A security issue fixed upstream in cifs-utils has been announced on April 27: https://www.openwall.com/lists/oss-security/2022/04/27/5 The upstream commit that fixed the issue is linked in the message above. Our compiler flags limit the impact to a crash. Mageia 8 is also affected.
Status comment: (none) => Patch available from upstreamWhiteboard: (none) => MGA8TOO
openSUSE has issued an advsiory for this on April 27: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QMGM2N6RR7GOZR7OP37QJTCTTLTTIWUN/
No consistent recent maintainer visible, so have to assign this globally.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this today (May 7): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QIYZ4L6SLSYJQ446VJAO2VGAESURQNSP/ This issue, and another issue, are fixed upstream in 6.15.
Summary: cifs-utils new security issue CVE-2022-27239 => cifs-utils new security issues CVE-2022-27239 and CVE-2022-29869Status comment: Patch available from upstream => Fixed upstream in 6.15
Suggested advisory: ======================== The updated packages fix security vulnerabilities: In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges. (CVE-2022-27239) cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. (CVE-2022-29869) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27239 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29869 https://www.openwall.com/lists/oss-security/2022/04/27/5 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QMGM2N6RR7GOZR7OP37QJTCTTLTTIWUN/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QIYZ4L6SLSYJQ446VJAO2VGAESURQNSP/ ======================== Updated packages in core/updates_testing: ======================== cifs-utils-6.11-2.2.mga8 cifs-utils-devel-6.11-2.2.mga8 from SRPM: cifs-utils-6.11-2.2.mga8.src.rpm
Assignee: pkg-bugs => qa-bugsCVE: (none) => CVE-2022-27239, CVE-2022-29869CC: (none) => nicolas.salgueroSource RPM: cifs-utils-6.13-3.mga9.src.rpm => cifs-utils-6.11-2.1.mga8.src.rpmVersion: Cauldron => 8Whiteboard: MGA8TOO => (none)Status: NEW => ASSIGNEDStatus comment: Fixed upstream in 6.15 => (none)
MGA8-64 Plasma on Lenovo B50 No installation issues. Ref bug 27315for testing I have samba server on my desktop PC, so # mount.cifs //mach1/beelden /mnt/cifstest/ -o domain=WORKGROUP -o username=herman Password for herman@//mach1/beelden: # ls -als /mnt/cifstest/ totaal 1108 0 drwxr-xr-x 2 root root 0 jan 11 15:00 ./ 4 drwxr-xr-x 8 root root 4096 mei 10 14:12 ../ 0 drwxr-xr-x 2 root root 0 jul 27 2020 accessbasis/ 0 drwxr-xr-x 2 root root 0 jul 27 2020 accessfinesses/ 0 drwxr-xr-x 2 root root 0 mrt 28 11:36 Afbeeldingen/ 0 drwxr-xr-x 2 root root 0 dec 3 15:30 fotos/ 820 -rwxr-xr-x 1 root root 838418 mrt 20 2018 Huishouden* 0 drwxr-xr-x 2 root root 0 aug 23 2021 lost+found/ 0 drwxr-xr-x 2 root root 0 jan 12 2019 RawORF/ 208 -rwxr-xr-x 1 root root 209872 jan 6 2019 report.bug.xz* 0 drwxr-xr-x 2 root root 0 nov 16 2016 rietmach2/ 0 drwxr-xr-x 2 root root 0 aug 23 2021 usbsticks/ 76 -rwxr-xr-x 1 root root 74337 feb 1 2019 Xorg.0.log* That works OK.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA8-64-OK
Validating Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0170.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED