Dear maintainer, I've prepared an NMU for cifs-utils (versioned as 2:6.11-3.1). The diff is attached to this message.
Regards. -- Sebastian Ramacher
diff -Nru cifs-utils-6.11/debian/changelog cifs-utils-6.11/debian/changelog
--- cifs-utils-6.11/debian/changelog 2021-05-06 21:24:29.000000000 +0200
+++ cifs-utils-6.11/debian/changelog 2021-07-26 23:16:25.000000000 +0200
@@ -1,3 +1,13 @@
+cifs-utils (2:6.11-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload
+
+ [ Hideki Yamane ]
+ * debian/patches
+ - Add 0011-fix-regression-for-CVE-2021-20208.patch (Closes: #989080)
+
+ -- Sebastian Ramacher <sramac...@debian.org> Mon, 26 Jul 2021 23:16:25 +0200
+
cifs-utils (2:6.11-3) unstable; urgency=high
* CVE-2021-20208: cifs.upcall kerberos auth leak in container
diff -Nru cifs-utils-6.11/debian/patches/0011-fix-regression-for-CVE-2021-20208.patch cifs-utils-6.11/debian/patches/0011-fix-regression-for-CVE-2021-20208.patch
--- cifs-utils-6.11/debian/patches/0011-fix-regression-for-CVE-2021-20208.patch 1970-01-01 01:00:00.000000000 +0100
+++ cifs-utils-6.11/debian/patches/0011-fix-regression-for-CVE-2021-20208.patch 2021-07-26 23:16:21.000000000 +0200
@@ -0,0 +1,490 @@
+From 4ca235223d948fe4f3392da28b1471bce36e88d4 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aap...@suse.com>
+Date: Wed, 21 Apr 2021 16:22:15 +0200
+Subject: [PATCH v4] cifs.upcall: fix regression in kerberos mount
+
+The fix for CVE-2021-20208 in commit e461afd ("cifs.upcall: try to use
+container ipc/uts/net/pid/mnt/user namespaces") introduced a
+regression for kerberos mounts when cifs-utils is built with
+libcap-ng. It makes mount fail with ENOKEY "Required key not
+available".
+
+Current state:
+
+mount.cifs
+ '---> mount() ---> kernel
+ negprot, session setup (need security blob for krb)
+ request_key("cifs.spnego", payload="pid=%d;username=...")
+ upcall
+ /sbin/request-key <--------------'
+ reads /etc/request-keys.conf
+ dispatch cifs.spnego request
+ calls /usr/sbin/cifs.upcall <key id>
+ - drop privileges (capabilities)
+ - fetch keyid
+ - parse payload
+ - switch to mount.cifs namespaces
+ - call krb5_xxx() funcs
+ - generate security blob
+ - set key value to security blob
+ '-----------------------------------> kernel
+ put blob in session setup packet
+ continue auth
+ open tcon
+ get share root
+ setup superblock
+mount.cifs mount() returns <-----------'
+
+By the time cifs.upcall tries to switch to namespaces, enough
+capabilities have dropped in trim_capabilities() that it makes setns()
+fail with EPERM.
+
+setns() requires CAP_SYS_ADMIN.
+
+With libcap trim_capabilities() is a no-op.
+
+This fix:
+
+- moves the namespace switch earlier so that operations like
+ setgroups(), setgid(), scanning of pid environment, ... happens in the
+ contained namespaces.
+- moves trim_capabilities() after the namespace switch
+- moves the string processing to decode the key request payload in a
+ child process with minimum capabilities. the decoded data is shared
+ with the parent process via shared memory obtained with mmap().
+
+Fixes: e461afd ("cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces")
+Signed-off-by: Aurelien Aptel <aap...@suse.com>
+---
+ cifs.upcall.c | 214 ++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 139 insertions(+), 75 deletions(-)
+
+Index: cifs-utils/cifs.upcall.c
+===================================================================
+--- cifs-utils.orig/cifs.upcall.c
++++ cifs-utils/cifs.upcall.c
+@@ -52,6 +52,9 @@
+ #include <stdbool.h>
+ #include <errno.h>
+ #include <sched.h>
++#include <sys/mman.h>
++#include <sys/types.h>
++#include <sys/wait.h>
+
+ #include "data_blob.h"
+ #include "spnego.h"
+@@ -777,6 +780,25 @@ handle_krb5_mech(const char *oid, const
+ return retval;
+ }
+
++
++
++struct decoded_args {
++ int ver;
++ char hostname[NI_MAXHOST + 1];
++ char ip[NI_MAXHOST + 1];
++
++/* Max user name length. */
++#define MAX_USERNAME_SIZE 256
++ char username[MAX_USERNAME_SIZE + 1];
++
++ uid_t uid;
++ uid_t creduid;
++ pid_t pid;
++ sectype_t sec;
++
++/*
++ * Flags to keep track of what was provided
++ */
+ #define DKD_HAVE_HOSTNAME 0x1
+ #define DKD_HAVE_VERSION 0x2
+ #define DKD_HAVE_SEC 0x4
+@@ -786,23 +808,13 @@ handle_krb5_mech(const char *oid, const
+ #define DKD_HAVE_CREDUID 0x40
+ #define DKD_HAVE_USERNAME 0x80
+ #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
+-
+-struct decoded_args {
+- int ver;
+- char *hostname;
+- char *ip;
+- char *username;
+- uid_t uid;
+- uid_t creduid;
+- pid_t pid;
+- sectype_t sec;
++ int have;
+ };
+
+ static unsigned int
+-decode_key_description(const char *desc, struct decoded_args *arg)
++__decode_key_description(const char *desc, struct decoded_args *arg)
+ {
+- int len;
+- int retval = 0;
++ size_t len;
+ char *pos;
+ const char *tkn = desc;
+
+@@ -816,13 +828,13 @@ decode_key_description(const char *desc,
+ len = pos - tkn;
+
+ len -= 5;
+- free(arg->hostname);
+- arg->hostname = strndup(tkn + 5, len);
+- if (arg->hostname == NULL) {
+- syslog(LOG_ERR, "Unable to allocate memory");
++ if (len > sizeof(arg->hostname)-1) {
++ syslog(LOG_ERR, "host= value too long for buffer");
+ return 1;
+ }
+- retval |= DKD_HAVE_HOSTNAME;
++ memset(arg->hostname, 0, sizeof(arg->hostname));
++ strncpy(arg->hostname, tkn + 5, len);
++ arg->have |= DKD_HAVE_HOSTNAME;
+ syslog(LOG_DEBUG, "host=%s", arg->hostname);
+ } else if (!strncmp(tkn, "ip4=", 4) || !strncmp(tkn, "ip6=", 4)) {
+ if (pos == NULL)
+@@ -831,13 +843,13 @@ decode_key_description(const char *desc,
+ len = pos - tkn;
+
+ len -= 4;
+- free(arg->ip);
+- arg->ip = strndup(tkn + 4, len);
+- if (arg->ip == NULL) {
