Date: Monday, June 16, 2014 @ 12:42:57
Author: tpowa
Revision: 215193
archrelease: copy trunk to extra-i686, extra-x86_64
Added:
cifs-utils/repos/extra-i686/0003-cifskey-better-use-snprintf.patch
(from rev 215192, cifs-utils/trunk/0003-cifskey-better-use-snprintf.patch)
cifs-utils/repos/extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch
(from rev 215192,
cifs-utils/trunk/0004-cifscreds-better-error-handling-when-key_search-fail.patch)
cifs-utils/repos/extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch
(from rev 215192,
cifs-utils/trunk/0005-cifscreds-better-error-handling-for-key_add.patch)
cifs-utils/repos/extra-i686/PKGBUILD
(from rev 215192, cifs-utils/trunk/PKGBUILD)
cifs-utils/repos/extra-i686/fix-5.9-credentials.patch
(from rev 215192, cifs-utils/trunk/fix-5.9-credentials.patch)
cifs-utils/repos/extra-x86_64/0003-cifskey-better-use-snprintf.patch
(from rev 215192, cifs-utils/trunk/0003-cifskey-better-use-snprintf.patch)
cifs-utils/repos/extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch
(from rev 215192,
cifs-utils/trunk/0004-cifscreds-better-error-handling-when-key_search-fail.patch)
cifs-utils/repos/extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch
(from rev 215192,
cifs-utils/trunk/0005-cifscreds-better-error-handling-for-key_add.patch)
cifs-utils/repos/extra-x86_64/PKGBUILD
(from rev 215192, cifs-utils/trunk/PKGBUILD)
cifs-utils/repos/extra-x86_64/fix-5.9-credentials.patch
(from rev 215192, cifs-utils/trunk/fix-5.9-credentials.patch)
Deleted:
cifs-utils/repos/extra-i686/PKGBUILD
cifs-utils/repos/extra-i686/fix-5.9-credentials.patch
cifs-utils/repos/extra-x86_64/PKGBUILD
cifs-utils/repos/extra-x86_64/fix-5.9-credentials.patch
------------------------------------------------------------------------------+
/PKGBUILD |
90 ++++++++
/fix-5.9-credentials.patch |
32 +++
extra-i686/0003-cifskey-better-use-snprintf.patch |
49 ++++
extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch |
85 ++++++++
extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch |
102 ++++++++++
extra-i686/PKGBUILD |
30 --
extra-i686/fix-5.9-credentials.patch |
16 -
extra-x86_64/0003-cifskey-better-use-snprintf.patch |
49 ++++
extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch |
85 ++++++++
extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch |
102 ++++++++++
extra-x86_64/PKGBUILD |
30 --
extra-x86_64/fix-5.9-credentials.patch |
16 -
12 files changed, 594 insertions(+), 92 deletions(-)
Copied: cifs-utils/repos/extra-i686/0003-cifskey-better-use-snprintf.patch
(from rev 215192, cifs-utils/trunk/0003-cifskey-better-use-snprintf.patch)
===================================================================
--- extra-i686/0003-cifskey-better-use-snprintf.patch
(rev 0)
+++ extra-i686/0003-cifskey-better-use-snprintf.patch 2014-06-16 10:42:57 UTC
(rev 215193)
@@ -0,0 +1,49 @@
+From 0c521d5060035da655107001374e08873ac5dde8 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krah...@suse.de>
+Date: Mon, 14 Apr 2014 11:39:41 +0200
+Subject: [PATCH] cifskey: better use snprintf()
+
+Prefer snprintf() over sprintf() in cifskey.c
+Projects that fork the code (pam_cifscreds) can't rely on
+the max-size parameters.
