Debian Bug report logs -
#665923
file enumeration vulnerability via mount.cifs due to early use of chdir() and error message
Reported by: Nico Golde <nion@debian.org>
Date: Tue, 27 Mar 2012 02:45:01 UTC
Severity: important
Tags: security
Fixed in version cifs-utils/2:5.3-2
Done: Luk Claes <luk@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
:
Bug#665923
; Package samba
.
(Tue, 27 Mar 2012 02:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
.
(Tue, 27 Mar 2012 02:45:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: samba
Severity: grave
Tags: security
Hi,
it was discovered that mount.cifs is doing a chdir to the specified directory
before the fstab file is actually checked. Since mount.cifs is (also on
Debian) installed as setuid, this allows an attacker to use the program to
enumerate the existence of files/directories on the system by checking for the
existence of the error response.
I don't have time to write a patch now or to test that, but a quick look at
mount.cifs.c suggests that this can be fixed just by changing the order of the
execution.
Reference https://bugzilla.samba.org/show_bug.cgi?id=8821
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Bug reassigned from package 'samba' to 'cifs-utils'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org
.
(Tue, 27 Mar 2012 03:03:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
:
Bug#665923
; Package cifs-utils
.
(Tue, 27 Mar 2012 03:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Steve Langasek <vorlon@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
.
(Tue, 27 Mar 2012 03:33:03 GMT) (full text, mbox, link).
Message #12 received at 665923@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
severity 665923 important
reassign 665923 cifs-utils
thanks
On Tue, Mar 27, 2012 at 04:43:41AM +0200, Nico Golde wrote:
> Hi, it was discovered that mount.cifs is doing a chdir to the specified
> directory before the fstab file is actually checked. Since mount.cifs is
> (also on Debian) installed as setuid, this allows an attacker to use the
> program to enumerate the existence of files/directories on the system by
> checking for the existence of the error response.
> I don't have time to write a patch now or to test that, but a quick look
> at mount.cifs.c suggests that this can be fixed just by changing the order
> of the execution.
How does an information leak about the names of files qualify as a "grave"
bug? This doesn't seem consistent with
<http://www.debian.org/Bugs/Developer#severities> to me.
Also, mount.cifs doesn't come from the samba source anymore; reassigning to
cifs-utils.
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]
Severity set to 'important' from 'grave'
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org
.
(Tue, 27 Mar 2012 03:33:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
:
Bug#665923
; Package cifs-utils
.
(Tue, 27 Mar 2012 05:18:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
.
(Tue, 27 Mar 2012 05:18:03 GMT) (full text, mbox, link).
Message #19 received at 665923@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
* Steve Langasek <vorlon@debian.org> [2012-03-27 05:33]:
> On Tue, Mar 27, 2012 at 04:43:41AM +0200, Nico Golde wrote:
> > Hi, it was discovered that mount.cifs is doing a chdir to the specified
> > directory before the fstab file is actually checked. Since mount.cifs is
> > (also on Debian) installed as setuid, this allows an attacker to use the
> > program to enumerate the existence of files/directories on the system by
> > checking for the existence of the error response.
>
> > I don't have time to write a patch now or to test that, but a quick look
> > at mount.cifs.c suggests that this can be fixed just by changing the order
> > of the execution.
>
> How does an information leak about the names of files qualify as a "grave"
> bug? This doesn't seem consistent with
> <http://www.debian.org/Bugs/Developer#severities> to me.
Well it depends on your definition of access to accounts of users. Anyway, I
don't have any deep feelings about this, so no need to discuss this further.
> Also, mount.cifs doesn't come from the samba source anymore; reassigning to
> cifs-utils.
I noticed that right after filing the bug and reassigned it already myself.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
:
Bug#665923
; Package cifs-utils
.
(Tue, 27 Mar 2012 07:45:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian PERRIER <bubulle@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
.
(Tue, 27 Mar 2012 07:45:09 GMT) (full text, mbox, link).
Message #24 received at 665923@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Quoting Steve Langasek (vorlon@debian.org):
> severity 665923 important
> reassign 665923 cifs-utils
> thanks
Luk, are you in position to take care of this? Even though the bug is
not RC, fixing it would be nice. Also, aren't we late by one version
or something with cifs-utils?
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
:
Bug#665923
; Package cifs-utils
.
(Tue, 27 Mar 2012 16:06:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Kurt Seifried <kseifried@redhat.com>
:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
.
(Tue, 27 Mar 2012 16:06:02 GMT) (full text, mbox, link).
Message #29 received at 665923@bugs.debian.org (full text, mbox, reply):
Please use CVE-2012-1586 for this issue as per
http://www.openwall.com/lists/oss-security/2012/03/27/6
--
Kurt Seifried Red Hat Security Response Team (SRT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
:
Bug#665923
; Package cifs-utils
.
(Wed, 28 Mar 2012 06:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
.
(Wed, 28 Mar 2012 06:09:04 GMT) (full text, mbox, link).
Message #34 received at 665923@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
CVE-2012-1586 was assigned to this issue. Please reference this unique
identifier in the changelog once you fix this problem.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
:
Bug#665923
; Package cifs-utils
.
(Wed, 28 Mar 2012 06:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Luk Claes <luk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
.
(Wed, 28 Mar 2012 06:27:04 GMT) (full text, mbox, link).
