
Re: CVE-2025-2312 in cifs-utils



Hi Noah,

On Tue, Apr 22, 2025 at 01:49:39PM -0400, Noah Meyerhans wrote:
> My employer is interested in seeing cifs-utils CVE-2025-2312
> (cifs.upcall program from the cifs-utils package makes an upcall to the
> wrong namespace in containerized environments) fixed in bookworm. [1]
> According to the tracker, the fix depends on a kernel change in addition
> to the cifs-utils userspace fix [2, 3].
> 
> The kernel change doesn't appear to have been backported to any of the
> kernel.org LTS trees, so I've suggested that the people responsible for
> implementation of that change should also work to backport it there.
> Without this, it seems that even trixie will be vulnerable.
> 
> I don't believe that this issue warrants a DSA, or that it should be
> considered RC for trixie.  If we publish a fix, it should be by way of a
> point release containing a kernel that includes the upstream change and
> an updated cifs-utils package.  Do the maintainers involved agree?

Speaking for the security-team, right, the issue does not warrant a DSA
on its own, it might be addressed in a point release (and have it
already prepared in the occurrence of using a kernel with the kernel
side fix). I cannot speak though for the cifs-utils maintainers.
> 
> In the event that upstream is unwilling to apply this change to the
> kernel LTS trees, would the kernel team consider carrying it as a local
> patch?

Speaking for the kernel-team: No, if we want that change in stable and
for the 6.1.y kernel then it should be accepted upstream in the 6.1.y
series. As an alternative, your employer might use the backports kernel?

Regards,
Salvatore