+
+[jlayton: removed unneeded initialization of "len" in key_add]
+
+Signed-off-by: Sebastian Krahmer <krah...@suse.de>
+---
+ cifskey.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/cifskey.c b/cifskey.c
+index 7716c42..e89cacf 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -29,7 +29,8 @@ key_search(const char *addr, char keytype)
+ {
+ char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+
+- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc))
++ return -1;
+
+ return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+@@ -43,10 +44,13 @@ key_add(const char *addr, const char *user, const char
*pass, char keytype)
+ char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2];
+
+ /* set key description */
+- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc))
++ return -1;
+
+ /* set payload contents */
+- len = sprintf(val, "%s:%s", user, pass);
++ len = snprintf(val, sizeof(val), "%s:%s", user, pass);
++ if (len >= (int)sizeof(val))
++ return -1;
+
+ return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+--
+1.8.4.2
+
Copied:
cifs-utils/repos/extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch
(from rev 215192,
cifs-utils/trunk/0004-cifscreds-better-error-handling-when-key_search-fail.patch)
===================================================================
--- extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch
(rev 0)
+++ extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch
2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,85 @@
+From 3da4c43b575498be86c87a2ac3f3142e3cab1c59 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlay...@samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling when key_search fails
+
+If we ended up getting a bogus string that would have overflowed, then
+make key_search set errno to EINVAL before returning. The callers can
+then test to see if the returned error is what was expected or something
+else and handle it appropriately.
+
+Cc: Sebastian Krahmer <krah...@suse.de>
+Signed-off-by: Jeff Layton <jlay...@samba.org>
+---
+ cifscreds.c | 9 +++++++++
+ cifskey.c | 5 ++++-
+ pam_cifscreds.c | 9 +++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index fa05dc8..64d55b0 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -188,6 +188,15 @@ static int cifscreds_add(struct cmdarg *arg)
+ return EXIT_FAILURE;
+ }
+
++ switch(errno) {
++ case ENOKEY:
++ /* success */
++ break;
++ default:
++ printf("Key search failed: %s\n", strerror(errno));
++ return EXIT_FAILURE;
++ }
++
+ currentaddress = nextaddress;
+ if (currentaddress) {
+ *(currentaddress - 1) = ',';
+diff --git a/cifskey.c b/cifskey.c
+index e89cacf..4f01ed0 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -20,6 +20,7 @@
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <stdio.h>
++#include <errno.h>
+ #include "cifskey.h"
+ #include "resolve_host.h"
+
+@@ -29,8 +30,10 @@ key_search(const char *addr, char keytype)
+ {
+ char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+
+- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc))
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc)) {
++ errno = EINVAL;
+ return -1;
++ }
+
+ return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index e0d8a55..fb23117 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -206,6 +206,15 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char
*user, const char *pas
+ return PAM_SERVICE_ERR;
+ }
+
++ switch(errno) {
++ case ENOKEY:
++ break;
++ default:
++ pam_syslog(ph, LOG_ERR, "Unable to search keyring for
%s (%s)",
++ currentaddress, strerror(errno));
++ return PAM_SERVICE_ERR;
++ }
++
+ currentaddress = nextaddress;
+ if (currentaddress) {
+ *(currentaddress - 1) = ',';
+--
+1.8.4.2
+
Copied:
cifs-utils/repos/extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch
(from rev 215192,
cifs-utils/trunk/0005-cifscreds-better-error-handling-for-key_add.patch)
===================================================================
--- extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch
(rev 0)
+++ extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch
2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,102 @@
+From 382ec63757c1d8d4d399d17ccc927c4897d4cfc9 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlay...@samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling for key_add
+
+If the string buffers would have been overrun, set errno to EINVAL
+before returning. Then, have the callers report the errors to
+stderr or syslog as appropriate.
