Bug 1198976 - (CVE-2022-29869) VUL-0: CVE-2022-29869: cifs-utils: cifs-utils with verbose logging can cause an information leak
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Novell Samba Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/330241/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-29869:4.3:(AV:...
Reported: 2022-04-28 12:10 UTC by Hu
Modified: 2022-10-05 13:20 UTC

Found By: Security Response Team
Description Hu 2022-04-28 12:10:40 UTC
CVE-2022-29869

cifs-utils through 6.14, with verbose logging, can cause an information leak
when a file contains = (equal sign) characters but is not a valid credentials
file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29869
https://github.com/piastry/cifs-utils/commit/8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379
https://github.com/piastry/cifs-utils/pull/7
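
The bug class described above, as an added illustration that is not part of the bug report and is not cifs-utils source: a verbose parser that echoes rejected `key=value` lines copies the content of whatever file it was pointed at into the log, while the hardened variant reports only the line number. The function names, the key set, the log buffer and the sample file are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a private file that is NOT a credentials file. */
static const char SAMPLE[] =
    "# app config\napi_token=constructed-secret-123\nmode=prod\n";

static char logbuf[512];   /* stands in for verbose output on stderr */

/* Simplified key set, an assumption of this example. */
static int known_key(const char *key, size_t n)
{
    static const char *const keys[] = { "username", "password", "domain" };
    for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++)
        if (strlen(keys[i]) == n && strncmp(key, keys[i], n) == 0)
            return 1;
    return 0;
}

/* Parse key=value text and return the verbose log it produced.
 * echo_content != 0 selects the leaky variant that prints rejected lines. */
const char *parse_credentials(const char *text, int echo_content)
{
    int lineno = 0;
    logbuf[0] = '\0';
    while (*text) {
        size_t len = strcspn(text, "\n");
        const char *eq = memchr(text, '=', len);
        size_t used = strlen(logbuf);
        lineno++;
        if (eq && !known_key(text, (size_t)(eq - text))) {
            if (echo_content)   /* leaky: file content reaches the log */
                snprintf(logbuf + used, sizeof(logbuf) - used,
                         "invalid credentials line: %.*s\n", (int)len, text);
            else                /* hardened: position only, no content */
                snprintf(logbuf + used, sizeof(logbuf) - used,
                         "invalid credentials line %d\n", lineno);
        }
        text += len + (text[len] == '\n');
    }
    return logbuf;
}

int main(void)
{
    printf("leaky:\n%s", parse_credentials(SAMPLE, 1));
    printf("hardened:\n%s", parse_credentials(SAMPLE, 0));
    return 0;
}
```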
Comment 1 Hu 2022-04-28 12:10:49 UTC
Affected:
 - SUSE:SLE-11-SP2:Update/cifs-utils    5.1
 - SUSE:SLE-11-SP4:Update/cifs-utils    5.1
 - SUSE:SLE-12-SP2:Update/cifs-utils    6.9
 - SUSE:SLE-12-SP4:Update/cifs-utils    6.9
 - SUSE:SLE-15-SP1:Update/cifs-utils    6.9
 - SUSE:SLE-15:Update/cifs-utils        6.9
 - SUSE:SLE-15-SP4:Update/cifs-utils   6.14
 - openSUSE:Factory/cifs-utils         6.14
Comment 2 David Disseldorp 2022-04-28 12:23:25 UTC
<sigh> I argued with the reporter upstream that this should be considered a regular bug, instead of a cifs-utils CVE... It seems that he went through with the CVE request anyway.

IMO this should be handled as a regular (non-security) SLES bug, as we don't ship mount.cifs with setuid-root. This means that mount.cifs can only read (and info-leak) files which the invoking user has access to.

I'll leave this up to the Samba team to deal with - @Enzo?
Comment 3 David Disseldorp 2022-04-28 12:59:47 UTC
The upstream bug is https://bugzilla.samba.org/show_bug.cgi?id=15026 .
I tried to make it public, but can't uncheck the "Only users in all of the selected groups can view this bug: [X] CifsVFS developers".
Comment 4 Enzo Matsumiya 2022-04-28 15:39:01 UTC
(In reply to David Disseldorp from comment #2)
> <sigh> I argued with the reporter upstream that this should be considered a
> regular bug, instead of a cifs-utils CVE... It seems that he went through
> with the CVE request anyway.
> 
> IMO this should be handled as a regular (non-security) SLES bug, as we don't
> ship mount.cifs with setuid-root. This means that mount.cifs can only read
> (and info-leak) files which the invoking user has access to.
> 
> I'll leave this up to the Samba team to deal with - @Enzo?

Since it turned into a CVE anyway, I'll backport it into our current maintained codestreams, but since it doesn't look like a CVSS >7.0 bug (no score yet), I'll skip LTSS/Extended -- unless any objections?
Comment 5 Hu 2022-04-29 07:33:06 UTC
If it would be not much hassle, a backport to ltss would be appreciated, but if it is too much/complex, it is not a requirement :)
Comment 6 Enzo Matsumiya 2022-05-27 15:16:19 UTC
(In reply to Hu from comment #1)
> Affected:
>  - SUSE:SLE-11-SP2:Update/cifs-utils    5.1
>  - SUSE:SLE-11-SP4:Update/cifs-utils    5.1
>  - SUSE:SLE-12-SP2:Update/cifs-utils    6.9
>  - SUSE:SLE-12-SP4:Update/cifs-utils    6.9
>  - SUSE:SLE-15-SP1:Update/cifs-utils    6.9
>  - SUSE:SLE-15:Update/cifs-utils        6.9
>  - SUSE:SLE-15-SP4:Update/cifs-utils   6.14
>  - openSUSE:Factory/cifs-utils         6.14

Submitted to SLE-12-SP4 and newer. Older codestreams are out of LTSS.

Sorry for the delay.
Comment 11 Thomas Leroy 2022-07-05 14:41:54 UTC
Hi Enzo, in case you missed it, the submission for 15-SP1 has been declined [0]. Could you please submit to this codestream again? We're also missing the fix for 15-SP4. Thanks! :)

[0] https://smelt.suse.de/request/273165/
Comment 12 Enzo Matsumiya 2022-07-05 15:23:29 UTC
(In reply to Thomas Leroy from comment #11)
> Hi Enzo, in case you missed it, the submission for 15-SP1 has been declined
> [0]. Could you please submit to this codestream again? We're also missing
> the fix for 15-SP4. Thanks! :)
> 
> [0] https://smelt.suse.de/request/273165/

Thanks for the heads up. I got lost in the many submissions hehe

As for 15-SP4, I've created https://build.suse.de/request/show/273124

It's in an accepted state. Is there anything wrong with it?
Comment 13 Enzo Matsumiya 2022-07-05 15:24:14 UTC
(In reply to Enzo Matsumiya from comment #12)
> (In reply to Thomas Leroy from comment #11)
> > Hi Enzo, in case you missed it, the submission for 15-SP1 has been declined
> > [0]. Could you please submit to this codestream again? We're also missing
> > the fix for 15-SP4. Thanks! :)
> > 
> > [0] https://smelt.suse.de/request/273165/
> 
> Thanks for the heads up. I got lost in the many submissions hehe

Forgot to say, I resubmitted as MR#275187
Comment 15 Swamp Workflow Management 2022-08-12 19:15:04 UTC
SUSE-SU-2022:2802-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1198976
CVE References: CVE-2022-29869
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    cifs-utils-6.9-13.23.1
SUSE Linux Enterprise Server 12-SP5 (src):    cifs-utils-6.9-13.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2022-08-12 19:19:37 UTC
SUSE-SU-2022:2801-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1198976
CVE References: CVE-2022-29869
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    cifs-utils-6.9-150100.5.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    cifs-utils-6.9-150100.5.18.1
SUSE Linux Enterprise Micro 5.2 (src):    cifs-utils-6.9-150100.5.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Thomas Leroy 2022-08-31 14:21:49 UTC
(In reply to Enzo Matsumiya from comment #13)
> (In reply to Enzo Matsumiya from comment #12)
> > (In reply to Thomas Leroy from comment #11)
> > > Hi Enzo, in case you missed it, the submission for 15-SP1 has been declined
> > > [0]. Could you please submit to this codestream again? We're also missing
> > > the fix for 15-SP4. Thanks! :)
> > > 
> > > [0] https://smelt.suse.de/request/273165/
> > 
> > Thanks for the heads up. I got lost in the many submissions hehe
> 
> Forgot to say, I resubmitted as MR#275187

Thanks Enzo. We miss a fix for the following codestreams, could you please take care of that?
- SUSE:SLE-11-SP2:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-15-SP4:Update

sle11 and sle12 are actually not LTSS only since they have a TD channel, where we should ship every fix, no matter the CVSS...
Comment 18 Swamp Workflow Management 2022-09-01 13:53:04 UTC
openSUSE-SU-2022:2801-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1198976
CVE References: CVE-2022-29869
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    cifs-utils-6.9-150100.5.18.1
Comment 19 Enzo Matsumiya 2022-09-12 17:20:59 UTC
(In reply to Thomas Leroy from comment #17)
> Thanks Enzo. We miss a fix for the following codestreams, could you please
> take care of that?
> - SUSE:SLE-11-SP2:Update

MR#279460

> - SUSE:SLE-12-SP2:Update

MR#279461

> - SUSE:SLE-15-SP4:Update

SLE15-SP4 already had the fix via a version update, but I submitted MR#279459 to include the references to this bug and CVE ID in the changes file.

> sle11 and sle12 are actually not LTSS only since they have a TD channel,
> where we should ship every fix, no matter the CVSS...

Let me know if I missed anything else.
Comment 21 Robert Frohl 2022-09-27 09:23:34 UTC
(In reply to Enzo Matsumiya from comment #19)
> (In reply to Thomas Leroy from comment #17)
> 
> > sle11 and sle12 are actually not LTSS only since they have a TD channel,
> > where we should ship every fix, no matter the CVSS...
> 
> Let me know if I missed anything else.

No, all looks good. Thanks!
Comment 22 Swamp Workflow Management 2022-10-05 13:20:17 UTC
SUSE-SU-2022:3525-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1198976
CVE References: CVE-2022-29869
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    cifs-utils-6.15-150400.3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    cifs-utils-6.15-150400.3.9.1
SUSE Linux Enterprise Micro 5.3 (src):    cifs-utils-6.15-150400.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.