Bug 29056 - cifs-utils new security issue CVE-2021-20208
Summary: cifs-utils new security issue CVE-2021-20208
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-30 23:46 CEST by David Walser
Modified: 2021-06-23 19:14 CEST
CC: 6 users

See Also:
Source RPM: cifs-utils-6.11-2.mga8.src.rpm
CVE: CVE-2021-20208
Status comment:


Description David Walser 2021-05-30 23:46:43 CEST
openSUSE has issued an advisory on May 1:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/65NUX6IGI72XJIWLCF5QOKIKAWWJUMEY/

The issue is fixed upstream in 6.13:
https://bugzilla.samba.org/show_bug.cgi?id=14651

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-30 23:46:57 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 6.13

Comment 1 Nicolas Lécureuil 2021-05-31 15:18:48 CEST
fixed in cauldron

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2021-05-31 16:07:18 CEST
Fixed in mga7/8

      src:
          - cifs-utils-6.9-6.2.mga7
          - cifs-utils-6.11-2.1.mga8

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2021-05-31 19:43:27 CEST
RPMS:
cifs-utils-6.9-6.2.mga7
cifs-utils-devel-6.9-6.2.mga7
cifs-utils-devel-6.11-2.1.mga8
cifs-utils-6.11-2.1.mga8

Status comment: Fixed upstream in 6.13 => (none)

Comment 4 Guillaume Royer 2021-05-31 20:51:05 CEST
MGA8 XFCE, disc mounted with fstab and cifs-utils on my network.

Cifs updated with QA repo and rpms:

cifs-utils-devel-6.11-2.1.mga8
cifs-utils-6.11-2.1.mga8

After reboot all is OK: the disc is still reachable and the files are still readable.

CC: (none) => guillaume.royer

Comment 5 Herman Viaene 2021-06-16 14:41:12 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 27315 for testing
I have samba server on my desktop PC, so
# mount.cifs -o username=herman //mach1/beelden /mnt/beeldencifs/
Password for herman@//mach1/beelden:  ********
# ls -als /mnt/beeldencifs/
total 1108
  0 drwxr-xr-x  2 root root      0 Apr  7 13:43 ./
  4 drwxr-xr-x 12 root root   4096 Jun 16 14:28 ../
  0 drwxr-xr-x  2 root root      0 Jul 27  2020 accessbasis/
  0 drwxr-xr-x  2 root root      0 Jul 27  2020 accessfinesses/
  0 drwxr-xr-x  2 root root      0 May 12 08:41 Afbeeldingen/
  0 drwxr-xr-x  2 root root      0 Apr  6 12:18 datakopie/
  0 drwxr-xr-x  2 root root      0 May 14 08:43 fotos/
820 -rwxr-xr-x  1 root root 838418 Mar 20  2018 Huishouden*
  0 drwxr-xr-x  2 root root      0 Dec 29  2013 lost+found/
  0 drwxr-xr-x  2 root root      0 Jan 12  2019 RawORF/
208 -rwxr-xr-x  1 root root 209872 Jan  6  2019 report.bug.xz*
  0 drwxr-xr-x  2 root root      0 Nov 16  2016 rietmach2/
  0 drwxr-xr-x  2 root root      0 Jun 13  2018 .Trash-1000/
  0 drwxr-xr-x  2 root root      0 Feb 27  2014 usbsticks/
 76 -rwxr-xr-x  1 root root  74337 Feb  1  2019 Xorg.0.log*
So, mount command works OK.

Sidenote: when I try to do the mounting using MCC, the mount hangs for a while, and at the CLI I see the feedback
Password entry required for 'Password for %@//mach1/beelden:' (PID 10603).
Please enter password with the systemd-tty-ask-password-agent tool.
But where is that supposed to be?

CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 6 Herman Viaene 2021-06-18 14:54:16 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
same commands as above, all works OK.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 7 Thomas Andrews 2021-06-18 23:43:09 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Aurelien Oudelet 2021-06-22 20:59:08 CEST
Advisory:
========================

Updated cifs-utils packages fix a security vulnerability:

A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity (CVE-2021-20208).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29056
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20208
 - https://bugzilla.samba.org/show_bug.cgi?id=14651
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/65NUX6IGI72XJIWLCF5QOKIKAWWJUMEY/
========================

Updated packages in core/updates_testing:
========================
cifs-utils-6.9-6.2.mga7
cifs-utils-devel-6.9-6.2.mga7

cifs-utils-6.11-2.1.mga8
cifs-utils-devel-6.11-2.1.mga8

from SRPMs:
cifs-utils-6.9-6.2.mga7.src.rpm
cifs-utils-6.11-2.1.mga8.src.rpm

Keywords: (none) => advisory
CVE: (none) => CVE-2021-20208
Source RPM: cifs-utils-6.12-1.mga9.src.rpm => cifs-utils-6.11-2.mga8.src.rpm
CC: (none) => ouaurelien
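As an added example (not part of this bug report and not Mageia's own QA tooling), the following Python checker tells whether an installed cifs-utils build is at or above the fixed packages named in the advisory above. It implements rpm's segment-wise version ordering instead of relying on `sort -V`, because plain version sort ranks a release of `2.mga8` above `2.1.mga8`, which would mark the old package as already fixed. Assumptions: only the two Mageia releases in the advisory are table-driven (the fixed NVRs are copied from Comment 8); any other release tag is judged against upstream 6.13 only, so a distribution build that backported the fix under an older version number is reported as unfixed. The `rpm -q` query at the end is only run when an `rpm` binary is present; the sample NVRs are constructed for illustration.

```python
"""Check whether an installed cifs-utils build carries the CVE-2021-20208 fix.

Added example, not Mageia tooling. Fixed Mageia builds are the ones listed in
the MGASA advisory text in this bug; anything else falls back to the upstream
fix version 6.13, which undercounts distributions that backported the patch.
"""
import re
import shutil
import subprocess

# Fixed (version, release) per Mageia release tag, from the advisory above.
FIXED_MGA = {
    "mga7": ("6.9", "6.2.mga7"),
    "mga8": ("6.11", "2.1.mga8"),
}
UPSTREAM_FIXED = "6.13"  # Samba bug 14651: fixed in cifs-utils 6.13

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp(): returns -1, 0 or 1 like rpm's own ordering.

    Strings are split into numeric and alphabetic segments. Numeric segments
    compare as integers, alphabetic ones lexically, and a numeric segment is
    always newer than an alphabetic one, so "2.1.mga8" > "2.mga8" (plain
    `sort -V` gets this backwards). Epoch and '~'/'^' handling are omitted.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # leftover segments win


def parse_nvr(nvr: str):
    """'cifs-utils-6.11-2.1.mga8' -> ('cifs-utils', '6.11', '2.1.mga8')."""
    name_ver, _, rel = nvr.rpartition("-")
    name, _, ver = name_ver.rpartition("-")
    if not (name and ver and rel):
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return name, ver, rel


def is_fixed(nvr: str) -> bool:
    """True if the cifs-utils (or cifs-utils-devel) NVR is at/above the fix."""
    name, ver, rel = parse_nvr(nvr)
    if not name.startswith("cifs-utils"):
        raise ValueError(f"expected a cifs-utils package, got {name!r}")
    tag = re.search(r"mga\d+", rel)
    if tag and tag.group(0) in FIXED_MGA:
        fixed_ver, fixed_rel = FIXED_MGA[tag.group(0)]
        c = rpmvercmp(ver, fixed_ver)
        if c == 0:  # same upstream version: the release number decides
            c = rpmvercmp(rel, fixed_rel)
        return c >= 0
    # Unknown release tag: only the upstream version number can be judged.
    return rpmvercmp(ver, UPSTREAM_FIXED) >= 0


def installed_status():
    """Query rpm for the installed package; None if rpm or the package is absent."""
    if shutil.which("rpm") is None:
        return None
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", "cifs-utils"],
        capture_output=True, text=True,
    )
    if out.returncode != 0:
        return None
    nvr = out.stdout.strip().splitlines()[0]
    return nvr, is_fixed(nvr)


if __name__ == "__main__":
    # Constructed sample NVRs: the two fixed builds from this bug, the builds
    # they replace, and a non-Mageia package exercising the upstream fallback.
    for sample in ("cifs-utils-6.9-6.2.mga7", "cifs-utils-6.9-6.mga7",
                   "cifs-utils-6.11-2.1.mga8", "cifs-utils-6.11-2.mga8",
                   "cifs-utils-6.13-1.fc34"):
        print(f"{sample}: {'fixed' if is_fixed(sample) else 'VULNERABLE'}")
    live = installed_status()
    if live:
        print(f"installed {live[0]}: {'fixed' if live[1] else 'VULNERABLE'}")
```

On a Mageia box the last lines print the verdict for the package actually installed; on any other system only the constructed samples are evaluated. Note that the check says nothing about whether Kerberos mounts are used at all (the flaw only matters for `sec=krb5` mounts served by `cifs.upcall`), so a "VULNERABLE" result on a host that never mounts with Kerberos is a reason to update, not evidence of exposure.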

Comment 9 Mageia Robot 2021-06-23 19:14:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0277.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