+
+Cc: Sebastian Krahmer <krah...@suse.de>
+Signed-off-by: Jeff Layton <jlay...@samba.org>
+---
+ cifscreds.c | 6 +++---
+ cifskey.c | 8 ++++++--
+ pam_cifscreds.c | 9 +++++----
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index 64d55b0..5d84c3c 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -220,8 +220,8 @@ static int cifscreds_add(struct cmdarg *arg)
+ while (currentaddress) {
+ key_serial_t key = key_add(currentaddress, arg->user, pass,
arg->keytype);
+ if (key <= 0) {
+- fprintf(stderr, "error: Add credential key for %s\n",
+- currentaddress);
++ fprintf(stderr, "error: Add credential key for %s:
%s\n",
++ currentaddress, strerror(errno));
+ } else {
+ if (keyctl(KEYCTL_SETPERM, key, CIFS_KEY_PERMS) < 0) {
+ fprintf(stderr, "error: Setting permissons "
+@@ -422,7 +422,7 @@ static int cifscreds_update(struct cmdarg *arg)
+ key_serial_t key = key_add(addrs[id], arg->user, pass,
arg->keytype);
+ if (key <= 0)
+ fprintf(stderr, "error: Update credential key "
+- "for %s\n", addrs[id]);
++ "for %s: %s\n", addrs[id], strerror(errno));
+ }
+
+ return EXIT_SUCCESS;
+diff --git a/cifskey.c b/cifskey.c
+index 4f01ed0..919540f 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -47,13 +47,17 @@ key_add(const char *addr, const char *user, const char
*pass, char keytype)
+ char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2];
+
+ /* set key description */
+- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc))
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc)) {
++ errno = EINVAL;
+ return -1;
++ }
+
+ /* set payload contents */
+ len = snprintf(val, sizeof(val), "%s:%s", user, pass);
+- if (len >= (int)sizeof(val))
++ if (len >= (int)sizeof(val)) {
++ errno = EINVAL;
+ return -1;
++ }
+
+ return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index fb23117..5d99c2d 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -208,6 +208,7 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char
*user, const char *pas
+
+ switch(errno) {
+ case ENOKEY:
++ /* success */
+ break;
+ default:
+ pam_syslog(ph, LOG_ERR, "Unable to search keyring for
%s (%s)",
+@@ -233,8 +234,8 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char
*user, const char *pas
+ while (currentaddress) {
+ key_serial_t key = key_add(currentaddress, user, password,
keytype);
+ if (key <= 0) {
+- pam_syslog(ph, LOG_ERR, "error: Add credential key for
%s",
+- currentaddress);
++ pam_syslog(ph, LOG_ERR, "error: Add credential key for
%s: %s",
++ currentaddress, strerror(errno));
+ } else {
+ if ((args & ARG_DEBUG) == ARG_DEBUG) {
+ pam_syslog(ph, LOG_DEBUG, "credential key for
\\\\%s\\%s added",
+@@ -336,8 +337,8 @@ static int cifscreds_pam_update(pam_handle_t *ph, const
char *user, const char *
+ for (id = 0; id < count; id++) {
+ key_serial_t key = key_add(currentaddress, user, password,
keytype);
+ if (key <= 0) {
+- pam_syslog(ph, LOG_ERR, "error: Update credential key
for %s",
+- currentaddress);
++ pam_syslog(ph, LOG_ERR, "error: Update credential key
for %s: %s",
++ currentaddress, strerror(errno));
+ }
+ }
+
+--
+1.8.4.2
+
Deleted: extra-i686/PKGBUILD
===================================================================
--- extra-i686/PKGBUILD 2014-06-16 10:42:46 UTC (rev 215192)
+++ extra-i686/PKGBUILD 2014-06-16 10:42:57 UTC (rev 215193)
@@ -1,30 +0,0 @@
-# $Id$
-# Maintainer: Tobias Powalowski <tp...@archlinux.org>
-pkgname=cifs-utils
-pkgver=6.3
-pkgrel=1
-pkgdesc="CIFS filesystem user-space tools"
-arch=(i686 x86_64)
-url="http://wiki.samba.org/index.php/LinuxCIFS_utils";
-license=('GPL')
-depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam')
-source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2)
