[])
+@@ -1187,33 +1241,42 @@ int main(const int argc, char *const argv[])
  		goto out;
  	}
  
@@ -359,7 +367,7 @@ index e413934..31d102b 100644
  	else {
  		/* no uid= or creduid= parm -- something is wrong */
  		syslog(LOG_ERR, "No uid= or creduid= parm specified");
-@@ -1221,6 +1272,21 @@ int main(const int argc, char *const argv[])
+@@ -1221,6 +1284,21 @@ int main(const int argc, char *const argv[])
  		goto out;
  	}
  
@@ -381,7 +389,7 @@ index e413934..31d102b 100644
  	/*
  	 * The kernel doesn't pass down the gid, so we resort here to scraping
  	 * one out of the passwd nss db. Note that this might not reflect the
-@@ -1266,20 +1332,7 @@ int main(const int argc, char *const argv[])
+@@ -1266,20 +1344,7 @@ int main(const int argc, char *const argv[])
  	 * look at the environ file.
  	 */
  	env_cachename =
@@ -403,7 +411,7 @@ index e413934..31d102b 100644
  
  	rc = setuid(uid);
  	if (rc == -1) {
-@@ -1301,18 +1354,18 @@ int main(const int argc, char *const argv[])
+@@ -1301,18 +1366,18 @@ int main(const int argc, char *const argv[])
  
  	ccache = get_existing_cc(env_cachename);
  	/* Couldn't find credcache? Try to use keytab */
@@ -426,7 +434,7 @@ index e413934..31d102b 100644
  	case MS_KRB5:
  	case KRB5:
  		/*
-@@ -1328,7 +1381,7 @@ int main(const int argc, char *const argv[])
+@@ -1328,7 +1393,7 @@ int main(const int argc, char *const argv[])
  		 * TRY only:
  		 * cifs/bar.example.com@REALM
  		 */
@@ -435,7 +443,7 @@ index e413934..31d102b 100644
  			oid = OID_KERBEROS5_OLD;
  		else
  			oid = OID_KERBEROS5;
-@@ -1385,10 +1438,10 @@ retry_new_hostname:
+@@ -1385,10 +1450,10 @@ retry_new_hostname:
  				break;
  		}
  
@@ -448,7 +456,7 @@ index e413934..31d102b 100644
  		if (rc)
  			break;
  
-@@ -1396,7 +1449,7 @@ retry_new_hostname:
+@@ -1396,7 +1461,7 @@ retry_new_hostname:
  		host = hostbuf;
  		goto retry_new_hostname;
  	default:
@@ -457,7 +465,7 @@ index e413934..31d102b 100644
  		rc = 1;
  		break;
  	}
-@@ -1414,7 +1467,7 @@ retry_new_hostname:
+@@ -1414,7 +1479,7 @@ retry_new_hostname:
  		rc = 1;
  		goto out;
  	}
@@ -466,7 +474,7 @@ index e413934..31d102b 100644
  	keydata->flags = 0;
  	keydata->sesskey_len = sess_key.length;
  	keydata->secblob_len = secblob.length;
-@@ -1440,11 +1493,10 @@ out:
+@@ -1440,11 +1505,10 @@ out:
  		krb5_cc_close(context, ccache);
  	if (context)
  		krb5_free_context(context);

cifs-utils.changes

@@ -1,8 +1,8 @@
 -------------------------------------------------------------------
 Fri Apr 23 10:41:59 UTC 2021 - Aurelien Aptel <aaptel@suse.com>
 
-- cifs.upcall: fix CVE regression in kerberos mount; (bsc#1184815).
-  * add 0001-cifs.upcall-fix-CVE-regression-in-kerberos-mount.patch
+- cifs.upcall: fix regression in kerberos mount; (bsc#1184815).
+  * add 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch
 
 -------------------------------------------------------------------
 Tue Mar  9 17:17:59 UTC 2021 - palcantara@suse.de

cifs-utils.spec

@@ -38,7 +38,7 @@ Source1:        cifs.init
 
 Patch1:         fix-sbin-install-error.patch
 Patch2:         0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch
-Patch3:         0001-cifs.upcall-fix-CVE-regression-in-kerberos-mount.patch
+Patch3:         0001-cifs.upcall-fix-regression-in-kerberos-mount.patch
 
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
 # /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins