Bug#651897: pu: package cifs-utils/2:4.5-2+squeeze1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
The security team asked us to consider an upload to pu fixing two low-severity security issues (which don't warrant a DSA).
Attached a debdiff of the proposed upload.
Cheers
Luk
diff -Nru cifs-utils-4.5/debian/changelog cifs-utils-4.5/debian/changelog
--- cifs-utils-4.5/debian/changelog 2010-06-04 22:33:37.000000000 +0200
+++ cifs-utils-4.5/debian/changelog 2011-12-12 23:28:04.000000000 +0100
@@ -1,3 +1,11 @@
+cifs-utils (2:4.5-2+squeeze1) stable; urgency=low
+
+ * Stable update to prevent mtab corruption
+ - CVE-2011-1678
+ - CVE-2011-2724
+
+ -- Luk Claes <luk@debian.org> Mon, 12 Dec 2011 23:21:58 +0100
+
cifs-utils (2:4.5-2) unstable; urgency=low
* Lintian override for the suid-root binary.
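Review bot: the changelog entry covers both CVEs with the single line "Stable update to prevent mtab corruption", but CVE-2011-2724.patch changes how check_mtab() treats check_newline() results rather than the mtab write path, so one short line per CVE (the ENOSPC/EFBIG handling when appending mtab for CVE-2011-1678, the stricter check_newline() handling for CVE-2011-2724) would make the stable update self-describing for anyone reading the changelog alone.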
diff -Nru cifs-utils-4.5/debian/patches/CVE-2011-1678.patch cifs-utils-4.5/debian/patches/CVE-2011-1678.patch
--- cifs-utils-4.5/debian/patches/CVE-2011-1678.patch 1970-01-01 01:00:00.000000000 +0100
+++ cifs-utils-4.5/debian/patches/CVE-2011-1678.patch 2011-12-12 23:41:59.000000000 +0100
@@ -0,0 +1,134 @@
+From: Jeff Layton <jlayton@samba.org>
+Date: Tue, 12 Jul 2011 12:19:33 +0000 (-0400)
+Subject: mtab: handle ENOSPC/EFBIG condition properly when altering mtab
+X-Git-Tag: cifs-utils-5.1~19
+X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=commitdiff_plain;h=f6eae44a3d05b6515a59651e6bed8b6dde689aec
+
+mtab: handle ENOSPC/EFBIG condition properly when altering mtab
+
+It's possible that when mount.cifs goes to append the mtab that there
+won't be enough space to do so, and the mntent won't be appended to the
+file in its entirety.
+
+Add a my_endmntent routine that will fflush and then fsync the FILE if
+that succeeds. If either fails then it will truncate the file back to
+its provided size. It will then call endmntent unconditionally.
+
+Have add_mtab call fstat on the opened mtab file in order to get the
+size of the file before it has been appended. Assuming that that
+succeeds, use my_endmntent to ensure that the file is not corrupted
+before closing it. It's possible that we'll have a small race window
+where the mtab is incorrect, but it should be quickly corrected.
+
+This was reported some time ago as CVE-2011-1678:
+
+ http://openwall.com/lists/oss-security/2011/03/04/9
+
+...and it seems to fix the reproducer that I was able to come up with.
+
+Signed-off-by: Jeff Layton <jlayton@samba.org>
+Reviewed-by: Suresh Jayaraman <sjayaraman@suse.de>
+---
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 9d7e107..107a5a5 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -1428,10 +1428,11 @@ static int check_mtab(const char *progname, const char *devname,
+ static int
+ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstype)
+ {
+- int rc = 0;
++ int rc = 0, tmprc, fd;
+ uid_t uid;
+ char *mount_user = NULL;
+ struct mntent mountent;
++ struct stat statbuf;
+ FILE *pmntfile;
+ sigset_t mask, oldmask;
+
+@@ -1483,6 +1484,23 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstyp
+ goto add_mtab_exit;
+ }
+
++ fd = fileno(pmntfile);
++ if (fd < 0) {
++ fprintf(stderr, "mntent does not appear to be valid\n");
++ unlock_mtab();
++ rc = EX_FILEIO;
++ goto add_mtab_exit;
++ }
++
++ rc = fstat(fd, &statbuf);
++ if (rc != 0) {
++ fprintf(stderr, "unable to fstat open mtab\n");
++ endmntent(pmntfile);
++ unlock_mtab();
++ rc = EX_FILEIO;
++ goto add_mtab_exit;
++ }
++
+ mountent.mnt_fsname = devname;
+ mountent.mnt_dir = mountpoint;
+ mountent.mnt_type = (char *)(void *)fstype;
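Review bot: the fileno() failure branch (`if (fd < 0)`) calls unlock_mtab() and jumps to add_mtab_exit without endmntent(pmntfile), whereas the fstat() failure branch directly below it does call endmntent() first, so the mtab stream is leaked on that path; add `endmntent(pmntfile);` ahead of unlock_mtab() there. The message "mntent does not appear to be valid" also names the wrong object: it is the descriptor behind the stream that could not be obtained.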
+@@ -1514,5 +1532,14 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstyp
+ rc = addmntent(pmntfile, &mountent);
++ if (rc) {
++ fprintf(stderr, "unable to add mount entry to mtab\n");
++ ftruncate(fd, statbuf.st_size);
++ rc = EX_FILEIO;
++ }
++ tmprc = my_endmntent(pmntfile, statbuf.st_size);
++ if (tmprc) {
++ fprintf(stderr, "error %d detected on close of mtab\n", tmprc);
++ rc = EX_FILEIO;
++ }
+- endmntent(pmntfile);
+ unlock_mtab();
+ SAFE_FREE(mountent.mnt_opts);
+ add_mtab_exit:
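Review bot: the ftruncate(fd, statbuf.st_size) in the addmntent() failure branch runs while pmntfile may still hold buffered output, and my_endmntent() then fflush()es that buffer, so whether the partial entry is discarded or re-appended past the truncation point depends on what the C library keeps buffered after a failed write. Flush before truncating (an fflush(pmntfile) whose result can be ignored, placed ahead of the ftruncate), or move the truncate into my_endmntent() behind a flag, so the rollback always comes after the last flush. The ftruncate() result is also dropped here without the "best effort" comment that mtab.c carries; add it.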
+diff --git a/mount.h b/mount.h
+index d49c2ea..80bdbe7 100644
+--- a/mount.h
++++ b/mount.h
+@@ -35,4 +35,5 @@
+ extern int lock_mtab(void);
+ extern void unlock_mtab(void);
++extern int my_endmntent(FILE *stream, off_t size);
+
+ #endif /* ! _MOUNT_H_ */
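Review bot: the new prototype uses off_t, which is defined in <sys/types.h>; the hunk does not show mount.h's includes, so confirm that header is included (directly or via another include), otherwise a translation unit that includes mount.h before <sys/types.h> fails to compile.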
+diff --git a/mtab.c b/mtab.c
+index 9cd50d8..de545b7 100644
+--- a/mtab.c
++++ b/mtab.c
+@@ -251,3 +251,30 @@ lock_mtab (void) {
+ return 0;
+ }
+
++/*
++ * Call fflush and fsync on the mtab, and then endmntent. If either fflush
++ * or fsync fails, then truncate the file back to "size". endmntent is called
++ * unconditionally, and the errno (if any) from fflush and fsync are returned.
++ */
++int
++my_endmntent(FILE *stream, off_t size)
++{
++ int rc, fd;
++
++ fd = fileno(stream);
++ if (fd < 0)
++ return -EBADF;
++
++ rc = fflush(stream);
++ if (!rc)
++ rc = fsync(fd);
++
++ /* truncate file back to "size" -- best effort here */
++ if (rc) {
++ rc = errno;
++ ftruncate(fd, size);
++ }
++
++ endmntent(stream);
++ return rc;
++}
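Review bot: the `if (fd < 0) return -EBADF;` path returns without calling endmntent(), contradicting the comment above it ("endmntent is called unconditionally") and leaking the stream; it also returns a negative value while the fflush()/fsync() path returns a positive errno, so the caller's "error %d detected on close of mtab" prints two conventions. Suggest `if (fd < 0) { endmntent(stream); return EBADF; }`, and keep the comment's promise that the return value is always a plain errno.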
diff -Nru cifs-utils-4.5/debian/patches/CVE-2011-2724.patch cifs-utils-4.5/debian/patches/CVE-2011-2724.patch
--- cifs-utils-4.5/debian/patches/CVE-2011-2724.patch 1970-01-01 01:00:00.000000000 +0100
+++ cifs-utils-4.5/debian/patches/CVE-2011-2724.patch 2011-12-12 23:18:35.000000000 +0100
@@ -0,0 +1,16 @@
+X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=aa4581f3cf3f3dc0515666fbc985a97d5e846f38;hp=107a5a5c5280abe02614cdebdc052b91a13d19d9;hb=1e7a32924b22d1f786b6f490ce8590656f578f91;hpb=861824f588a870da7c110b6f199eb5ce7d4dc476
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 107a5a5..aa4581f 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -1419,8 +1419,7 @@ static int check_newline(const char *progname, const char *name)
+ static int check_mtab(const char *progname, const char *devname,
+ const char *dir)
+ {
+- if (check_newline(progname, devname) == -1 ||
+- check_newline(progname, dir) == -1)
++ if (check_newline(progname, devname) || check_newline(progname, dir))
+ return EX_USAGE;
+ return 0;
+ }
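Review bot: this patch file carries only an X-Git-Url line and no From/Subject/description, unlike CVE-2011-1678.patch, so a reader cannot tell what check_newline() returns besides -1 and 0 or why testing `== -1` was wrong; add the upstream commit header (hb=1e7a32924b22d1f786b6f490ce8590656f578f91) and one sentence stating that any non-zero check_newline() result is now treated as failure, since the hunk does not show check_newline()'s return values.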
diff -Nru cifs-utils-4.5/debian/patches/series cifs-utils-4.5/debian/patches/series
--- cifs-utils-4.5/debian/patches/series 2010-06-04 22:33:38.000000000 +0200
+++ cifs-utils-4.5/debian/patches/series 2011-12-12 23:42:37.000000000 +0100
@@ -1 +1,3 @@
debian-changes-2:4.5-2
+CVE-2011-1678.patch
+CVE-2011-2724.patch
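Added example, not cifs-utils code and not part of the debdiff above: the sequence the CVE-2011-1678 commit message describes (record the starting size, append, flush and fsync, truncate back on failure), written against a raw file descriptor rather than stdio/addmntent so the rollback does not depend on what the C library keeps buffered after a failed write. The driver provokes the EFBIG case with RLIMIT_FSIZE on a scratch file; the mtab-style records, the scratch path and the function names are made up for this example.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Append one record so that a failed append (ENOSPC, EFBIG, ...) leaves the file
 * as it was: note the size, append, fsync, and on any failure truncate back to
 * the noted size.  Raw write(2) is used rather than stdio so no partial record
 * can linger in a stdio buffer and be flushed after the rollback.
 * Returns 0 on success, otherwise a positive errno value. */
int append_record_atomic(const char *path, const char *record)
{
    struct stat st;
    size_t len = strlen(record), done = 0;
    int err = 0, fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);

    if (fd < 0)
        return errno;
    if (fstat(fd, &st) != 0) {
        err = errno; close(fd); return err;
    }
    while (done < len) {
        ssize_t n = write(fd, record + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            err = errno;                  /* e.g. EFBIG or ENOSPC */
            break;
        }
        done += (size_t)n;                /* short writes occur next to a limit */
    }
    if (err == 0 && fsync(fd) != 0)
        err = errno;
    if (err != 0) {                       /* roll back the partial record, best effort */
        (void)ftruncate(fd, st.st_size);
        (void)fsync(fd);
    }
    if (close(fd) != 0 && err == 0)
        err = errno;
    return err;
}

/* Size of a file in bytes, or -1 if it cannot be stat'ed. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Provoke the "file cannot grow" case with RLIMIT_FSIZE (the EFBIG path the
 * commit message names) on a scratch file of made-up mtab-style records.
 * Returns 0 if the failed append was rolled back cleanly, else the failing step. */
int demo_rollback(void)
{
    const char *rec1 = "//server/share /mnt/share cifs rw 0 0\n";
    const char *rec2 = "//server/other /mnt/other/longer/mountpoint cifs rw,user=alice 0 0\n";
    char path[4096];
    struct rlimit old, lim;
    long size1 = 0;
    int fd, rc, step = 0;

    snprintf(path, sizeof path, "%s/mtab-demo-XXXXXX", getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp");
    if ((fd = mkstemp(path)) < 0)
        return 1;
    close(fd);
    if (append_record_atomic(path, rec1) != 0)
        step = 2;
    else if ((size1 = file_size(path)) != (long)strlen(rec1))
        step = 3;
    else {
        /* Cap the file a few bytes above its size: the second append becomes a short
           write followed by EFBIG.  Ignore SIGXFSZ or the kernel kills the process. */
        signal(SIGXFSZ, SIG_IGN);
        getrlimit(RLIMIT_FSIZE, &old);
        lim = old; lim.rlim_cur = (rlim_t)size1 + 8;
        if (setrlimit(RLIMIT_FSIZE, &lim) != 0)
            step = 4;
        else {
            rc = append_record_atomic(path, rec2);
            setrlimit(RLIMIT_FSIZE, &old);          /* restore the soft limit */
            if (rc != EFBIG)
                step = 5;
            else if (file_size(path) != size1)
                step = 6;                           /* partial record survived */
        }
    }
    unlink(path);
    return step;
}

int main(void)
{
    int step = demo_rollback();
    printf("rollback demo: %s (step %d)\n", step ? "FAILED" : "OK", step);
    return step != 0;
}
```

demo_rollback() returns 0 when the second append fails with EFBIG and the file is back to its pre-append size. The ordering is the point to carry over to the patch: truncate only after the last flush of whatever buffer sits in front of the descriptor (or bypass stdio), otherwise a flush at close can re-append the partial entry.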