-
-build() {
- cd "$srcdir/$pkgname-$pkgver"
- # systemd support is broken in mount.cifs
- # https://bugs.archlinux.org/task/30958
- ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd
- make
-}
-
-package() {
- cd "$srcdir/$pkgname-$pkgver"
- make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install
- mkdir -p $pkgdir/etc/request-key.d
- install -m 644 contrib/request-key.d/cifs.idmap.conf
$pkgdir/etc/request-key.d
- install -m 644 contrib/request-key.d/cifs.spnego.conf
$pkgdir/etc/request-key.d
- # set mount.cifs uid, to enable none root mounting form fstab
- chmod +s $pkgdir/usr/bin/mount.cifs
-}
-md5sums=('93697dbc043cb4d5c66e15e281f872e5')
Copied: cifs-utils/repos/extra-i686/PKGBUILD (from rev 215192,
cifs-utils/trunk/PKGBUILD)
===================================================================
--- extra-i686/PKGBUILD (rev 0)
+++ extra-i686/PKGBUILD 2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,45 @@
+# $Id$
+# Maintainer: Tobias Powalowski <tp...@archlinux.org>
+pkgname=cifs-utils
+pkgver=6.3
+pkgrel=2
+pkgdesc="CIFS filesystem user-space tools"
+arch=(i686 x86_64)
+url="http://wiki.samba.org/index.php/LinuxCIFS_utils";
+license=('GPL')
+depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam')
+source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2
+ '0003-cifskey-better-use-snprintf.patch'
+ '0004-cifscreds-better-error-handling-when-key_search-fail.patch'
+ '0005-cifscreds-better-error-handling-for-key_add.patch')
+
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+ # add fedora patches
+ # 40789 CVE-2014-2830
+ patch -Np1 -i "$srcdir/0003-cifskey-better-use-snprintf.patch"
+ patch -Np1 -i
"$srcdir/0004-cifscreds-better-error-handling-when-key_search-fail.patch"
+ patch -Np1 -i
"$srcdir/0005-cifscreds-better-error-handling-for-key_add.patch"
+}
+
+build() {
+ cd "$srcdir/$pkgname-$pkgver"
+ # systemd support is broken in mount.cifs
+ # https://bugs.archlinux.org/task/30958
+ ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd
+ make
+}
+
+package() {
+ cd "$srcdir/$pkgname-$pkgver"
+ make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install
+ mkdir -p $pkgdir/etc/request-key.d
+ install -m 644 contrib/request-key.d/cifs.idmap.conf
$pkgdir/etc/request-key.d
+ install -m 644 contrib/request-key.d/cifs.spnego.conf
$pkgdir/etc/request-key.d
+ # set mount.cifs uid, to enable none root mounting form fstab
+ chmod +s $pkgdir/usr/bin/mount.cifs
+}
+md5sums=('93697dbc043cb4d5c66e15e281f872e5'
+ 'cc13c6d1b734a446d0f4384e0ce32748'
+ '350491f336dc931f9b192228909e5924'
+ 'ac2b3367363fbc79f8f7fdfcae008a8c')
Deleted: extra-i686/fix-5.9-credentials.patch
===================================================================
--- extra-i686/fix-5.9-credentials.patch 2014-06-16 10:42:46 UTC (rev
215192)
+++ extra-i686/fix-5.9-credentials.patch 2014-06-16 10:42:57 UTC (rev
215193)
@@ -1,16 +0,0 @@
-X-Git-Url:
https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=40b77e92e3f734c606f522ccf279a0508ad64eab;hp=c7c3055cb890764937193b1d50d1f0fb7ae18826;hb=1a01f7c4b90695211d12291d7a24bec05b1f2922;hpb=739289ad3ce915e1ee2705ecd7ac4e907cd91405
-
-diff --git a/mount.cifs.c b/mount.cifs.c
-index c7c3055..40b77e9 100644
---- a/mount.cifs.c
-+++ b/mount.cifs.c
-@@ -581,7 +581,8 @@ static int open_cred_file(char *file_name,
- switch (parse_cred_line(line_buf + i, &temp_val)) {
- case CRED_USER:
- strlcpy(parsed_info->username, temp_val,
-- sizeof(parsed_info->domain));
-+ sizeof(parsed_info->username));
-+ parsed_info->got_user = 1;
- break;
- case CRED_PASS:
- i = set_password(parsed_info, temp_val);
Copied: cifs-utils/repos/extra-i686/fix-5.9-credentials.patch (from rev 215192,
