Date: Monday, June 16, 2014 @ 12:42:46 Author: tpowa Revision: 215192
upgpkg: cifs-utils 6.3-2 fix #40789 CVE-2014-2830 Added: cifs-utils/trunk/0003-cifskey-better-use-snprintf.patch cifs-utils/trunk/0004-cifscreds-better-error-handling-when-key_search-fail.patch cifs-utils/trunk/0005-cifscreds-better-error-handling-for-key_add.patch Modified: cifs-utils/trunk/PKGBUILD -----------------------------------------------------------------+ 0003-cifskey-better-use-snprintf.patch | 49 ++++ 0004-cifscreds-better-error-handling-when-key_search-fail.patch | 85 ++++++++ 0005-cifscreds-better-error-handling-for-key_add.patch | 102 ++++++++++ PKGBUILD | 21 +- 4 files changed, 254 insertions(+), 3 deletions(-) Added: 0003-cifskey-better-use-snprintf.patch =================================================================== --- 0003-cifskey-better-use-snprintf.patch (rev 0) +++ 0003-cifskey-better-use-snprintf.patch 2014-06-16 10:42:46 UTC (rev 215192) @@ -0,0 +1,49 @@ +From 0c521d5060035da655107001374e08873ac5dde8 Mon Sep 17 00:00:00 2001 +From: Sebastian Krahmer <krah...@suse.de> +Date: Mon, 14 Apr 2014 11:39:41 +0200 +Subject: [PATCH] cifskey: better use snprintf() + +Prefer snprintf() over sprintf() in cifskey.c +Projects that fork the code (pam_cifscreds) can't rely on +the max-size parameters. + +[jlayton: removed unneeded initialization of "len" in key_add] + +Signed-off-by: Sebastian Krahmer <krah...@suse.de> +--- + cifskey.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/cifskey.c b/cifskey.c +index 7716c42..e89cacf 100644 +--- a/cifskey.c ++++ b/cifskey.c +@@ -29,7 +29,8 @@ key_search(const char *addr, char keytype) + { + char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4]; + +- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr); ++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) ++ return -1; + + return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0); + } +@@ -43,10 +44,13 @@ key_add(const char *addr, const char *user, const char *pass, char keytype) + char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2]; + + /* set key description */ +- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr); ++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) ++ return -1; + + /* set payload contents */ +- len = sprintf(val, "%s:%s", user, pass); ++ len = snprintf(val, sizeof(val), "%s:%s", user, pass); ++ if (len >= (int)sizeof(val)) ++ return -1; + + return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING); + } +-- +1.8.4.2 + Added: 0004-cifscreds-better-error-handling-when-key_search-fail.patch =================================================================== --- 0004-cifscreds-better-error-handling-when-key_search-fail.patch (rev 0) +++ 0004-cifscreds-better-error-handling-when-key_search-fail.patch 2014-06-16 10:42:46 UTC (rev 215192) @@ -0,0 +1,85 @@ +From 3da4c43b575498be86c87a2ac3f3142e3cab1c59 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlay...@samba.org> +Date: Sun, 20 Apr 2014 20:41:05 -0400 +Subject: [PATCH] cifscreds: better error handling when key_search fails + +If we ended up getting a bogus string that would have overflowed, then +make key_search set errno to EINVAL before returning. The callers can +then test to see if the returned error is what was expected or something +else and handle it appropriately. + +Cc: Sebastian Krahmer <krah...@suse.de> +Signed-off-by: Jeff Layton <jlay...@samba.org> +--- + cifscreds.c | 9 +++++++++ + cifskey.c | 5 ++++- + pam_cifscreds.c | 9 +++++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/cifscreds.c b/cifscreds.c +index fa05dc8..64d55b0 100644 +--- a/cifscreds.c ++++ b/cifscreds.c +@@ -188,6 +188,15 @@ static int cifscreds_add(struct cmdarg *arg) + return EXIT_FAILURE; + } + ++ switch(errno) { ++ case ENOKEY: ++ /* success */ ++ break; ++ default: ++ printf("Key search failed: %s\n", strerror(errno)); ++ return EXIT_FAILURE; ++ } ++ + currentaddress = nextaddress; + if (currentaddress) { + *(currentaddress - 1) = ','; +diff --git a/cifskey.c b/cifskey.c +index e89cacf..4f01ed0 100644 +--- a/cifskey.c ++++ b/cifskey.c +@@ -20,6 +20,7 @@ + #include <sys/types.h> + #include <keyutils.h> + #include <stdio.h> ++#include <errno.h> + #include "cifskey.h" + #include "resolve_host.h" + +@@ -29,8 +30,10 @@ key_search(const char *addr, char keytype) + { + char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4]; + +- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) ++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) { ++ errno = EINVAL; + return -1; ++ } + + return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0); + } +diff --git a/pam_cifscreds.c b/pam_cifscreds.c +index e0d8a55..fb23117 100644 +--- a/pam_cifscreds.c ++++ b/pam_cifscreds.c +@@ -206,6 +206,15 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas + return PAM_SERVICE_ERR; + } + ++ switch(errno) { ++ case ENOKEY: ++ break; ++ default: ++ pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)", ++ currentaddress, strerror(errno)); ++ return PAM_SERVICE_ERR; ++ } ++ + currentaddress = nextaddress; + if (currentaddress) { + *(currentaddress - 1) = ','; +-- +1.8.4.2 + Added: 0005-cifscreds-better-error-handling-for-key_add.patch =================================================================== --- 0005-cifscreds-better-error-handling-for-key_add.patch (rev 0) +++ 0005-cifscreds-better-error-handling-for-key_add.patch 2014-06-16 10:42:46 UTC (rev 215192) @@ -0,0 +1,102 @@ +From 382ec63757c1d8d4d399d17ccc927c4897d4cfc9 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlay...