Bugzilla – Bug 1197216
VUL-0: CVE-2022-27239: cifs-utils: buffer overflow in commandline ip= handling
Last modified: 2024-05-13 19:16:37 UTC
Created attachment 857140
proposed fix from bug reporter

This hasn't gone through full review yet, but looks good to me.
Created attachment 857141
proposed fix, properly encoded
Mitre assigned CVE-2022-27239. How about Tuesday March 29th as embargo end, which is in 12 days?
(In reply to Marcus Meissner from comment #11)
> Mitre assigned CVE-2022-27239.

Thanks!

> How about Tuesday March 29th as embargo end, which is in 12 days?

Waiting to hear from upstream (MS, RH, et al.) about this proposal.
RH would prefer a bit more time. I proposed 4PM UTC on April 20.

On Fri, 18 Mar 2022 17:41:54 +0100, David Disseldorp wrote:

> On Fri, 18 Mar 2022 14:27:36 +0200, Alexander Bokovoy wrote:
>
> > On Fri, 18 Mar 2022, David Disseldorp via samba-team wrote:
> > > Hi,
> > >
> > > I heard back from our security team regarding the CVE:
> > >
> > > --- Comment #11 from Marcus Meissner <meissner@suse.com> ---
> > > Mitre assigned CVE-2022-27239.
> > >
> > > How about Tuesday March 29th as embargo end, which is in 12 days?
> > >
> > > Does this embargo end date work for everyone (RH and other distros)?
> >
> > It will not work for Red Hat, sorry. It is too close for any meaningful
> > fix verification to be done in under one work week for backports to
> > several releases.
> >
> > It would be great to have it scheduled for mid April, for example.
>
> Alright, in that case let's plan for 4PM UTC on April 20 (after the
> Easter break in some places).
CRD: 2022-04-20 16:00UTC Ok for me.
Created attachment 858158
proposed fix

The planned embargo end date is just under a week off. @Paulo: would you be able to prepare the internal build service submissions in the lead up? Please clearly label any ibs submit-requests as EMBARGOED until 2022-04-20 16:00UTC.
(In reply to David Disseldorp from comment #18)
> Created attachment 858158
> proposed fix
>
> The planned embargo end date is just under a week off. @Paulo: would you be
> able to prepare the internal build service submissions in the lead up?
> Please clearly label any ibs submit-requests as EMBARGOED until 2022-04-20
> 16:00UTC.

Sure. I'll work on that. Thanks Dave!
Hi Dave,

Follow SRs with embargoed fix:

https://build.suse.de/request/show/270073
https://build.suse.de/request/show/270074
https://build.suse.de/request/show/270075
https://build.suse.de/request/show/270076
https://build.suse.de/request/show/270077
https://build.suse.de/request/show/270079
https://build.suse.de/request/show/270080
https://build.suse.de/request/show/270081
any news? we so far did not publish, I think we would prefer if you open the samba bugzilla entry first.
is public via https://github.com/piastry/cifs-utils/pull/7
SUSE-SU-2022:1428-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197216
CVE References: CVE-2022-27239
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): cifs-utils-6.9-9.18.1
SUSE OpenStack Cloud 8 (src): cifs-utils-6.9-9.18.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): cifs-utils-6.9-9.18.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): cifs-utils-6.9-9.18.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): cifs-utils-6.9-9.18.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): cifs-utils-6.9-9.18.1
HPE Helion Openstack 8 (src): cifs-utils-6.9-9.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1430-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197216
CVE References: CVE-2022-27239
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): cifs-utils-6.9-150100.5.15.1
SUSE Manager Server 4.1 (src): cifs-utils-6.9-150100.5.15.1
SUSE Manager Retail Branch Server 4.1 (src): cifs-utils-6.9-150100.5.15.1
SUSE Manager Proxy 4.1 (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise Micro 5.2 (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): cifs-utils-6.9-150100.5.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): cifs-utils-6.9-150100.5.15.1
SUSE Enterprise Storage 7 (src): cifs-utils-6.9-150100.5.15.1
SUSE Enterprise Storage 6 (src): cifs-utils-6.9-150100.5.15.1
SUSE CaaS Platform 4.0 (src): cifs-utils-6.9-150100.5.15.1
SUSE-SU-2022:1427-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197216
CVE References: CVE-2022-27239
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): cifs-utils-6.9-150000.3.17.1
SUSE Linux Enterprise Server 15-LTSS (src): cifs-utils-6.9-150000.3.17.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): cifs-utils-6.9-150000.3.17.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): cifs-utils-6.9-150000.3.17.1
SUSE-SU-2022:14951-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197216
CVE References: CVE-2022-27239
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): cifs-utils-5.1-0.16.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): cifs-utils-5.1-0.16.3.1
SUSE-SU-2022:14950-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197216
CVE References: CVE-2022-27239
JIRA References:
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src): cifs-utils-5.1-0.14.3.1
SUSE-SU-2022:1429-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197216
CVE References: CVE-2022-27239
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): cifs-utils-6.9-13.20.1
SUSE OpenStack Cloud 9 (src): cifs-utils-6.9-13.20.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): cifs-utils-6.9-13.20.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): cifs-utils-6.9-13.20.1
SUSE Linux Enterprise Server 12-SP5 (src): cifs-utils-6.9-13.20.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): cifs-utils-6.9-13.20.1
SUSE-SU-2022:2378-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197216
CVE References: CVE-2022-27239
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): cifs-utils-6.15-150400.3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): cifs-utils-6.15-150400.3.6.1