cifs-utils/trunk/fix-5.9-credentials.patch)
===================================================================
--- extra-i686/fix-5.9-credentials.patch (rev 0)
+++ extra-i686/fix-5.9-credentials.patch 2014-06-16 10:42:57 UTC (rev
215193)
@@ -0,0 +1,16 @@
+X-Git-Url:
https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=40b77e92e3f734c606f522ccf279a0508ad64eab;hp=c7c3055cb890764937193b1d50d1f0fb7ae18826;hb=1a01f7c4b90695211d12291d7a24bec05b1f2922;hpb=739289ad3ce915e1ee2705ecd7ac4e907cd91405
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index c7c3055..40b77e9 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -581,7 +581,8 @@ static int open_cred_file(char *file_name,
+ switch (parse_cred_line(line_buf + i, &temp_val)) {
+ case CRED_USER:
+ strlcpy(parsed_info->username, temp_val,
+- sizeof(parsed_info->domain));
++ sizeof(parsed_info->username));
++ parsed_info->got_user = 1;
+ break;
+ case CRED_PASS:
+ i = set_password(parsed_info, temp_val);
Copied: cifs-utils/repos/extra-x86_64/0003-cifskey-better-use-snprintf.patch
(from rev 215192, cifs-utils/trunk/0003-cifskey-better-use-snprintf.patch)
===================================================================
--- extra-x86_64/0003-cifskey-better-use-snprintf.patch
(rev 0)
+++ extra-x86_64/0003-cifskey-better-use-snprintf.patch 2014-06-16 10:42:57 UTC
(rev 215193)
@@ -0,0 +1,49 @@
+From 0c521d5060035da655107001374e08873ac5dde8 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krah...@suse.de>
+Date: Mon, 14 Apr 2014 11:39:41 +0200
+Subject: [PATCH] cifskey: better use snprintf()
+
+Prefer snprintf() over sprintf() in cifskey.c
+Projects that fork the code (pam_cifscreds) can't rely on
+the max-size parameters.
+
+[jlayton: removed unneeded initialization of "len" in key_add]
+
+Signed-off-by: Sebastian Krahmer <krah...@suse.de>
+---
+ cifskey.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/cifskey.c b/cifskey.c
+index 7716c42..e89cacf 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -29,7 +29,8 @@ key_search(const char *addr, char keytype)
+ {
+ char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+
+- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc))
++ return -1;
+
+ return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+@@ -43,10 +44,13 @@ key_add(const char *addr, const char *user, const char
*pass, char keytype)
+ char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2];
+
+ /* set key description */
+- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc))
++ return -1;
+
+ /* set payload contents */
+- len = sprintf(val, "%s:%s", user, pass);
++ len = snprintf(val, sizeof(val), "%s:%s", user, pass);
++ if (len >= (int)sizeof(val))
++ return -1;
+
+ return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+--
+1.8.4.2
+
Copied:
cifs-utils/repos/extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch
(from rev 215192,
cifs-utils/trunk/0004-cifscreds-better-error-handling-when-key_search-fail.patch)
===================================================================
---
extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch
(rev 0)
+++
extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch
2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,85 @@
+From 3da4c43b575498be86c87a2ac3f3142e3cab1c59 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlay...@samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling when key_search fails
+
+If we ended up getting a bogus string that would have overflowed, then
+make key_search set errno to EINVAL before returning. The callers can
+then test to see if the returned error is what was expected or something
+else and handle it appropriately.
