
Bug#651897: pu: package cifs-utils/2:4.5-2+squeeze1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

The security team asked us to consider an upload to pu fixing two low-severity security issues (which don't warrant a DSA).

Attached a debdiff of the proposed upload.

Cheers

Luk
diff -Nru cifs-utils-4.5/debian/changelog cifs-utils-4.5/debian/changelog
--- cifs-utils-4.5/debian/changelog	2010-06-04 22:33:37.000000000 +0200
+++ cifs-utils-4.5/debian/changelog	2011-12-12 23:28:04.000000000 +0100
@@ -1,3 +1,11 @@
+cifs-utils (2:4.5-2+squeeze1) stable; urgency=low
+
+  * Stable update to prevent mtab corruption
+    - CVE-2011-1678
+    - CVE-2011-2724
+
+ -- Luk Claes <luk@debian.org>  Mon, 12 Dec 2011 23:21:58 +0100
+
 cifs-utils (2:4.5-2) unstable; urgency=low
 
   * Lintian override for the suid-root binary.
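Review bot: the changelog names the two CVEs but not what either one fixes, and for a stable update the changelog is the first thing users and the security tracker grep; give each its own line, e.g. "- CVE-2011-1678: roll mtab back to its previous size when appending the new entry fails (ENOSPC/EFBIG)" and "- CVE-2011-2724: make check_mtab() honour any non-zero return from check_newline(), so device or mountpoint names containing a newline are refused", and reference the upstream commit ids that the two patch headers already carry.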
diff -Nru cifs-utils-4.5/debian/patches/CVE-2011-1678.patch cifs-utils-4.5/debian/patches/CVE-2011-1678.patch
--- cifs-utils-4.5/debian/patches/CVE-2011-1678.patch	1970-01-01 01:00:00.000000000 +0100
+++ cifs-utils-4.5/debian/patches/CVE-2011-1678.patch	2011-12-12 23:41:59.000000000 +0100
@@ -0,0 +1,134 @@
+From: Jeff Layton <jlayton@samba.org>
+Date: Tue, 12 Jul 2011 12:19:33 +0000 (-0400)
+Subject: mtab: handle ENOSPC/EFBIG condition properly when altering mtab
+X-Git-Tag: cifs-utils-5.1~19
+X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=commitdiff_plain;h=f6eae44a3d05b6515a59651e6bed8b6dde689aec
+
+mtab: handle ENOSPC/EFBIG condition properly when altering mtab
+
+It's possible that when mount.cifs goes to append the mtab that there
+won't be enough space to do so, and the mntent won't be appended to the
+file in its entirety.
+
+Add a my_endmntent routine that will fflush and then fsync the FILE if
+that succeeds. If either fails then it will truncate the file back to
+its provided size. It will then call endmntent unconditionally.
+
+Have add_mtab call fstat on the opened mtab file in order to get the
+size of the file before it has been appended. Assuming that that
+succeeds, use my_endmntent to ensure that the file is not corrupted
+before closing it. It's possible that we'll have a small race window
+where the mtab is incorrect, but it should be quickly corrected.
+
+This was reported some time ago as CVE-2011-1678:
+
+    http://openwall.com/lists/oss-security/2011/03/04/9
+
+...and it seems to fix the reproducer that I was able to come up with.
+
+Signed-off-by: Jeff Layton <jlayton@samba.org>
+Reviewed-by: Suresh Jayaraman <sjayaraman@suse.de>
+---
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 9d7e107..107a5a5 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -1428,10 +1428,11 @@ static int check_mtab(const char *progname, const char *devname,
+ static int
+ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstype)
+ {
+-	int rc = 0;
++	int rc = 0, tmprc, fd;
+ 	uid_t uid;
+ 	char *mount_user = NULL;
+ 	struct mntent mountent;
++	struct stat statbuf;
+ 	FILE *pmntfile;
+ 	sigset_t mask, oldmask;
+ 
+@@ -1483,6 +1484,23 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstyp
+ 		goto add_mtab_exit;
+ 	}
+ 
++	fd = fileno(pmntfile);
++	if (fd < 0) {
++		fprintf(stderr, "mntent does not appear to be valid\n");
++		unlock_mtab();
++		rc = EX_FILEIO;
++		goto add_mtab_exit;
++	}
++
++	rc = fstat(fd, &statbuf);
++	if (rc != 0) {
++		fprintf(stderr, "unable to fstat open mtab\n");
++		endmntent(pmntfile);
++		unlock_mtab();
++		rc = EX_FILEIO;
++		goto add_mtab_exit;
++	}
++
+ 	mountent.mnt_fsname = devname;
+ 	mountent.mnt_dir = mountpoint;
+ 	mountent.mnt_type = (char *)(void *)fstype;
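Review bot: the `fd < 0` branch at the top of this hunk leaks the stream: it calls unlock_mtab() and jumps to add_mtab_exit without endmntent(pmntfile), whereas the fstat failure branch immediately below does close it before unlocking. Close pmntfile on both paths (or fold the two checks into one error exit). The message "mntent does not appear to be valid" also describes the wrong object; it is the FILE returned by setmntent that yields no usable descriptor, so "unable to get a file descriptor for mtab" tells the reader of the log what actually went wrong.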
+@@ -1514,5 +1532,14 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstyp
+ 	rc = addmntent(pmntfile, &mountent);
++ 	if (rc) {
++ 		fprintf(stderr, "unable to add mount entry to mtab\n");
++		ftruncate(fd, statbuf.st_size);
++		rc = EX_FILEIO;
++	}
++	tmprc = my_endmntent(pmntfile, statbuf.st_size);
++	if (tmprc) {
++		fprintf(stderr, "error %d detected on close of mtab\n", tmprc);
++ 		rc = EX_FILEIO;
++ 	}
+-	endmntent(pmntfile);
+ 	unlock_mtab();
+ 	SAFE_FREE(mountent.mnt_opts);
+ add_mtab_exit:
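Review bot: the rollback order in the failure branch can still leave a partial entry behind: `ftruncate(fd, statbuf.st_size)` runs while the stream may still hold buffered bytes from the failed addmntent(), and my_endmntent() then calls fflush() on that same stream (see the mtab.c hunk), which would write those bytes after the truncation point and, if that flush happens to succeed, keep them. Either flush or purge the stream before truncating, or pass the failure down so that my_endmntent() truncates after its own fflush() regardless of the flush result. Separately, the `if (rc) {` line, the `fprintf(stderr, "unable to add mount entry to mtab\n");` line, the `rc = EX_FILEIO;` inside the tmprc block and its closing `}` all carry a stray space ahead of the tab, so after `quilt push` mount.cifs.c has mixed indentation on exactly those four lines; drop the space before upload.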
+diff --git a/mount.h b/mount.h
+index d49c2ea..80bdbe7 100644
+--- a/mount.h
++++ b/mount.h
+@@ -35,4 +35,5 @@
+ extern int lock_mtab(void);
+ extern void unlock_mtab(void);
++extern int my_endmntent(FILE *stream, off_t size);
+ 
+ #endif /* ! _MOUNT_H_ */
+diff --git a/mtab.c b/mtab.c
+index 9cd50d8..de545b7 100644
+--- a/mtab.c
++++ b/mtab.c
+@@ -251,3 +251,30 @@ lock_mtab (void) {
+ 	return 0;
+ }
+ 
++/*
++ * Call fflush and fsync on the mtab, and then endmntent. If either fflush
++ * or fsync fails, then truncate the file back to "size". endmntent is called
++ * unconditionally, and the errno (if any) from fflush and fsync are returned.
++ */
++int
++my_endmntent(FILE *stream, off_t size)
++{
++	int rc, fd;
++
++	fd = fileno(stream);
++	if (fd < 0)
++		return -EBADF;
++
++	rc = fflush(stream);
++	if (!rc)
++		rc = fsync(fd);
++
++	/* truncate file back to "size" -- best effort here */
++	if (rc) {
++		rc = errno;
++		ftruncate(fd, size);
++	}
++
++	endmntent(stream);
++	return rc;
++}
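Review bot: the error convention is mixed: the `fd < 0` path returns `-EBADF` while the fflush()/fsync() path returns a positive errno, and add_mtab() prints whatever comes back as "error %d detected on close of mtab", so a bad descriptor would show up as a negative number; return EBADF (positive) to match. The `ftruncate(fd, size)` result is also dropped, so when the truncate itself fails the partial entry stays in mtab and the caller only learns the original fflush/fsync errno; at least log that case, since a corrupt mtab is exactly the condition this patch exists to surface. The header comment should also state that `size` is the pre-append length obtained from fstat(), which is the one non-obvious contract of the function.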
diff -Nru cifs-utils-4.5/debian/patches/CVE-2011-2724.patch cifs-utils-4.5/debian/patches/CVE-2011-2724.patch
--- cifs-utils-4.5/debian/patches/CVE-2011-2724.patch	1970-01-01 01:00:00.000000000 +0100
+++ cifs-utils-4.5/debian/patches/CVE-2011-2724.patch	2011-12-12 23:18:35.000000000 +0100
@@ -0,0 +1,16 @@
+X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=aa4581f3cf3f3dc0515666fbc985a97d5e846f38;hp=107a5a5c5280abe02614cdebdc052b91a13d19d9;hb=1e7a32924b22d1f786b6f490ce8590656f578f91;hpb=861824f588a870da7c110b6f199eb5ce7d4dc476
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 107a5a5..aa4581f 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -1419,8 +1419,7 @@ static int check_newline(const char *progname, const char *name)
+ static int check_mtab(const char *progname, const char *devname,
+ 		      const char *dir)
+ {
+-	if (check_newline(progname, devname) == -1 ||
+-	    check_newline(progname, dir) == -1)
++	if (check_newline(progname, devname) || check_newline(progname, dir))
+ 		return EX_USAGE;
+ 	return 0;
+ }
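Review bot: this hunk is only a fix if check_newline() in the squeeze 4.5 source returns something other than -1 on a match (the old `== -1` comparison silently ignored any other non-zero value); the hunk doesn't show check_newline(), so confirm its return value in mount.cifs.c before upload. The patch file also has no DEP-3 header, only an X-Git-Url line; add Description/Origin/Bug fields (the CVE-2011-1678 patch at least carries the upstream From/Subject lines) so `quilt header` and the security tracker can tell what it is.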
diff -Nru cifs-utils-4.5/debian/patches/series cifs-utils-4.5/debian/patches/series
--- cifs-utils-4.5/debian/patches/series	2010-06-04 22:33:38.000000000 +0200
+++ cifs-utils-4.5/debian/patches/series	2011-12-12 23:42:37.000000000 +0100
@@ -1 +1,3 @@
 debian-changes-2:4.5-2
+CVE-2011-1678.patch
+CVE-2011-2724.patch
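For reference, here is a self-contained C example of the approach the two patches take, written for this note rather than taken from cifs-utils or the debdiff above: it records the file size with fstat before appending, pushes the entry through fflush and fsync, truncates back to the recorded size if any of that fails, and refuses fields containing a newline up front (the check the check_mtab hunk relies on). The file layout, the sample entries, the RLIMIT_FSIZE trick used to provoke EFBIG and all function names are assumptions made for the demo, not cifs-utils interfaces.

```c
/* Added example (not cifs-utils code): the fstat -> write -> fflush -> fsync
 * -> ftruncate-on-failure sequence from the patch, applied to an mtab-style
 * file, plus the newline rejection the check_mtab() hunk restores. */
#define _GNU_SOURCE 1 /* POSIX/XSI prototypes: fileno, fsync, getrlimit */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

static const char SEED[] = "//srv/old /mnt/old cifs rw 0 0\n"; /* constructed */

/* A newline in any field would let the caller forge a second mtab line. */
static int has_newline(const char *s) { return !s || strchr(s, '\n') != NULL; }

/* Append "fsname dir type opts 0 0\n" to path. Returns 0 or a positive errno;
 * on failure the file is truncated back to its pre-call size (best effort). */
int append_mtab_entry(const char *path, const char *fsname, const char *dir,
                      const char *type, const char *opts)
{
    FILE *fp;
    struct stat st;
    int fd, rc = 0;
    if (has_newline(fsname) || has_newline(dir) || has_newline(type) ||
        has_newline(opts))
        return EINVAL;
    if ((fp = fopen(path, "a")) == NULL)
        return errno;
    fd = fileno(fp);
    if (fstat(fd, &st) != 0) {              /* size to roll back to */
        rc = errno;
        fclose(fp);
        return rc;
    }
    if (fprintf(fp, "%s %s %s %s 0 0\n", fsname, dir, type, opts) < 0 ||
        fflush(fp) != 0 ||                  /* stdio buffer -> kernel */
        fsync(fd) != 0)                     /* kernel -> disk */
        rc = errno ? errno : EIO;
    if (rc != 0 && ftruncate(fd, st.st_size) != 0)   /* drop partial entry */
        perror("ftruncate (partial entry left in mtab)"); /* best effort */
    if (fclose(fp) != 0 && rc == 0)
        rc = errno;
    return rc;
}

/* Demo scaffolding: a temp file pre-filled with SEED, and a reader for it. */
static int make_temp_mtab(char *tmpl)
{
    int fd = mkstemp(tmpl);
    return fd >= 0 && write(fd, SEED, sizeof SEED - 1) == (ssize_t)(sizeof SEED - 1)
           && close(fd) == 0 ? 0 : -1;
}

static int slurp(const char *path, char *buf, size_t cap)
{
    FILE *fp = fopen(path, "r");
    size_t n = fp ? fread(buf, 1, cap - 1, fp) : 0;
    buf[n] = '\0';
    return fp != NULL && fclose(fp) == 0;
}

/* Normal append lands intact; an injected newline is refused. 1 on pass. */
int demo_append_and_reject(void)
{
    char path[] = "/tmp/mtab-demo-XXXXXX", buf[256];
    int ok = make_temp_mtab(path) == 0 &&
        append_mtab_entry(path, "//srv/share", "/mnt/share", "cifs", "rw") == 0 &&
        append_mtab_entry(path, "//srv/x", "/mnt/x\n//evil /etc cifs rw", "cifs",
                          "rw") == EINVAL &&
        slurp(path, buf, sizeof buf) &&
        strcmp(buf, "//srv/old /mnt/old cifs rw 0 0\n"
                    "//srv/share /mnt/share cifs rw 0 0\n") == 0;
    unlink(path);
    return ok;
}

/* Failure path: cap the file size just above SEED so the append hits EFBIG
 * mid-write. 1 = rolled back to SEED, 0 = partial entry left, -1 = no limit. */
int demo_rollback_on_efbig(void)
{
    char path[] = "/tmp/mtab-demo-XXXXXX", buf[256];
    struct rlimit old, lim;
    int rc;
    if (make_temp_mtab(path) != 0)
        return 0;
    getrlimit(RLIMIT_FSIZE, &old); lim = old;
    lim.rlim_cur = sizeof SEED - 1 + 8;     /* room for a few bytes only */
    signal(SIGXFSZ, SIG_IGN);               /* else EFBIG kills the process */
    setrlimit(RLIMIT_FSIZE, &lim);
    rc = append_mtab_entry(path, "//srv/share", "/mnt/share", "cifs", "rw");
    setrlimit(RLIMIT_FSIZE, &old);
    signal(SIGXFSZ, SIG_DFL);
    slurp(path, buf, sizeof buf);
    unlink(path);
    return rc == 0 ? -1 : (rc == EFBIG && strcmp(buf, SEED) == 0);
}
```

Build with `cc -Wall` and call the demo_ functions from a main(). demo_rollback_on_efbig() returns -1 on a kernel that does not enforce RLIMIT_FSIZE, in which case the append simply succeeds. One difference from the patch is deliberate: my_endmntent() only truncates when its own fflush/fsync fail, whereas here the addmntent-style write, the flush and the fsync all feed one error path that truncates after the flush, which avoids the truncate-then-flush ordering question raised above.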