Message #39 received at 665923@bugs.debian.org (full text, mbox, reply):
On 03/27/2012 04:43 AM, Nico Golde wrote:
> Hi,
Hi Nico
> it was discovered that mount.cifs is doing a chdir to the specified directory
> before the fstab file is actually checked. Since mount.cifs is (also on
> Debian) installed as setuid, this allows an attacker to use the program to
> enumerate the existence of files/directories on the system by checking for the
> existence of the error response.
>
> I don't have time to write a patch now or to test that, but a quick look at
> mount.cifs.c suggests that this can be fixed just by changing the order of the
> execution.
It's not that easy, as that would mean that another security issue gets
reintroduced.
Upstream is looking at it now and very probaby they will just make sure
that the error responses are all the same.
Cheers
Luk
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
:
Bug#665923
; Package cifs-utils
.
(Wed, 28 Mar 2012 06:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Luk Claes <luk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
.
(Wed, 28 Mar 2012 06:33:05 GMT) (full text, mbox, link).
Message #44 received at 665923@bugs.debian.org (full text, mbox, reply):
On 03/27/2012 06:58 AM, Christian PERRIER wrote:
> Quoting Steve Langasek (vorlon@debian.org):
> Luk, are you in position to take care of this? Even though the bug is
> not RC, fixing it would be nice. Also, aren't we late by one version
> or something with cifs-utils?
Upstream is working on the bug.
cifs-utils is up-to-date with stable upstream. Upload happened whitin a
week after upstream's release as usual.
Cheers
Luk
Reply sent
to Luk Claes <luk@debian.org>
:
You have taken responsibility.
(Thu, 29 Mar 2012 18:33:16 GMT) (full text, mbox, link).
Notification sent
to Nico Golde <nion@debian.org>
:
Bug acknowledged by developer.
(Thu, 29 Mar 2012 18:33:16 GMT) (full text, mbox, link).
Message #49 received at 665923-close@bugs.debian.org (full text, mbox, reply):
Source: cifs-utils
Source-Version: 2:5.3-2
We believe that the bug you reported is fixed in the latest version of
cifs-utils, which is due to be installed in the Debian FTP archive:
cifs-utils_5.3-2.debian.tar.gz
to main/c/cifs-utils/cifs-utils_5.3-2.debian.tar.gz
cifs-utils_5.3-2.dsc
to main/c/cifs-utils/cifs-utils_5.3-2.dsc
cifs-utils_5.3-2_i386.deb
to main/c/cifs-utils/cifs-utils_5.3-2_i386.deb
smbfs_5.3-2_i386.deb
to main/c/cifs-utils/smbfs_5.3-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 665923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated cifs-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 29 Mar 2012 20:15:27 +0200
Source: cifs-utils
Binary: cifs-utils smbfs
Architecture: source i386
Version: 2:5.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description:
cifs-utils - Common Internet File System utilities
smbfs - Common Internet File System utilities - compatibility package
Closes: 665923
Changes:
cifs-utils (2:5.3-2) unstable; urgency=high
.
* Drop capabilities instead of having mount.cifs setuid
(Closes: #665923).
Checksums-Sha1:
7245f3c9c6738f588b44be3a399d5caf34b08959 1570 cifs-utils_5.3-2.dsc
864d326a54e883406e089071994eb2bacc956800 5053 cifs-utils_5.3-2.debian.tar.gz
57952797defd5b3ff08ebce689414ffe07786a52 72574 cifs-utils_5.3-2_i386.deb
bcfaeebcff92229c7b524d3a54654bbed08e7d63 5062 smbfs_5.3-2_i386.deb
Checksums-Sha256:
1613cca9a6598f2c155f0188058e68e50298547fe0e0e41bb8531d02c4a00eaf 1570 cifs-utils_5.3-2.dsc
fe0cf787272f9051e0ab29815b1ad53fa3a84acf312d79ad477daf8d13b37e31 5053 cifs-utils_5.3-2.debian.tar.gz
5d43b0e1494a4be27c0c23909545e9e4a5ce6c50b0eaace545e89812d33e7a45 72574 cifs-utils_5.3-2_i386.deb
07a23d46d5df9b6c0e4f4dd05a5640861663e2c4e26697fb06fb96d6890f8fb5 5062 smbfs_5.3-2_i386.deb
Files:
5650d0eb08c60feb06f470f2c1669ff6 1570 otherosfs optional cifs-utils_5.3-2.dsc
cd32ee5e2bb40d325d7bf6c8d09eb571 5053 otherosfs optional cifs-utils_5.3-2.debian.tar.gz
0cf70799d826f9b87483007489f83c68 72574 otherosfs optional cifs-utils_5.3-2_i386.deb
322537143f0982cfaf9d72b5bd062c1e 5062 otherosfs optional smbfs_5.3-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAk90p2UACgkQ5UTeB5t8Mo0bJACfdiuJZmsdoOVGQjWdHk1hqnjn
sXgAoLZd/ncQEzvickQEg+eyqklYPDMm
=hbu7
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 29 Apr 2012 07:34:49 GMT) (full text, mbox, link).
Bug unarchived.
Request was from jmw@debian.org
to control@bugs.debian.org
.
(Sun, 08 Jul 2012 16:22:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
:
Bug#665923
; Package cifs-utils
.
(Mon, 09 Jul 2012 00:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
.
(Mon, 09 Jul 2012 00:42:03 GMT) (full text, mbox, link).
Message #58 received at 665923@bugs.debian.org (full text, mbox, reply):
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/665923/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 06 Aug 2012 07:28:26 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:27:52 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.