+
+Cc: Sebastian Krahmer <krah...@suse.de>
+Signed-off-by: Jeff Layton <jlay...@samba.org>
+---
+ cifscreds.c | 9 +++++++++
+ cifskey.c | 5 ++++-
+ pam_cifscreds.c | 9 +++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index fa05dc8..64d55b0 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -188,6 +188,15 @@ static int cifscreds_add(struct cmdarg *arg)
+ return EXIT_FAILURE;
+ }
+
++ switch(errno) {
++ case ENOKEY:
++ /* success */
++ break;
++ default:
++ printf("Key search failed: %s\n", strerror(errno));
++ return EXIT_FAILURE;
++ }
++
+ currentaddress = nextaddress;
+ if (currentaddress) {
+ *(currentaddress - 1) = ',';
+diff --git a/cifskey.c b/cifskey.c
+index e89cacf..4f01ed0 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -20,6 +20,7 @@
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <stdio.h>
++#include <errno.h>
+ #include "cifskey.h"
+ #include "resolve_host.h"
+
+@@ -29,8 +30,10 @@ key_search(const char *addr, char keytype)
+ {
+ char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+
+- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc))
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc)) {
++ errno = EINVAL;
+ return -1;
++ }
+
+ return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index e0d8a55..fb23117 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -206,6 +206,15 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char
*user, const char *pas
+ return PAM_SERVICE_ERR;
+ }
+
++ switch(errno) {
++ case ENOKEY:
++ break;
++ default:
++ pam_syslog(ph, LOG_ERR, "Unable to search keyring for
%s (%s)",
++ currentaddress, strerror(errno));
++ return PAM_SERVICE_ERR;
++ }
++
+ currentaddress = nextaddress;
+ if (currentaddress) {
+ *(currentaddress - 1) = ',';
+--
+1.8.4.2
+
Copied:
cifs-utils/repos/extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch
(from rev 215192,
cifs-utils/trunk/0005-cifscreds-better-error-handling-for-key_add.patch)
===================================================================
--- extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch
(rev 0)
+++ extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch
2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,102 @@
+From 382ec63757c1d8d4d399d17ccc927c4897d4cfc9 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlay...@samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling for key_add
+
+If the string buffers would have been overrun, set errno to EINVAL
+before returning. Then, have the callers report the errors to
+stderr or syslog as appropriate.
+
+Cc: Sebastian Krahmer <krah...@suse.de>
+Signed-off-by: Jeff Layton <jlay...@samba.org>
+---
+ cifscreds.c | 6 +++---
+ cifskey.c | 8 ++++++--
+ pam_cifscreds.c | 9 +++++----
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index 64d55b0..5d84c3c 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -220,8 +220,8 @@ static int cifscreds_add(struct cmdarg *arg)
+ while (currentaddress) {
+ key_serial_t key = key_add(currentaddress, arg->user, pass,
arg->keytype);
+ if (key <= 0) {
+- fprintf(stderr, "error: Add credential key for %s\n",
+- currentaddress);
++ fprintf(stderr, "error: Add credential key for %s:
%s\n",
++ currentaddress, strerror(errno));
+ } else {
+ if (keyctl(KEYCTL_SETPERM, key, CIFS_KEY_PERMS) < 0) {
+ fprintf(stderr, "error: Setting permissons "
+@@ -422,7 +422,7 @@ static int cifscreds_update(struct cmdarg *arg)
+ key_serial_t key = key_add(addrs[id], arg->user, pass,
arg->keytype);
+ if (key <= 0)
+ fprintf(stderr, "error: Update credential key "
+- "for %s\n", addrs[id]);
++ "for %s: %s\n", addrs[id], strerror(errno));
+ }
+
