SUSE has issued an advisory today (September 23): https://lists.suse.com/pipermail/sle-security-updates/2020-September/007471.html The issue is fixed upstream in 6.11: https://lists.samba.org/archive/samba-technical/2020-September/135747.html SUSE also added a fix for an invalid free: https://lkml.kernel.org/r/20190919121226.8756-1-pc@cjr.nz
Actually the invalid free was fixing a previous upstream fix that fixed a memory leak, and I'm guessing SUSE added the fixed fix for that (unless they had previously added the broken fix with the invalid free). cifs-utils-6.11-1.mga8 uploaded for Cauldron. Patched package uploaded for Mageia 7. Advisory: ======================== Updated cifs-utils packages fix security vulnerability: The mount.cifs utility has a shell injection issue where one can embed shell commands via the username mount option. Those commands will be run via popen() in the context of the user calling mount (CVE-2020-14342). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14342 https://lists.samba.org/archive/samba-technical/2020-September/135747.html ======================== Updated packages in core/updates_testing: ======================== cifs-utils-6.9-6.1.mga7 cifs-utils-devel-6.9-6.1.mga7 from cifs-utils-6.9-6.1.mga7.src.rpm
Assignee: bugsquad => qa-bugsVersion: Cauldron => 7
mga7, x86_64 CVE-2020-14342 https://lists.samba.org/archive/samba-technical/2020-September/135747.html # cd /usr/sbin root@difda:sbin # ll mount.cifs -rwxr-xr-x 1 root root 49176 Apr 15 2019 mount.cifs* $ nm /usr/sbin/mount.cifs | grep popen nm: /usr/sbin/mount.cifs: no symbols # nm /usr/sbin/mount.cifs | grep popen nm: /usr/sbin/mount.cifs: no symbols $ sudo mount.cifs -o username='`sh`' //1 /mnt sh-4.4# mount -a mount: /proc: permission denied. sh-4.4# exit exit Password for @//1: mount error(22): Invalid argument Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) $ sudo mount.cifs -o username='`sh`' //1 /mnt sh-4.4# vi /etc/httpd/conf/conf.d/ssl.conf Vim: Warning: Output is not to a terminal sh-4.4# exit exit Password for @//1: **** mount error(22): Invalid argument Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) $ Updated the two packages and ran the commands as above and saw the same results. Unsure of how to judge this but to the untrained eye it looked OK before and afterwards but feel a bit uneasy about vi accepting input, even if it is invisible. No Windows systems here and all network mounts are via NFS. Passing this over to the experts. The utilities available seem to be these: root@difda:sbin # ls *cifs* cifs.idmap* cifs.upcall* mount.cifs*
CC: (none) => tarazed25
We may not have been affected by this CVE as the SPEC file doesn't require systemd-devel.
MGA7-64 Plasma on Lenovo B50 No installation issues. I have samba server on my desktop PC, so # mount.cifs -o username=herman //mach1/beelden /mnt/samba/beelden/ Password for herman@//mach1/beelden: ******** No feedback should be an indication of success. # df -h Filesystem Size Used Avail Use% Mounted on devtmpfs 3.9G 0 3.9G 0% /dev tmpfs 3.9G 59M 3.8G 2% /dev/shm tmpfs 3.9G 2.1M 3.9G 1% /run /dev/sda11 29G 13G 15G 47% / tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup tmpfs 3.9G 16K 3.9G 1% /tmp /dev/sda1 256M 31M 226M 13% /boot/EFI /dev/sda10 484G 56G 429G 12% /mnt/realhome /dev/sda4 25G 3.2G 22G 13% /media/win_d /dev/sda3 199G 68G 131G 35% /media/win_c tmpfs 788M 16K 788M 1% /run/user/1000 //mach1/beelden 816G 281G 536G 35% /mnt/samba/beelden And # ls -als /mnt/samba/beelden/ total 6148 0 drwxr-xr-x 2 root root 0 Sep 24 11:45 ./ 4 drwxr-xr-x 3 root root 4096 Jul 25 15:39 ../ 0 drwxr-xr-x 2 root root 0 Aug 12 08:44 Afbeeldingen/ 0 drwxr-xr-x 2 root root 0 Feb 21 2019 fotos/ 1024 -rwxr-xr-x 1 root root 838418 Mar 20 2018 Huishouden* 1024 -rwxr-xr-x 1 root root 204561 Feb 1 2019 journalboot.log* 1024 -rwxr-xr-x 1 root root 214038 Feb 1 2019 journalnoboot.log* 0 drwxr-xr-x 2 root root 0 Dec 29 2013 lost+found/ 1024 -rwxr-xr-x 1 root root 33733 Aug 11 2018 parkoersen.pdf* 0 drwxr-xr-x 2 root root 0 Jan 12 2019 RawORF/ 1024 -rwxr-xr-x 1 root root 209872 Jan 6 2019 report.bug.xz* 0 drwxr-xr-x 2 root root 0 Nov 16 2016 rietmach2/ 0 drwxr-xr-x 2 root root 0 Jun 13 2018 .Trash-1000/ 0 drwxr-xr-x 2 root root 0 Feb 27 2014 usbsticks/ 1024 -rwxr-xr-x 1 root root 74337 Feb 1 2019 Xorg.0.log* So mount worked OK.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA7-64-OK
Validated update Adv and packages in Comment 1
Keywords: (none) => advisory, validated_updateCC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0376.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED