Bug 27315 - cifs-utils new security issue CVE-2020-14342
Summary: cifs-utils new security issue CVE-2020-14342
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-09-23 21:34 CEST by David Walser
Modified: 2020-09-27 22:08 CEST (History)
4 users (show)

See Also:
Source RPM: cifs-utils-6.9-6.mga7.src.rpm
Status comment:


Description David Walser 2020-09-23 21:34:22 CEST
SUSE has issued an advisory today (September 23):

The issue is fixed upstream in 6.11:

SUSE also added a fix for an invalid free:
Comment 1 David Walser 2020-09-23 22:21:15 CEST
Actually the invalid free was fixing a previous upstream fix that fixed a memory leak, and I'm guessing SUSE added the fixed fix for that (unless they had previously added the broken fix with the invalid free).

cifs-utils-6.11-1.mga8 uploaded for Cauldron.

Patched package uploaded for Mageia 7.


Updated cifs-utils packages fix security vulnerability:

The mount.cifs utility has a shell injection issue where one can embed shell
commands via the username mount option. Those commands will be run via popen()
in the context of the user calling mount (CVE-2020-14342).


Updated packages in core/updates_testing:

from cifs-utils-6.9-6.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Version: Cauldron => 7

Comment 2 Len Lawrence 2020-09-24 19:18:28 CEST
mga7, x86_64

# cd /usr/sbin
root@difda:sbin # ll mount.cifs
-rwxr-xr-x 1 root root 49176 Apr 15  2019 mount.cifs*
$ nm /usr/sbin/mount.cifs | grep popen
nm: /usr/sbin/mount.cifs: no symbols
# nm /usr/sbin/mount.cifs | grep popen
nm: /usr/sbin/mount.cifs: no symbols

$ sudo mount.cifs -o username='`sh`' //1 /mnt
sh-4.4# mount -a
mount: /proc: permission denied.
sh-4.4# exit
Password for @//1:  
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

$ sudo mount.cifs -o username='`sh`' //1 /mnt
sh-4.4# vi /etc/httpd/conf/conf.d/ssl.conf
Vim: Warning: Output is not to a terminal
sh-4.4# exit
Password for @//1:  ****
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

Updated the two packages and ran the commands as above and saw the same results.
Unsure of how to judge this but to the untrained eye it looked OK before and afterwards but feel a bit uneasy about vi accepting input, even if it is invisible.

No Windows systems here and all network mounts are via NFS.
Passing this over to the experts.
The utilities available seem to be these:
root@difda:sbin # ls *cifs*
cifs.idmap*  cifs.upcall*  mount.cifs*

CC: (none) => tarazed25

Comment 3 David Walser 2020-09-24 21:48:14 CEST
We may not have been affected by this CVE as the SPEC file doesn't require systemd-devel.
Comment 4 Herman Viaene 2020-09-26 14:03:22 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
I have samba server on my desktop PC, so
# mount.cifs -o username=herman //mach1/beelden /mnt/samba/beelden/
Password for herman@//mach1/beelden:  ********
No feedback should be an indication of success.
# df -h
Filesystem       Size  Used Avail Use% Mounted on
devtmpfs         3.9G     0  3.9G   0% /dev
tmpfs            3.9G   59M  3.8G   2% /dev/shm
tmpfs            3.9G  2.1M  3.9G   1% /run
/dev/sda11        29G   13G   15G  47% /
tmpfs            3.9G     0  3.9G   0% /sys/fs/cgroup
tmpfs            3.9G   16K  3.9G   1% /tmp
/dev/sda1        256M   31M  226M  13% /boot/EFI
/dev/sda10       484G   56G  429G  12% /mnt/realhome
/dev/sda4         25G  3.2G   22G  13% /media/win_d
/dev/sda3        199G   68G  131G  35% /media/win_c
tmpfs            788M   16K  788M   1% /run/user/1000
//mach1/beelden  816G  281G  536G  35% /mnt/samba/beelden

# ls -als /mnt/samba/beelden/
total 6148
   0 drwxr-xr-x 2 root root      0 Sep 24 11:45 ./
   4 drwxr-xr-x 3 root root   4096 Jul 25 15:39 ../
   0 drwxr-xr-x 2 root root      0 Aug 12 08:44 Afbeeldingen/
   0 drwxr-xr-x 2 root root      0 Feb 21  2019 fotos/
1024 -rwxr-xr-x 1 root root 838418 Mar 20  2018 Huishouden*
1024 -rwxr-xr-x 1 root root 204561 Feb  1  2019 journalboot.log*
1024 -rwxr-xr-x 1 root root 214038 Feb  1  2019 journalnoboot.log*
   0 drwxr-xr-x 2 root root      0 Dec 29  2013 lost+found/
1024 -rwxr-xr-x 1 root root  33733 Aug 11  2018 parkoersen.pdf*
   0 drwxr-xr-x 2 root root      0 Jan 12  2019 RawORF/
1024 -rwxr-xr-x 1 root root 209872 Jan  6  2019 report.bug.xz*
   0 drwxr-xr-x 2 root root      0 Nov 16  2016 rietmach2/
   0 drwxr-xr-x 2 root root      0 Jun 13  2018 .Trash-1000/
   0 drwxr-xr-x 2 root root      0 Feb 27  2014 usbsticks/
1024 -rwxr-xr-x 1 root root  74337 Feb  1  2019 Xorg.0.log*

So mount worked OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2020-09-27 19:53:46 CEST
Validated update
Adv and packages in Comment 1

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 6 Mageia Robot 2020-09-27 22:08:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.