+ return EXIT_SUCCESS;
+diff --git a/cifskey.c b/cifskey.c
+index 4f01ed0..919540f 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -47,13 +47,17 @@ key_add(const char *addr, const char *user, const char
*pass, char keytype)
+ char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2];
+
+ /* set key description */
+- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc))
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr)
>= (int)sizeof(desc)) {
++ errno = EINVAL;
+ return -1;
++ }
+
+ /* set payload contents */
+ len = snprintf(val, sizeof(val), "%s:%s", user, pass);
+- if (len >= (int)sizeof(val))
++ if (len >= (int)sizeof(val)) {
++ errno = EINVAL;
+ return -1;
++ }
+
+ return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index fb23117..5d99c2d 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -208,6 +208,7 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char
*user, const char *pas
+
+ switch(errno) {
+ case ENOKEY:
++ /* success */
+ break;
+ default:
+ pam_syslog(ph, LOG_ERR, "Unable to search keyring for
%s (%s)",
+@@ -233,8 +234,8 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char
*user, const char *pas
+ while (currentaddress) {
+ key_serial_t key = key_add(currentaddress, user, password,
keytype);
+ if (key <= 0) {
+- pam_syslog(ph, LOG_ERR, "error: Add credential key for
%s",
+- currentaddress);
++ pam_syslog(ph, LOG_ERR, "error: Add credential key for
%s: %s",
++ currentaddress, strerror(errno));
+ } else {
+ if ((args & ARG_DEBUG) == ARG_DEBUG) {
+ pam_syslog(ph, LOG_DEBUG, "credential key for
\\\\%s\\%s added",
+@@ -336,8 +337,8 @@ static int cifscreds_pam_update(pam_handle_t *ph, const
char *user, const char *
+ for (id = 0; id < count; id++) {
+ key_serial_t key = key_add(currentaddress, user, password,
keytype);
+ if (key <= 0) {
+- pam_syslog(ph, LOG_ERR, "error: Update credential key
for %s",
+- currentaddress);
++ pam_syslog(ph, LOG_ERR, "error: Update credential key
for %s: %s",
++ currentaddress, strerror(errno));
+ }
+ }
+
+--
+1.8.4.2
+
Deleted: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD 2014-06-16 10:42:46 UTC (rev 215192)
+++ extra-x86_64/PKGBUILD 2014-06-16 10:42:57 UTC (rev 215193)
@@ -1,30 +0,0 @@
-# $Id$
-# Maintainer: Tobias Powalowski <tp...@archlinux.org>
-pkgname=cifs-utils
-pkgver=6.3
-pkgrel=1
-pkgdesc="CIFS filesystem user-space tools"
-arch=(i686 x86_64)
-url="http://wiki.samba.org/index.php/LinuxCIFS_utils";
-license=('GPL')
-depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam')
-source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2)
-
-build() {
- cd "$srcdir/$pkgname-$pkgver"
- # systemd support is broken in mount.cifs
- # https://bugs.archlinux.org/task/30958
- ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd
- make
-}
-
-package() {
- cd "$srcdir/$pkgname-$pkgver"
- make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install
- mkdir -p $pkgdir/etc/request-key.d
- install -m 644 contrib/request-key.d/cifs.idmap.conf
$pkgdir/etc/request-key.d
- install -m 644 contrib/request-key.d/cifs.spnego.conf
$pkgdir/etc/request-key.d
- # set mount.cifs uid, to enable none root mounting form fstab
- chmod +s $pkgdir/usr/bin/mount.cifs
-}
-md5sums=('93697dbc043cb4d5c66e15e281f872e5')
Copied: cifs-utils/repos/extra-x86_64/PKGBUILD (from rev 215192,
cifs-utils/trunk/PKGBUILD)
===================================================================
--- extra-x86_64/PKGBUILD (rev 0)
+++ extra-x86_64/PKGBUILD 2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,45 @@
+# $Id$
+# Maintainer: Tobias Powalowski <tp...@archlinux.org>
+pkgname=cifs-utils
+pkgver=6.3