+- syslog(LOG_ERR, "Unable to allocate memory");
++ if (len > sizeof(arg->ip)-1) {
++ syslog(LOG_ERR, "ip[46]= value too long for buffer");
+ return 1;
+ }
+- retval |= DKD_HAVE_IP;
++ memset(arg->ip, 0, sizeof(arg->ip));
++ strncpy(arg->ip, tkn + 4, len);
++ arg->have |= DKD_HAVE_IP;
+ syslog(LOG_DEBUG, "ip=%s", arg->ip);
+ } else if (strncmp(tkn, "user=", 5) == 0) {
+ if (pos == NULL)
+@@ -846,13 +858,13 @@ decode_key_description(const char *desc,
+ len = pos - tkn;
+
+ len -= 5;
+- free(arg->username);
+- arg->username = strndup(tkn + 5, len);
+- if (arg->username == NULL) {
+- syslog(LOG_ERR, "Unable to allocate memory");
++ if (len > sizeof(arg->username)-1) {
++ syslog(LOG_ERR, "user= value too long for buffer");
+ return 1;
+ }
+- retval |= DKD_HAVE_USERNAME;
++ memset(arg->username, 0, sizeof(arg->username));
++ strncpy(arg->username, tkn + 5, len);
++ arg->have |= DKD_HAVE_USERNAME;
+ syslog(LOG_DEBUG, "user=%s", arg->username);
+ } else if (strncmp(tkn, "pid=", 4) == 0) {
+ errno = 0;
+@@ -863,13 +875,13 @@ decode_key_description(const char *desc,
+ return 1;
+ }
+ syslog(LOG_DEBUG, "pid=%u", arg->pid);
+- retval |= DKD_HAVE_PID;
++ arg->have |= DKD_HAVE_PID;
+ } else if (strncmp(tkn, "sec=", 4) == 0) {
+ if (strncmp(tkn + 4, "krb5", 4) == 0) {
+- retval |= DKD_HAVE_SEC;
++ arg->have |= DKD_HAVE_SEC;
+ arg->sec = KRB5;
+ } else if (strncmp(tkn + 4, "mskrb5", 6) == 0) {
+- retval |= DKD_HAVE_SEC;
++ arg->have |= DKD_HAVE_SEC;
+ arg->sec = MS_KRB5;
+ }
+ syslog(LOG_DEBUG, "sec=%d", arg->sec);
+@@ -881,7 +893,7 @@ decode_key_description(const char *desc,
+ strerror(errno));
+ return 1;
+ }
+- retval |= DKD_HAVE_UID;
++ arg->have |= DKD_HAVE_UID;
+ syslog(LOG_DEBUG, "uid=%u", arg->uid);
+ } else if (strncmp(tkn, "creduid=", 8) == 0) {
+ errno = 0;
+@@ -891,7 +903,7 @@ decode_key_description(const char *desc,
+ strerror(errno));
+ return 1;
+ }
+- retval |= DKD_HAVE_CREDUID;
++ arg->have |= DKD_HAVE_CREDUID;
+ syslog(LOG_DEBUG, "creduid=%u", arg->creduid);
+ } else if (strncmp(tkn, "ver=", 4) == 0) { /* if version */
+ errno = 0;
+@@ -901,14 +913,56 @@ decode_key_description(const char *desc,
+ strerror(errno));
+ return 1;
+ }
+- retval |= DKD_HAVE_VERSION;
++ arg->have |= DKD_HAVE_VERSION;
+ syslog(LOG_DEBUG, "ver=%d", arg->ver);
+ }
+ if (pos == NULL)
+ break;
+ tkn = pos + 1;
+ } while (tkn);
+- return retval;
++ return 0;
++}
++
++static unsigned int
++decode_key_description(const char *desc, struct decoded_args **arg)
++{
++ pid_t pid;
++ pid_t rc;
++ int status;
++
++ /*
++ * Do all the decoding/string processing in a child process
++ * with low privileges.
