- Package: src:cifs-utils
- Source: cifs-utils
- Submitter: Salvatore Bonaccorso
- Date: 2022-06-18 11:51:04 UTC
- Severity: grave
- Tags:
Hi,

The following vulnerabilities were published for cifs-utils.

CVE-2022-27239[0]:
| In cifs-utils through 6.14, a stack-based buffer overflow when parsing
| the mount.cifs ip= command-line argument could lead to local attackers
| gaining root privileges.

CVE-2022-29869[1]:
| cifs-utils through 6.14, with verbose logging, can cause an
| information leak when a file contains = (equal sign) characters but is
| not a valid credentials file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-27239
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27239
[1] https://security-tracker.debian.org/tracker/CVE-2022-29869
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29869

Regards,
Salvatore

Hi,

Working on the buster- and bullseye-security updates and can propose
as well a NMU for unstable if needed.

Regards,
Salvatore

Dear maintainer,

I've prepared an NMU for cifs-utils (versioned as 2:6.14-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

We believe that the bug you reported is fixed in the latest version of
cifs-utils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1010818@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated cifs-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 10 May 2022 21:59:48 +0200
Source: cifs-utils
Architecture: source
Version: 2:6.14-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1010818
Changes:
cifs-utils (2:6.14-1.1) unstable; urgency=high
.
* Non-maintainer upload.
* mount.cifs: fix length check for ip option parsing (CVE-2022-27239)
(Closes: #1010818)
* mount.cifs: fix verbose messages on option parsing (CVE-2022-29869)
(Closes: #1010818)
Format: 1.8
Date: Tue, 10 May 2022 22:12:42 +0200
Source: cifs-utils
Architecture: source
Version: 2:6.11-3.1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1010818
Changes:
cifs-utils (2:6.11-3.1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* mount.cifs: fix length check for ip option parsing (CVE-2022-27239)
(Closes: #1010818)
* mount.cifs: fix verbose messages on option parsing (CVE-2022-29869)
(Closes: #1010818)
Format: 1.8
Date: Tue, 10 May 2022 22:26:50 +0200
Source: cifs-utils
Architecture: source
Version: 2:6.8-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1010818
Changes:
cifs-utils (2:6.8-2+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* mount.cifs: fix length check for ip option parsing (CVE-2022-27239)
(Closes: #1010818)
* mount.cifs: fix verbose messages on option parsing (CVE-2022-29869)
(Closes: #1010818)