Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0001-Fix-fPIE-casing.patch | [PATCH] Fix -fPIE casing<br><br>-fpie seems to work, but blhc complains that -fPIE is missing | Mathieu Parent <math.parent@gmail.com> | yes | upstream | | 2019-07-31 |
0002-Install-hook-relative-to-DESTDIR.patch | [PATCH] Install hook relative to $(DESTDIR) | Mathieu Parent <math.parent@gmail.com> | no | | | 2020-11-13 |
0003-Change-script-shbangs-to-python3.patch | [PATCH] Change script shbangs to python3 | Mathieu Parent <math.parent@gmail.com> | no | | | 2020-11-13 |
0010-CVE-2021-20208.patch | [PATCH] cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces<br><br>In certain scenarios (e.g. kerberos multimount), when a process does syscalls, the kernel sometimes has to query information or trigger some actions in userspace. To do so it calls the cifs.upcall binary with information on the process that triggered the syscall in the first place.<br><br>ls(pid=10) ====> open("foo") ====> kernel<br>that user doesn't have an SMB session, let's create one using his kerberos credential cache<br>call cifs.upcall and ask for krb info for whoever owns pid=10<br>cifs.upcall --pid 10 <=================+<br>...gather info...<br>return binary blob used when establishing SMB session ===================> kernel<br>open SMB session, handle open() syscall<br>ls <=================================== return open() result to ls<br><br>On a system using containers, the kernel is still calling the host cifs.upcall and using the host configuration (for network, pid, etc). This patch changes the behaviour of cifs.upcall so that it uses the calling process namespaces (ls in the example) when doing its job. Note that the kernel still calls the binary in the host, but the binary will place itself in the contexts of the calling process namespaces.<br><br>This code makes use of (but shouldn't require) the following kernel config options and syscall flags:<br>approx. year \| introduced \| config/flags | Alastair Houghton <alastair@alastairs-place.net> | no | | | 2020-12-29 |
0011-fix-regression-for-CVE-2021-20208.patch | [PATCH v4] cifs.upcall: fix regression in kerberos mount<br><br>The fix for CVE-2021-20208 in commit e461afd ("cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces") introduced a regression for kerberos mounts when cifs-utils is built with libcap-ng. It makes mount fail with ENOKEY "Required key not available".<br><br>Current state:<br>mount.cifs ---> mount() ---> kernel<br>negprot, session setup (need security blob for krb)<br>request_key("cifs.spnego", payload="pid=%d;username=...")<br>upcall /sbin/request-key<br>reads /etc/request-keys.conf<br>dispatch cifs.spnego request<br>calls `/usr/sbin/cifs.upcall <key id>`<br>- drop privileges (capabilities)<br>- fetch keyid<br>- parse payload<br>- switch to mount.cifs namespaces<br>- call krb5_xxx() funcs<br>- generate security blob<br>- set key value to security blob<br>---> kernel<br>put blob in session setup packet<br>continue auth<br>open tcon<br>get share root<br>setup superblock<br>mount.cifs mount() returns<br><br>By the time cifs.upcall tries to switch to namespaces, enough capabilities have dropped in trim_capabilities() that it makes setns() fail with EPERM. setns() requires CAP_SYS_ADMIN. With libcap trim_capabilities() is a no-op.<br><br>This fix:<br>- moves the namespace switch earlier so that operations like setgroups(), setgid(), scanning of pid environment, ... happen in the contained namespaces.<br>- moves trim_capabilities() after the namespace switch<br>- moves the string processing to decode the key request payload in a child process with minimum capabilities. The decoded data is shared with the parent process via shared memory obtained with mmap(). | Aurelien Aptel <aaptel@suse.com> | no | | | 2021-04-21 |
CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch | CVE-2022-27239: mount.cifs: fix length check for ip option parsing<br><br>Previous check was true whatever the length of the input string was, leading to a buffer overflow in the subsequent strcpy call. | Jeffrey Bencteux <jbe@improsec.com> | yes | debian upstream | https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d | 2022-03-17 |
mount.cifs-fix-verbose-messages-on-option-parsing.patch | mount.cifs: fix verbose messages on option parsing<br><br>When verbose logging is enabled, invalid credentials file lines may be dumped to stderr. This may lead to information disclosure in particular conditions when the credentials file given is sensitive and contains '=' signs. | Jeffrey Bencteux <jbe@improsec.com> | yes | debian upstream | https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 | 2022-03-19 |