++ */
++
++ *arg = mmap(NULL, sizeof(struct decoded_args), PROT_READ | PROT_WRITE,
++ MAP_ANONYMOUS | MAP_SHARED, -1, 0);
++ if (*arg == MAP_FAILED) {
++ syslog(LOG_ERR, "%s: mmap failed: %s", __func__, strerror(errno));
++ return -1;
++ }
++
++ pid = fork();
++ if (pid < 0) {
++ syslog(LOG_ERR, "%s: fork failed: %s", __func__, strerror(errno));
++ munmap(*arg, sizeof(struct decoded_args));
++ *arg = NULL;
++ return -1;
++ }
++ if (pid == 0) {
++ /* do the parsing in child */
++ drop_all_capabilities();
++ exit(__decode_key_description(desc, *arg));
++ }
++
++ rc = waitpid(pid, &status, 0);
++ if (rc < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
++ munmap(*arg, sizeof(struct decoded_args));
++ *arg = NULL;
++ return 1;
++ }
++
++ return 0;
+ }
+
+ static int setup_key(const key_serial_t key, const void *data, size_t datalen)
+@@ -1088,7 +1142,7 @@ int main(const int argc, char *const arg
+ bool try_dns = false, legacy_uid = false , env_probe = true;
+ char *buf;
+ char hostbuf[NI_MAXHOST], *host;
+- struct decoded_args arg;
++ struct decoded_args *arg = NULL;
+ const char *oid;
+ uid_t uid;
+ char *keytab_name = NULL;
+@@ -1099,7 +1153,6 @@ int main(const int argc, char *const arg
+ const char *key_descr = NULL;
+
+ hostbuf[0] = '\0';
+- memset(&arg, 0, sizeof(arg));
+
+ openlog(prog, 0, LOG_DAEMON);
+
+@@ -1140,9 +1193,6 @@ int main(const int argc, char *const arg
+ }
+ }
+
+- if (trim_capabilities(env_probe))
+- goto out;
+-
+ /* is there a key? */
+ if (argc <= optind) {
+ usage();
+@@ -1168,6 +1218,10 @@ int main(const int argc, char *const arg
+
+ syslog(LOG_DEBUG, "key description: %s", buf);
+
++ /*
++ * If we are requested a simple DNS query, do it and exit
++ */
++
+ if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0)
+ key_descr = ".cifs.resolver";
+ else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)
+@@ -1177,33 +1231,42 @@ int main(const int argc, char *const arg
+ goto out;
+ }
+
+- have = decode_key_description(buf, &arg);
++ /*
++ * Otherwise, it's a spnego key request
++ */
++
++ rc = decode_key_description(buf, &arg);
+ free(buf);
+- if ((have & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
++ if (rc) {
++ syslog(LOG_ERR, "failed to decode key description");
++ goto out;
++ }
++
++ if ((arg->have & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
+ syslog(LOG_ERR, "unable to get necessary params from key "
+ "description (0x%x)", have);
+ rc = 1;
+ goto out;
+ }
+
+- if (arg.ver > CIFS_SPNEGO_UPCALL_VERSION) {
++ if (arg->ver > CIFS_SPNEGO_UPCALL_VERSION) {
+ syslog(LOG_ERR, "incompatible kernel upcall version: 0x%x",
+- arg.ver);
++ arg->ver);
+ rc = 1;
+ goto out;
+ }
+
+- if (strlen(arg.hostname) >= NI_MAXHOST) {
++ if (strlen(arg->hostname) >= NI_MAXHOST) {
+ syslog(LOG_ERR, "hostname provided by kernel is too long");
+ rc = 1;
+ goto out;
+
+ }
+
+- if (!legacy_uid && (have & DKD_HAVE_CREDUID))
+- uid = arg.creduid;
+- else if (have & DKD_HAVE_UID)
+- uid = arg.uid;
++ if (!legacy_uid && (arg->have & DKD_HAVE_CREDUID))
++ uid = arg->creduid;
++ else if (arg->have & DKD_HAVE_UID)
++ uid = arg->uid;
+ else {
+ /* no uid= or creduid= parm -- something is wrong */
+ syslog(LOG_ERR, "No uid= or creduid= parm specified");
+@@ -1212,6 +1275,21 @@ int main(const int argc, char *const arg
+ }
+
+ /*
++ * Change to the process's namespace. This means that things will work
++ * acceptably in containers, because we'll be looking at the correct
++ * filesystem and have the correct network configuration.
++ */
++ rc = switch_to_process_ns(arg->pid);
++ if (rc == -1) {
++ syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
++ rc = 1;
++ goto out;
++ }
++
++ if (trim_capabilities(env_probe))
++ goto out;
++
++ /*
+ * The kernel doesn't pass down the gid, so we resort here to scraping
+ * one out of the passwd nss db. Note that this might not reflect the
+ * actual gid of the process that initiated the upcall. While we could
+@@ -1256,20 +1334,7 @@ int main(const int argc, char *const arg
+ * look at the environ file.
