From aa38f0c77391dbd47a2ab95bba1d3285000ce938f5d9aafda09515d7c868d468 Mon Sep 17 00:00:00 2001 From: David Disseldorp Date: Tue, 27 Apr 2021 12:30:18 +0000 Subject: [PATCH] Accepting request 888768 from home:aaptel:cifs-utils-cvefix update patch and patch name with ddiss comments OBS-URL: https://build.opensuse.org/request/show/888768 OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/cifs-utils?expand=0&rev=193 --- ...all-fix-regression-in-kerberos-mount.patch | 80 ++++++++++--------- cifs-utils.changes | 4 +- cifs-utils.spec | 2 +- 3 files changed, 47 insertions(+), 39 deletions(-) rename 0001-cifs.upcall-fix-CVE-regression-in-kerberos-mount.patch => 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch (84%) diff --git a/0001-cifs.upcall-fix-CVE-regression-in-kerberos-mount.patch b/0001-cifs.upcall-fix-regression-in-kerberos-mount.patch similarity index 84% rename from 0001-cifs.upcall-fix-CVE-regression-in-kerberos-mount.patch rename to 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch index 9a917e5..f20f688 100644 --- a/0001-cifs.upcall-fix-CVE-regression-in-kerberos-mount.patch +++ b/0001-cifs.upcall-fix-regression-in-kerberos-mount.patch @@ -1,10 +1,13 @@ -From 5e885b485f08045e95e7f29418facf777e053fc3 Mon Sep 17 00:00:00 2001 +From 4ca235223d948fe4f3392da28b1471bce36e88d4 Mon Sep 17 00:00:00 2001 From: Aurelien Aptel Date: Wed, 21 Apr 2021 16:22:15 +0200 -Subject: [PATCH v2] cifs.upcall: fix CVE regression in kerberos mount +Subject: [PATCH v4] cifs.upcall: fix regression in kerberos mount -The last CVE fix introduced a regression for kerberos mounts when -cifs-utils is built with libcap-ng. +The fix for CVE-2021-20208 in commit e461afd ("cifs.upcall: try to use +container ipc/uts/net/pid/mnt/user namespaces") introduced a +regression for kerberos mounts when cifs-utils is built with +libcap-ng. It makes mount fail with ENOKEY "Required key not +available". Current state: 
@@ -52,14 +55,12 @@ This fix: Fixes: e461afd ("cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces") Signed-off-by: Aurelien Aptel -Reviewed-by: Paulo Alcantara - --- - cifs.upcall.c | 212 +++++++++++++++++++++++++++++++------------------- - 1 file changed, 132 insertions(+), 80 deletions(-) + cifs.upcall.c | 214 ++++++++++++++++++++++++++++++++------------------ + 1 file changed, 139 insertions(+), 75 deletions(-) diff --git a/cifs.upcall.c b/cifs.upcall.c -index e413934..31d102b 100644 +index e413934..ad04301 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -52,6 +52,9 @@ @@ -119,12 +120,13 @@ index e413934..31d102b 100644 -decode_key_description(const char *desc, struct decoded_args *arg) +__decode_key_description(const char *desc, struct decoded_args *arg) { - int len; +- int len; - int retval = 0; ++ size_t len; char *pos; const char *tkn = desc; -@@ -826,13 +838,9 @@ decode_key_description(const char *desc, struct decoded_args *arg) +@@ -826,13 +838,13 @@ decode_key_description(const char *desc, struct decoded_args *arg) len = pos - tkn; len -= 5; @@ -132,8 +134,10 @@ index e413934..31d102b 100644 - arg->hostname = strndup(tkn + 5, len); - if (arg->hostname == NULL) { - syslog(LOG_ERR, "Unable to allocate memory"); -- return 1; -- } ++ if (len > sizeof(arg->hostname)-1) { ++ syslog(LOG_ERR, "host= value too long for buffer"); + return 1; + } - retval |= DKD_HAVE_HOSTNAME; + memset(arg->hostname, 0, sizeof(arg->hostname)); + strncpy(arg->hostname, tkn + 5, len); @@ -141,7 +145,7 @@ index e413934..31d102b 100644 syslog(LOG_DEBUG, "host=%s", arg->hostname); } else if (!strncmp(tkn, "ip4=", 4) || !strncmp(tkn, "ip6=", 4)) { if (pos == NULL) -@@ -841,13 +849,9 @@ decode_key_description(const char *desc, struct decoded_args *arg) +@@ -841,13 +853,13 @@ decode_key_description(const char *desc, struct decoded_args *arg) len = pos - tkn; len -= 4; 
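Review bot: The length guard and the memset/strncpy pair in the host= branch are repeated verbatim for ip4=/ip6= and user= (outer hunks `@@ -149,8 +153,10 @@` and `@@ -166,8 +172,10 @@`), so a field added later can pick up the copy without the check. NUL termination also depends implicitly on the preceding memset and on `len` being unsigned, which holds only because the same revision switches it to `size_t`. A single static helper that takes the destination size, rejects `len >= size` and clears the tail explicitly would keep the bound and the copy in one place. This assumes `hostname`, `ip` and `username` are fixed-size arrays in `struct decoded_args`, as the `sizeof` use suggests; the struct definition and the rest of `__decode_key_description` are outside these hunks.

```c
/* Copy a len-byte token value into a fixed-size field, rejecting values that do not fit. */
static int
copy_token_value(char *dst, size_t dstsize, const char *src, size_t len,
		 const char *what)
{
	if (len >= dstsize) {
		syslog(LOG_ERR, "%s value too long for buffer", what);
		return 1;
	}
	memcpy(dst, src, len);
	/* zero the tail so the field is always NUL-terminated */
	memset(dst + len, 0, dstsize - len);
	return 0;
}

/* … unchanged: token scan and len computation in __decode_key_description … */
		if (copy_token_value(arg->hostname, sizeof(arg->hostname),
				     tkn + 5, len, "host="))
			return 1;
/* … unchanged: syslog(LOG_DEBUG, "host=%s", ...); same call shape for ip[46]= and user= … */
```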
@@ -149,8 +153,10 @@ index e413934..31d102b 100644 - arg->ip = strndup(tkn + 4, len); - if (arg->ip == NULL) { - syslog(LOG_ERR, "Unable to allocate memory"); -- return 1; -- } ++ if (len > sizeof(arg->ip)-1) { ++ syslog(LOG_ERR, "ip[46]= value too long for buffer"); + return 1; + } - retval |= DKD_HAVE_IP; + memset(arg->ip, 0, sizeof(arg->ip)); + strncpy(arg->ip, tkn + 4, len); @@ -158,7 +164,7 @@ index e413934..31d102b 100644 syslog(LOG_DEBUG, "ip=%s", arg->ip); } else if (strncmp(tkn, "user=", 5) == 0) { if (pos == NULL) -@@ -856,13 +860,9 @@ decode_key_description(const char *desc, struct decoded_args *arg) +@@ -856,13 +868,13 @@ decode_key_description(const char *desc, struct decoded_args *arg) len = pos - tkn; len -= 5; @@ -166,8 +172,10 @@ index e413934..31d102b 100644 - arg->username = strndup(tkn + 5, len); - if (arg->username == NULL) { - syslog(LOG_ERR, "Unable to allocate memory"); -- return 1; -- } ++ if (len > sizeof(arg->username)-1) { ++ syslog(LOG_ERR, "user= value too long for buffer"); + return 1; + } - retval |= DKD_HAVE_USERNAME; + memset(arg->username, 0, sizeof(arg->username)); + strncpy(arg->username, tkn + 5, len); @@ -175,7 +183,7 @@ index e413934..31d102b 100644 syslog(LOG_DEBUG, "user=%s", arg->username); } else if (strncmp(tkn, "pid=", 4) == 0) { errno = 0; -@@ -873,13 +873,13 @@ decode_key_description(const char *desc, struct decoded_args *arg) +@@ -873,13 +885,13 @@ decode_key_description(const char *desc, struct decoded_args *arg) return 1; } syslog(LOG_DEBUG, "pid=%u", arg->pid); @@ -192,7 +200,7 @@ index e413934..31d102b 100644 arg->sec = MS_KRB5; } syslog(LOG_DEBUG, "sec=%d", arg->sec); -@@ -891,7 +891,7 @@ decode_key_description(const char *desc, struct decoded_args *arg) +@@ -891,7 +903,7 @@ decode_key_description(const char *desc, struct decoded_args *arg) strerror(errno)); return 1; } 
@@ -201,7 +209,7 @@ index e413934..31d102b 100644 syslog(LOG_DEBUG, "uid=%u", arg->uid); } else if (strncmp(tkn, "creduid=", 8) == 0) { errno = 0; -@@ -901,7 +901,7 @@ decode_key_description(const char *desc, struct decoded_args *arg) +@@ -901,7 +913,7 @@ decode_key_description(const char *desc, struct decoded_args *arg) strerror(errno)); return 1; } @@ -210,7 +218,7 @@ index e413934..31d102b 100644 syslog(LOG_DEBUG, "creduid=%u", arg->creduid); } else if (strncmp(tkn, "ver=", 4) == 0) { /* if version */ errno = 0; -@@ -911,14 +911,56 @@ decode_key_description(const char *desc, struct decoded_args *arg) +@@ -911,14 +923,56 @@ decode_key_description(const char *desc, struct decoded_args *arg) strerror(errno)); return 1; } @@ -269,7 +277,7 @@ index e413934..31d102b 100644 } static int setup_key(const key_serial_t key, const void *data, size_t datalen) -@@ -1098,7 +1140,7 @@ int main(const int argc, char *const argv[]) +@@ -1098,7 +1152,7 @@ int main(const int argc, char *const argv[]) bool try_dns = false, legacy_uid = false , env_probe = true; char *buf; char hostbuf[NI_MAXHOST], *host; @@ -278,7 +286,7 @@ index e413934..31d102b 100644 const char *oid; uid_t uid; char *keytab_name = NULL; -@@ -1109,7 +1151,6 @@ int main(const int argc, char *const argv[]) +@@ -1109,7 +1163,6 @@ int main(const int argc, char *const argv[]) const char *key_descr = NULL; hostbuf[0] = '\0'; @@ -286,7 +294,7 @@ index e413934..31d102b 100644 openlog(prog, 0, LOG_DAEMON); -@@ -1150,9 +1191,6 @@ int main(const int argc, char *const argv[]) +@@ -1150,9 +1203,6 @@ int main(const int argc, char *const argv[]) } } @@ -296,7 +304,7 @@ index e413934..31d102b 100644 /* is there a key? */ if (argc <= optind) { usage(); -@@ -1178,6 +1216,10 @@ int main(const int argc, char *const argv[]) +@@ -1178,6 +1228,10 @@ int main(const int argc, char *const argv[]) syslog(LOG_DEBUG, "key description: %s", buf); 
@@ -307,7 +315,7 @@ index e413934..31d102b 100644 if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) key_descr = ".cifs.resolver"; else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0) -@@ -1187,33 +1229,42 @@ int main(const int argc, char *const argv[]) +@@ -1187,33 +1241,42 @@ int main(const int argc, char *const argv[]) goto out; } @@ -359,7 +367,7 @@ index e413934..31d102b 100644 else { /* no uid= or creduid= parm -- something is wrong */ syslog(LOG_ERR, "No uid= or creduid= parm specified"); -@@ -1221,6 +1272,21 @@ int main(const int argc, char *const argv[]) +@@ -1221,6 +1284,21 @@ int main(const int argc, char *const argv[]) goto out; } @@ -381,7 +389,7 @@ index e413934..31d102b 100644 /* * The kernel doesn't pass down the gid, so we resort here to scraping * one out of the passwd nss db. Note that this might not reflect the -@@ -1266,20 +1332,7 @@ int main(const int argc, char *const argv[]) +@@ -1266,20 +1344,7 @@ int main(const int argc, char *const argv[]) * look at the environ file. */ env_cachename = @@ -403,7 +411,7 @@ index e413934..31d102b 100644 rc = setuid(uid); if (rc == -1) { -@@ -1301,18 +1354,18 @@ int main(const int argc, char *const argv[]) +@@ -1301,18 +1366,18 @@ int main(const int argc, char *const argv[]) ccache = get_existing_cc(env_cachename); /* Couldn't find credcache? Try to use keytab */ @@ -426,7 +434,7 @@ index e413934..31d102b 100644 case MS_KRB5: case KRB5: /* -@@ -1328,7 +1381,7 @@ int main(const int argc, char *const argv[]) +@@ -1328,7 +1393,7 @@ int main(const int argc, char *const argv[]) * TRY only: * cifs/bar.example.com@REALM */ @@ -435,7 +443,7 @@ index e413934..31d102b 100644 oid = OID_KERBEROS5_OLD; else oid = OID_KERBEROS5; -@@ -1385,10 +1438,10 @@ retry_new_hostname: +@@ -1385,10 +1450,10 @@ retry_new_hostname: break; } 
@@ -448,7 +456,7 @@ index e413934..31d102b 100644 if (rc) break; -@@ -1396,7 +1449,7 @@ retry_new_hostname: +@@ -1396,7 +1461,7 @@ retry_new_hostname: host = hostbuf; goto retry_new_hostname; default: @@ -457,7 +465,7 @@ index e413934..31d102b 100644 rc = 1; break; } -@@ -1414,7 +1467,7 @@ retry_new_hostname: +@@ -1414,7 +1479,7 @@ retry_new_hostname: rc = 1; goto out; } @@ -466,7 +474,7 @@ index e413934..31d102b 100644 keydata->flags = 0; keydata->sesskey_len = sess_key.length; keydata->secblob_len = secblob.length; -@@ -1440,11 +1493,10 @@ out: +@@ -1440,11 +1505,10 @@ out: krb5_cc_close(context, ccache); if (context) krb5_free_context(context); diff --git a/cifs-utils.changes b/cifs-utils.changes index b0529b1..3deb669 100644 --- a/cifs-utils.changes +++ b/cifs-utils.changes @@ -1,8 +1,8 @@ ------------------------------------------------------------------- Fri Apr 23 10:41:59 UTC 2021 - Aurelien Aptel -- cifs.upcall: fix CVE regression in kerberos mount; (bsc#1184815). - * add 0001-cifs.upcall-fix-CVE-regression-in-kerberos-mount.patch +- cifs.upcall: fix regression in kerberos mount; (bsc#1184815). + * add 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch ------------------------------------------------------------------- Tue Mar 9 17:17:59 UTC 2021 - palcantara@suse.de diff --git a/cifs-utils.spec b/cifs-utils.spec index 024ac62..685293d 100644 --- a/cifs-utils.spec +++ b/cifs-utils.spec @@ -38,7 +38,7 @@ Source1: cifs.init Patch1: fix-sbin-install-error.patch Patch2: 0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch -Patch3: 0001-cifs.upcall-fix-CVE-regression-in-kerberos-mount.patch +Patch3: 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko # /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins