Package: cifs-utils / 2:6.11-3.1+deb11u2

Metadata

Package Version Patches format
cifs-utils 2:6.11-3.1+deb11u2 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
0001 Fix fPIE casing.patch | (download)

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 
 [patch] fix -fpie casing

-fpie seems to work, but bhlc complains that -fPIE is missing

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14061
0002 Install hook relative to DESTDIR.patch | (download)

Makefile.am | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 
 [patch] install hook relative to $(destdir)
0003 Change script shbangs to python3.patch | (download)

smb2-quota | 2 1 + 1 - 0 !
smb2-secdesc | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 
 [patch] change script shbangs to python3
0010 CVE 2021 20208.patch | (download)

cifs.upcall.c | 172 172 + 0 - 0 !
1 file changed, 172 insertions(+)

 
 [patch] cifs.upcall: try to use container ipc/uts/net/pid/mnt/user
 namespaces

In certain scenarios (e.g. kerberos multimount), when a process does
syscalls, the kernel sometimes has to query information or trigger
some actions in userspace. To do so it calls the cifs.upcall binary
with information on the process that triggered the syscall in the
first place.

ls(pid=10) ====> open("foo") ====> kernel

                                   that user doesn't have an SMB
                                   session, lets create one using his
                                   kerberos credential cache

                                   call cifs.upcall and ask for krb info
                                   for whoever owns pid=10
                                                         |
                  cifs.upcall --pid 10 <=================+

               ...gather info...
                  return binary blob used
                  when establishing SMB session
                        ===================> kernel
                                              open SMB session, handle
                                              open() syscall
ls <===================================   return open() result to ls

On a system using containers, the kernel is still calling the host
cifs.upcall and using the host configuration (for network, pid, etc).

This patch changes the behaviour of cifs.upcall so that it uses the
calling process namespaces (ls in the example) when doing its
job.

Note that the kernel still calls the binary in the host, but the
binary will place itself the contexts of the calling process
namespaces.

This code makes use of (but shouldn't require) the following kernel
config options and syscall flags:

approx. year   |
introduced     |  config/flags
0011 fix regression for CVE 2021 20208.patch | (download)

cifs.upcall.c | 214 139 + 75 - 0 !
1 file changed, 139 insertions(+), 75 deletions(-)

 
 [patch v4] cifs.upcall: fix regression in kerberos mount

The fix for CVE-2021-20208 in commit e461afd ("cifs.upcall: try to use
container ipc/uts/net/pid/mnt/user namespaces") introduced a
regression for kerberos mounts when cifs-utils is built with
libcap-ng. It makes mount fail with ENOKEY "Required key not
available".

Current state:

mount.cifs
 '
CVE 2022 27239 mount.cifs fix length check for ip op.patch | (download)

mount.cifs.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 
 cve-2022-27239: mount.cifs: fix length check for ip option parsing
mount.cifs fix verbose messages on option parsing.patch | (download)

mount.cifs.c | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 
 mount.cifs: fix verbose messages on option parsing
root_sbindir hook.patch | (download)

Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 
---