+ */
+ env_cachename =
+- get_cachename_from_process_env(env_probe ? arg.pid : 0);
+-
+- /*
+- * Change to the process's namespace. This means that things will work
+- * acceptably in containers, because we'll be looking at the correct
+- * filesystem and have the correct network configuration.
+- */
+- rc = switch_to_process_ns(arg.pid);
+- if (rc == -1) {
+- syslog(LOG_ERR, "unable to switch to process namespace: %s",
+- strerror(errno));
+- rc = 1;
+- goto out;
+- }
++ get_cachename_from_process_env(env_probe ? arg->pid : 0);
+
+ rc = setuid(uid);
+ if (rc == -1) {
+@@ -1291,18 +1356,18 @@ int main(const int argc, char *const arg
+
+ ccache = get_existing_cc(env_cachename);
+ /* Couldn't find credcache? Try to use keytab */
+- if (ccache == NULL && arg.username != NULL)
+- ccache = init_cc_from_keytab(keytab_name, arg.username);
++ if (ccache == NULL && arg->username[0] != '\0')
++ ccache = init_cc_from_keytab(keytab_name, arg->username);
+
+ if (ccache == NULL) {
+ rc = 1;
+ goto out;
+ }
+
+- host = arg.hostname;
++ host = arg->hostname;
+
+ // do mech specific authorization
+- switch (arg.sec) {
++ switch (arg->sec) {
+ case MS_KRB5:
+ case KRB5:
+ /*
+@@ -1318,7 +1383,7 @@ int main(const int argc, char *const arg
+ * TRY only:
+ * cifs/bar.example.com@REALM
+ */
+- if (arg.sec == MS_KRB5)
++ if (arg->sec == MS_KRB5)
+ oid = OID_KERBEROS5_OLD;
+ else
+ oid = OID_KERBEROS5;
+@@ -1375,10 +1440,10 @@ retry_new_hostname:
+ break;
+ }
+
+- if (!try_dns || !(have & DKD_HAVE_IP))
++ if (!try_dns || !(arg->have & DKD_HAVE_IP))
+ break;
+
+- rc = ip_to_fqdn(arg.ip, hostbuf, sizeof(hostbuf));
++ rc = ip_to_fqdn(arg->ip, hostbuf, sizeof(hostbuf));
+ if (rc)
+ break;
+
+@@ -1386,7 +1451,7 @@ retry_new_hostname:
+ host = hostbuf;
+ goto retry_new_hostname;
+ default:
+- syslog(LOG_ERR, "sectype: %d is not implemented", arg.sec);
++ syslog(LOG_ERR, "sectype: %d is not implemented", arg->sec);
+ rc = 1;
+ break;
+ }
+@@ -1404,7 +1469,7 @@ retry_new_hostname:
+ rc = 1;
+ goto out;
+ }
+- keydata->version = arg.ver;
++ keydata->version = arg->ver;
+ keydata->flags = 0;
+ keydata->sesskey_len = sess_key.length;
+ keydata->secblob_len = secblob.length;
+@@ -1430,11 +1495,10 @@ out:
+ krb5_cc_close(context, ccache);
+ if (context)
+ krb5_free_context(context);
+- free(arg.hostname);
+- free(arg.ip);
+- free(arg.username);
+ free(keydata);
+ free(env_cachename);
++ if (arg)
++ munmap(arg, sizeof(*arg));
+ syslog(LOG_DEBUG, "Exit status %ld", rc);
+ return rc;
+ }
diff -Nru cifs-utils-6.11/debian/patches/series cifs-utils-6.11/debian/patches/series
--- cifs-utils-6.11/debian/patches/series 2021-05-06 21:23:29.000000000 +0200
+++ cifs-utils-6.11/debian/patches/series 2021-07-26 23:16:21.000000000 +0200
@@ -2,3 +2,4 @@
0002-Install-hook-relative-to-DESTDIR.patch
0003-Change-script-shbangs-to-python3.patch
0010-CVE-2021-20208.patch
+0011-fix-regression-for-CVE-2021-20208.patch
signature.asc
Description: PGP signature