@samba.org> +Date: Sun, 20 Apr 2014 20:41:05 -0400 +Subject: [PATCH] cifscreds: better error handling for key_add + +If the string buffers would have been overrun, set errno to EINVAL +before returning. Then, have the callers report the errors to +stderr or syslog as appropriate. + +Cc: Sebastian Krahmer <krah...@suse.de> +Signed-off-by: Jeff Layton <jlay...@samba.org> +--- + cifscreds.c | 6 +++--- + cifskey.c | 8 ++++++-- + pam_cifscreds.c | 9 +++++---- + 3 files changed, 14 insertions(+), 9 deletions(-) + +diff --git a/cifscreds.c b/cifscreds.c +index 64d55b0..5d84c3c 100644 +--- a/cifscreds.c ++++ b/cifscreds.c +@@ -220,8 +220,8 @@ static int cifscreds_add(struct cmdarg *arg) + while (currentaddress) { + key_serial_t key = key_add(currentaddress, arg->user, pass, arg->keytype); + if (key <= 0) { +- fprintf(stderr, "error: Add credential key for %s\n", +- currentaddress); ++ fprintf(stderr, "error: Add credential key for %s: %s\n", ++ currentaddress, strerror(errno)); + } else { + if (keyctl(KEYCTL_SETPERM, key, CIFS_KEY_PERMS) < 0) { + fprintf(stderr, "error: Setting permissons " +@@ -422,7 +422,7 @@ static int cifscreds_update(struct cmdarg *arg) + key_serial_t key = key_add(addrs[id], arg->user, pass, arg->keytype); + if (key <= 0) + fprintf(stderr, "error: Update credential key " +- "for %s\n", addrs[id]); ++ "for %s: %s\n", addrs[id], strerror(errno)); + } + + return EXIT_SUCCESS; +diff --git a/cifskey.c b/cifskey.c +index 4f01ed0..919540f 100644 +--- a/cifskey.c ++++ b/cifskey.c +@@ -47,13 +47,17 @@ key_add(const char *addr, const char *user, const char *pass, char keytype) + char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2]; + + /* set key description */ +- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) ++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) { ++ errno = EINVAL; + return -1; ++ } + + /* set payload contents */ + len = snprintf(val, sizeof(val), "%s:%s", user, pass); +- if (len >= (int)sizeof(val)) ++ if (len >= (int)sizeof(val)) { ++ errno = EINVAL; + return -1; ++ } + + return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING); + } +diff --git a/pam_cifscreds.c b/pam_cifscreds.c +index fb23117..5d99c2d 100644 +--- a/pam_cifscreds.c ++++ b/pam_cifscreds.c +@@ -208,6 +208,7 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas + + switch(errno) { + case ENOKEY: ++ /* success */ + break; + default: + pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)", +@@ -233,8 +234,8 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas + while (currentaddress) { + key_serial_t key = key_add(currentaddress, user, password, keytype); + if (key <= 0) { +- pam_syslog(ph, LOG_ERR, "error: Add credential key for %s", +- currentaddress); ++ pam_syslog(ph, LOG_ERR, "error: Add credential key for %s: %s", ++ currentaddress, strerror(errno)); + } else { + if ((args & ARG_DEBUG) == ARG_DEBUG) { + pam_syslog(ph, LOG_DEBUG, "credential key for \\\\%s\\%s added", +@@ -336,8 +337,8 @@ static int cifscreds_pam_update(pam_handle_t *ph, const char *user, const char * + for (id = 0; id < count; id++) { + key_serial_t key = key_add(currentaddress, user, password, keytype); + if (key <= 0) { +- pam_syslog(ph, LOG_ERR, "error: Update credential key for %s", +- currentaddress); ++ pam_syslog(ph, LOG_ERR, "error: Update credential key for %s: %s", ++ currentaddress, strerror(errno)); + } + } + +-- +1.8.4.2 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2014-06-16 09:52:50 UTC (rev 215191) +++ PKGBUILD 2014-06-16 10:42:46 UTC (rev 215192) @@ -2,14 +2,26 @@ # Maintainer: Tobias Powalowski <tp...@archlinux.org> pkgname=cifs-utils pkgver=6.3 -pkgrel=1 +pkgrel=2 pkgdesc="CIFS filesystem user-space tools" arch=(i686 x86_64) url="http://wiki.samba.org/index.php/LinuxCIFS_utils" license=('GPL') depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam') -source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2) +source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2 + '0003-cifskey-better-use-snprintf.patch' + '0004-cifscreds-better-error-handling-when-key_search-fail.patch' + '0005-cifscreds-better-error-handling-for-key_add.patch') +prepare() { + cd "$srcdir/$pkgname-$pkgver" + # add fedora patches + # 40789 CVE-2014-2830 + patch -Np1 -i "$srcdir/0003-cifskey-better-use-snprintf.patch" + patch -Np1 -i "$srcdir/0004-cifscreds-better-error-handling-when-key_search-fail.patch" + patch -Np1 -i "$srcdir/0005-cifscreds-better-error-handling-for-key_add.patch" +} + build() { cd "$srcdir/$pkgname-$pkgver" # systemd support is broken in mount.cifs @@ -27,4 +39,7 @@ # set mount.cifs uid, to enable none root mounting form fstab chmod +s $pkgdir/usr/bin/mount.cifs } -md5sums=('93697dbc043cb4d5c66e15e281f872e5') +md5sums=('93697dbc043cb4d5c66e15e281f872e5' + 'cc13c6d1b734a446d0f4384e0ce32748' + '350491f336dc931f9b192228909e5924' + 'ac2b3367363fbc79f8f7fdfcae008a8c')