+pkgrel=2
+pkgdesc="CIFS filesystem user-space tools"
+arch=(i686 x86_64)
+url="http://wiki.samba.org/index.php/LinuxCIFS_utils";
+license=('GPL')
+depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam')
+source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2
+ '0003-cifskey-better-use-snprintf.patch'
+ '0004-cifscreds-better-error-handling-when-key_search-fail.patch'
+ '0005-cifscreds-better-error-handling-for-key_add.patch')
+
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+ # add fedora patches
+ # 40789 CVE-2014-2830
+ patch -Np1 -i "$srcdir/0003-cifskey-better-use-snprintf.patch"
+ patch -Np1 -i
"$srcdir/0004-cifscreds-better-error-handling-when-key_search-fail.patch"
+ patch -Np1 -i
"$srcdir/0005-cifscreds-better-error-handling-for-key_add.patch"
+}
+
+build() {
+ cd "$srcdir/$pkgname-$pkgver"
+ # systemd support is broken in mount.cifs
+ # https://bugs.archlinux.org/task/30958
+ ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd
+ make
+}
+
+package() {
+ cd "$srcdir/$pkgname-$pkgver"
+ make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install
+ mkdir -p $pkgdir/etc/request-key.d
+ install -m 644 contrib/request-key.d/cifs.idmap.conf
$pkgdir/etc/request-key.d
+ install -m 644 contrib/request-key.d/cifs.spnego.conf
$pkgdir/etc/request-key.d
+ # set mount.cifs uid, to enable none root mounting form fstab
+ chmod +s $pkgdir/usr/bin/mount.cifs
+}
+md5sums=('93697dbc043cb4d5c66e15e281f872e5'
+ 'cc13c6d1b734a446d0f4384e0ce32748'
+ '350491f336dc931f9b192228909e5924'
+ 'ac2b3367363fbc79f8f7fdfcae008a8c')
Deleted: extra-x86_64/fix-5.9-credentials.patch
===================================================================
--- extra-x86_64/fix-5.9-credentials.patch 2014-06-16 10:42:46 UTC (rev
215192)
+++ extra-x86_64/fix-5.9-credentials.patch 2014-06-16 10:42:57 UTC (rev
215193)
@@ -1,16 +0,0 @@
-X-Git-Url:
https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=40b77e92e3f734c606f522ccf279a0508ad64eab;hp=c7c3055cb890764937193b1d50d1f0fb7ae18826;hb=1a01f7c4b90695211d12291d7a24bec05b1f2922;hpb=739289ad3ce915e1ee2705ecd7ac4e907cd91405
-
-diff --git a/mount.cifs.c b/mount.cifs.c
-index c7c3055..40b77e9 100644
---- a/mount.cifs.c
-+++ b/mount.cifs.c
-@@ -581,7 +581,8 @@ static int open_cred_file(char *file_name,
- switch (parse_cred_line(line_buf + i, &temp_val)) {
- case CRED_USER:
- strlcpy(parsed_info->username, temp_val,
-- sizeof(parsed_info->domain));
-+ sizeof(parsed_info->username));
-+ parsed_info->got_user = 1;
- break;
- case CRED_PASS:
- i = set_password(parsed_info, temp_val);
Copied: cifs-utils/repos/extra-x86_64/fix-5.9-credentials.patch (from rev
215192, cifs-utils/trunk/fix-5.9-credentials.patch)
===================================================================
--- extra-x86_64/fix-5.9-credentials.patch (rev 0)
+++ extra-x86_64/fix-5.9-credentials.patch 2014-06-16 10:42:57 UTC (rev
215193)
@@ -0,0 +1,16 @@
+X-Git-Url:
https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=40b77e92e3f734c606f522ccf279a0508ad64eab;hp=c7c3055cb890764937193b1d50d1f0fb7ae18826;hb=1a01f7c4b90695211d12291d7a24bec05b1f2922;hpb=739289ad3ce915e1ee2705ecd7ac4e907cd91405
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index c7c3055..40b77e9 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -581,7 +581,8 @@ static int open_cred_file(char *file_name,
+ switch (parse_cred_line(line_buf + i, &temp_val)) {
+ case CRED_USER:
+ strlcpy(parsed_info->username, temp_val,
+- sizeof(parsed_info->domain));
++ sizeof(parsed_info->username));
++ parsed_info->got_user = 1;
+ break;
+ case CRED_PASS:
+ i = set_password(parsed_info, temp_val);
