Bugzilla – Bug 1198976
VUL-0: CVE-2022-29869: cifs-utils: cifs-utils with verbose logging can cause an information leak
Last modified: 2022-08-12 19:19:37 UTC
CVE-2022-29869

cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29869
https://github.com/piastry/cifs-utils/commit/8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379
https://github.com/piastry/cifs-utils/pull/7
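The condition in the CVE description above, sketched as an added example (not cifs-utils code and not part of this bug report). It assumes the verbose diagnostic for an unrecognised `key=value` line echoes the text after `=`; `parse_cred_line`, `known_key`, the key list and the sample line are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Keys a credentials file may legitimately contain (assumed set for this sketch). */
static int known_key(const char *k, size_t n)
{
    static const char *keys[] = { "username", "password", "domain" };
    for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++)
        if (strlen(keys[i]) == n && strncmp(keys[i], k, n) == 0)
            return 1;
    return 0;
}

/*
 * Parse one "key=value" line. On a parse error, write the verbose diagnostic
 * into msg and return -1. echo_value selects the leaky behaviour (1) or the
 * hardened behaviour (0), which reports only the line number.
 */
int parse_cred_line(const char *line, int lineno, int echo_value,
                    char *msg, size_t msglen)
{
    const char *eq = strchr(line, '=');

    msg[0] = '\0';
    if (eq == NULL) {
        snprintf(msg, msglen, "line %d: no '=' separator", lineno);
        return -1;
    }
    if (known_key(line, (size_t)(eq - line)))
        return 0;

    if (echo_value)  /* leaky: file content reaches stderr and logs */
        snprintf(msg, msglen, "line %d: bad credential: %s", lineno, eq + 1);
    else             /* hardened: position only, no file content */
        snprintf(msg, msglen, "line %d: unrecognised key", lineno);
    return -1;
}

int main(void)
{
    /* Constructed sample: a line from a file that is not a credentials file. */
    const char *line = "api_token=EXAMPLE-SECRET-VALUE";
    char msg[128];
    parse_cred_line(line, 1, 1, msg, sizeof(msg));
    fprintf(stderr, "verbose (leaky):    %s\n", msg);
    parse_cred_line(line, 1, 0, msg, sizeof(msg));
    fprintf(stderr, "verbose (hardened): %s\n", msg);
    return 0;
}
```

In both modes the parse fails with the same return code; only the hardened diagnostic keeps the file's content out of stderr and any log that captures it.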
Affected:
- SUSE:SLE-11-SP2:Update/cifs-utils 5.1
- SUSE:SLE-11-SP4:Update/cifs-utils 5.1
- SUSE:SLE-12-SP2:Update/cifs-utils 6.9
- SUSE:SLE-12-SP4:Update/cifs-utils 6.9
- SUSE:SLE-15-SP1:Update/cifs-utils 6.9
- SUSE:SLE-15:Update/cifs-utils 6.9
- SUSE:SLE-15-SP4:Update/cifs-utils 6.14
- openSUSE:Factory/cifs-utils 6.14
<sigh> I argued with the reporter upstream that this should be considered a regular bug, instead of a cifs-utils CVE... It seems that he went through with the CVE request anyway. IMO this should be handled as a regular (non-security) SLES bug, as we don't ship mount.cifs with setuid-root. This means that mount.cifs can only read (and info-leak) files which the invoking user has access to. I'll leave this up to the Samba team to deal with - @Enzo?
The upstream bug is https://bugzilla.samba.org/show_bug.cgi?id=15026 . I tried to make it public, but can't uncheck the "Only users in all of the selected groups can view this bug: [X] CifsVFS developers".
(In reply to David Disseldorp from comment #2)
> <sigh> I argued with the reporter upstream that this should be considered a
> regular bug, instead of a cifs-utils CVE... It seems that he went through
> with the CVE request anyway.
>
> IMO this should be handled as a regular (non-security) SLES bug, as we don't
> ship mount.cifs with setuid-root. This means that mount.cifs can only read
> (and info-leak) files which the invoking user has access to.
>
> I'll leave this up to the Samba team to deal with - @Enzo?

Since it turned into a CVE anyway, I'll backport it into our current maintained codestreams, but since it doesn't look like a CVSS >7.0 bug (no score yet), I'll skip LTSS/Extended -- unless any objections?
If it would not be much hassle, a backport to LTSS would be appreciated, but if it is too much/complex, it is not a requirement :)
(In reply to Hu from comment #1)
> Affected:
> - SUSE:SLE-11-SP2:Update/cifs-utils 5.1
> - SUSE:SLE-11-SP4:Update/cifs-utils 5.1
> - SUSE:SLE-12-SP2:Update/cifs-utils 6.9
> - SUSE:SLE-12-SP4:Update/cifs-utils 6.9
> - SUSE:SLE-15-SP1:Update/cifs-utils 6.9
> - SUSE:SLE-15:Update/cifs-utils 6.9
> - SUSE:SLE-15-SP4:Update/cifs-utils 6.14
> - openSUSE:Factory/cifs-utils 6.14

Submitted to SLE-12-SP4 and newer. Older codestreams are out of LTSS.

Sorry for the delay.
Hi Enzo, in case you missed it, the submission for 15-SP1 has been declined [0]. Could you please submit to this codestream again? We're also missing the fix for 15-SP4. Thanks! :)

[0] https://smelt.suse.de/request/273165/
(In reply to Thomas Leroy from comment #11)
> Hi Enzo, in case you missed it, the submission for 15-SP1 has been declined
> [0]. Could you please submit to this codestream again? We're also missing
> the fix for 15-SP4. Thanks! :)
>
> [0] https://smelt.suse.de/request/273165/

Thanks for the heads up. I got lost in the many submissions hehe

As for 15-SP4, I've created https://build.suse.de/request/show/273124
It's in an accepted state. Is there anything wrong with it?
(In reply to Enzo Matsumiya from comment #12)
> (In reply to Thomas Leroy from comment #11)
> > Hi Enzo, in case you missed it, the submission for 15-SP1 has been declined
> > [0]. Could you please submit to this codestream again? We're also missing
> > the fix for 15-SP4. Thanks! :)
> >
> > [0] https://smelt.suse.de/request/273165/
>
> Thanks for the heads up. I got lost in the many submissions hehe

Forgot to say, I resubmitted as MR#275187
SUSE-SU-2022:2802-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1198976
CVE References: CVE-2022-29869
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): cifs-utils-6.9-13.23.1
SUSE Linux Enterprise Server 12-SP5 (src): cifs-utils-6.9-13.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2801-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1198976
CVE References: CVE-2022-29869
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): cifs-utils-6.9-150100.5.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): cifs-utils-6.9-150100.5.18.1
SUSE Linux Enterprise Micro 5.2 (src): cifs-utils-6.9-150100.5.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.