CVE-2025-2312 in cifs-utils

My employer is interested in seeing cifs-utils CVE-2025-2312
(cifs.upcall program from the cifs-utils package makes an upcall to the
wrong namespace in containerized environments) fixed in bookworm. [1]
According to the tracker, the fix depends on a kernel change in addition
to the cifs-utils userspace fix [2, 3].

The kernel change doesn't appear to have been backported to any of the
kernel.org LTS trees, so I've suggested that the people responsible for
implementation of that change should also work to backport it there.
Without this, it seems that even trixie will be vulnerable.

I don't believe that this issue warrants a DSA, or that it should be
considered RC for trixie. If we publish a fix, it should be by way of a
point release containing a kernel that includes the upstream change and
an updated cifs-utils package. Do the maintainers involved agree?

In the event that upstream is unwilling to apply this change to the
kernel LTS trees, would the kernel team consider carrying it as a local
patch?

Thanks
noah

1. https://security-tracker.debian.org/tracker/CVE-2025-2312
2. https://git.kernel.org/linus/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
3. https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174