file enumeration vulnerability via mount.cifs due to early use of chdir() and error message

Related Vulnerabilities: CVE-2012-1586  

Debian Bug report logs - #665923
file enumeration vulnerability via mount.cifs due to early use of chdir() and error message

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 27 Mar 2012 02:45:01 UTC

Severity: important

Tags: security

Fixed in version cifs-utils/2:5.3-2

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#665923; Package samba. (Tue, 27 Mar 2012 02:45:04 GMT).


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Tue, 27 Mar 2012 02:45:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: file enumeration vulnerability via mount.cifs due to early use of chdir() and error message
Date: Tue, 27 Mar 2012 04:43:41 +0200

Package: samba
Severity: grave
Tags: security

Hi,
it was discovered that mount.cifs is doing a chdir to the specified directory 
before the fstab file is actually checked. Since mount.cifs is (also on 
Debian) installed as setuid, this allows an attacker to use the program to 
enumerate the existence of files/directories on the system by checking for the 
existence of the error response.

I don't have time to write a patch now or to test that, but a quick look at 
mount.cifs.c suggests that this can be fixed just by changing the order of the 
execution.

Reference https://bugzilla.samba.org/show_bug.cgi?id=8821

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Bug reassigned from package 'samba' to 'cifs-utils'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 27 Mar 2012 03:03:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#665923; Package cifs-utils. (Tue, 27 Mar 2012 03:33:03 GMT).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Tue, 27 Mar 2012 03:33:03 GMT).


Message #12 received at 665923@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Nico Golde <nion@debian.org>, 665923@bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#665923: file enumeration vulnerability via mount.cifs due to early use of chdir() and error message
Date: Mon, 26 Mar 2012 20:29:52 -0700

severity 665923 important
reassign 665923 cifs-utils
thanks

On Tue, Mar 27, 2012 at 04:43:41AM +0200, Nico Golde wrote:
> Hi, it was discovered that mount.cifs is doing a chdir to the specified
> directory before the fstab file is actually checked.  Since mount.cifs is
> (also on Debian) installed as setuid, this allows an attacker to use the
> program to enumerate the existence of files/directories on the system by
> checking for the existence of the error response.

> I don't have time to write a patch now or to test that, but a quick look
> at mount.cifs.c suggests that this can be fixed just by changing the order
> of the execution.

How does an information leak about the names of files qualify as a "grave"
bug?  This doesn't seem consistent with
<http://www.debian.org/Bugs/Developer#severities> to me.

Also, mount.cifs doesn't come from the samba source anymore; reassigning to
cifs-utils.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Severity set to 'important' from 'grave' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 27 Mar 2012 03:33:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#665923; Package cifs-utils. (Tue, 27 Mar 2012 05:18:03 GMT).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Tue, 27 Mar 2012 05:18:03 GMT).


Message #19 received at 665923@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 665923@bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#665923: file enumeration vulnerability via mount.cifs due to early use of chdir() and error message
Date: Tue, 27 Mar 2012 07:15:10 +0200

Hi,
* Steve Langasek <vorlon@debian.org> [2012-03-27 05:33]:
> On Tue, Mar 27, 2012 at 04:43:41AM +0200, Nico Golde wrote:
> > Hi, it was discovered that mount.cifs is doing a chdir to the specified
> > directory before the fstab file is actually checked.  Since mount.cifs is
> > (also on Debian) installed as setuid, this allows an attacker to use the
> > program to enumerate the existence of files/directories on the system by
> > checking for the existence of the error response.
> 
> > I don't have time to write a patch now or to test that, but a quick look
> > at mount.cifs.c suggests that this can be fixed just by changing the order
> > of the execution.
> 
> How does an information leak about the names of files qualify as a "grave"
> bug?  This doesn't seem consistent with
> <http://www.debian.org/Bugs/Developer#severities> to me.

Well it depends on your definition of access to accounts of users. Anyway, I 
don't have any deep feelings about this, so no need to discuss this further.

> Also, mount.cifs doesn't come from the samba source anymore; reassigning to
> cifs-utils.

I noticed that right after filing the bug and reassigned it already myself.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#665923; Package cifs-utils. (Tue, 27 Mar 2012 07:45:08 GMT).


Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Tue, 27 Mar 2012 07:45:09 GMT).


Message #24 received at 665923@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: 665923@bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#665923: Bug#665923: file enumeration vulnerability via mount.cifs due to early use of chdir() and error message
Date: Tue, 27 Mar 2012 06:58:30 +0200

Quoting Steve Langasek (vorlon@debian.org):
> severity 665923 important
> reassign 665923 cifs-utils
> thanks


Luk, are you in position to take care of this? Even though the bug is
not RC, fixing it would be nice. Also, aren't we late by one version
or something with cifs-utils?


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#665923; Package cifs-utils. (Tue, 27 Mar 2012 16:06:02 GMT).


Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Tue, 27 Mar 2012 16:06:02 GMT).


Message #29 received at 665923@bugs.debian.org:

From: Kurt Seifried <kseifried@redhat.com>
To: 665923@bugs.debian.org
Subject: Please use CVE-2012-1586 for this issue
Date: Tue, 27 Mar 2012 10:02:14 -0600
Please use CVE-2012-1586 for this issue as per
http://www.openwall.com/lists/oss-security/2012/03/27/6

-- 
Kurt Seifried Red Hat Security Response Team (SRT)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#665923; Package cifs-utils. (Wed, 28 Mar 2012 06:09:03 GMT).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 28 Mar 2012 06:09:04 GMT).


Message #34 received at 665923@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 665923@bugs.debian.org
Subject: got CVE-2012-1586
Date: Wed, 28 Mar 2012 08:06:17 +0200

Hi,
CVE-2012-1586 was assigned to this issue. Please reference this unique 
identifier in the changelog once you fix this problem.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#665923; Package cifs-utils. (Wed, 28 Mar 2012 06:27:04 GMT).


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 28 Mar 2012 06:27:04 GMT).


Message #39 received at 665923@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: Nico Golde <nion@debian.org>, 665923@bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#665923: file enumeration vulnerability via mount.cifs due to early use of chdir() and error message
Date: Wed, 28 Mar 2012 08:22:15 +0200
On 03/27/2012 04:43 AM, Nico Golde wrote:

> Hi,

Hi Nico

> it was discovered that mount.cifs is doing a chdir to the specified directory 
> before the fstab file is actually checked. Since mount.cifs is (also on 
> Debian) installed as setuid, this allows an attacker to use the program to 
> enumerate the existence of files/directories on the system by checking for the 
> existence of the error response.
> 
> I don't have time to write a patch now or to test that, but a quick look at 
> mount.cifs.c suggests that this can be fixed just by changing the order of the 
> execution.

It's not that easy, as that would mean that another security issue gets
reintroduced.

Upstream is looking at it now and very probably they will just make sure
that the error responses are all the same.

Cheers

Luk
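
The pattern discussed in this thread, as an added example that is not part of the bug log or of mount.cifs: a helper that reports chdir() failures with the errno text lets a caller tell "missing" from "exists but is not a directory", while a uniform failure response, the mitigation mentioned in message #39, does not. The function names, messages and temporary paths are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added illustration (constructed names, messages, paths). try_chdir enters
 * `path` and comes back; returns 0 or the errno of the failing call. */
static int try_chdir(const char *path) {
    int saved = open(".", O_RDONLY | O_DIRECTORY), err = 0;
    if (saved < 0)
        return errno;
    if (chdir(path) != 0 || fchdir(saved) != 0)
        err = errno;
    close(saved);
    return err;
}

/* Leaky pattern: the errno text and value reach the caller unchanged. */
int report_verbose(const char *path, char *msg, size_t len) {
    int err = try_chdir(path);
    snprintf(msg, len, "mount error: %s", err ? strerror(err) : "none");
    return err;
}

/* Uniform variant: one message and one status for every failure. */
int report_uniform(const char *path, char *msg, size_t len) {
    int failed = try_chdir(path) != 0;
    snprintf(msg, len, "%s", failed ? "mount error: mount point unusable" : "ok");
    return failed;
}

/* Constructed sample: asks `report` about a regular file (ENOTDIR) and a missing
 * name (ENOENT) in a temp dir. Returns 1 if answers differ, 0 if not, -1 on error. */
int responses_differ(int (*report)(const char *, char *, size_t)) {
    char dir[] = "/tmp/chdir-demo-XXXXXX";
    char file[64], missing[64], m1[128], m2[128];
    int fd, differ = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/present", dir);
    snprintf(missing, sizeof missing, "%s/absent", dir);
    if ((fd = open(file, O_CREAT | O_WRONLY, 0600)) >= 0) {
        close(fd);
        differ = report(file, m1, sizeof m1) != report(missing, m2, sizeof m2)
                 || strcmp(m1, m2) != 0;
        unlink(file);
    }
    rmdir(dir);
    return differ;
}

int main(void) {
    printf("verbose: %d, uniform: %d\n",
           responses_differ(report_verbose), responses_differ(report_uniform));
    return 0;
}
```

In the setuid case described in the report, the chdir() runs with root's access, which is why the distinguishable answers also cover paths the invoking user cannot examine directly.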




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#665923; Package cifs-utils. (Wed, 28 Mar 2012 06:33:05 GMT).


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 28 Mar 2012 06:33:05 GMT).


Message #44 received at 665923@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 665923@bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#665923: Bug#665923: Bug#665923: file enumeration vulnerability via mount.cifs due to early use of chdir() and error message
Date: Wed, 28 Mar 2012 08:29:47 +0200
On 03/27/2012 06:58 AM, Christian PERRIER wrote:
> Quoting Steve Langasek (vorlon@debian.org):

> Luk, are you in position to take care of this? Even though the bug is
> not RC, fixing it would be nice. Also, aren't we late by one version
> or something with cifs-utils?

Upstream is working on the bug.

cifs-utils is up-to-date with stable upstream. Upload happened within a
week after upstream's release as usual.

Cheers

Luk




Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Thu, 29 Mar 2012 18:33:16 GMT).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Thu, 29 Mar 2012 18:33:16 GMT).


Message #49 received at 665923-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 665923-close@bugs.debian.org
Subject: Bug#665923: fixed in cifs-utils 2:5.3-2
Date: Thu, 29 Mar 2012 18:32:40 +0000
Source: cifs-utils
Source-Version: 2:5.3-2

We believe that the bug you reported is fixed in the latest version of
cifs-utils, which is due to be installed in the Debian FTP archive:

cifs-utils_5.3-2.debian.tar.gz
  to main/c/cifs-utils/cifs-utils_5.3-2.debian.tar.gz
cifs-utils_5.3-2.dsc
  to main/c/cifs-utils/cifs-utils_5.3-2.dsc
cifs-utils_5.3-2_i386.deb
  to main/c/cifs-utils/cifs-utils_5.3-2_i386.deb
smbfs_5.3-2_i386.deb
  to main/c/cifs-utils/smbfs_5.3-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 665923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated cifs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 29 Mar 2012 20:15:27 +0200
Source: cifs-utils
Binary: cifs-utils smbfs
Architecture: source i386
Version: 2:5.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 cifs-utils - Common Internet File System utilities
 smbfs      - Common Internet File System utilities - compatibility package
Closes: 665923
Changes: 
 cifs-utils (2:5.3-2) unstable; urgency=high
 .
   * Drop capabilities instead of having mount.cifs setuid
     (Closes: #665923).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Apr 2012 07:34:49 GMT).


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Sun, 08 Jul 2012 16:22:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#665923; Package cifs-utils. (Mon, 09 Jul 2012 00:42:03 GMT).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Mon, 09 Jul 2012 00:42:03 GMT).


Message #58 received at 665923@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 665923@bugs.debian.org
Subject: Re: file enumeration vulnerability via mount.cifs due to early use of chdir() and error message
Date: Sun, 08 Jul 2012 19:15:04 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/665923/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Aug 2012 07:28:26 GMT).

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:27:52 2019; Machine Name: beach
