[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Released in Focal 5.4.0-218.238.

** Changed in: linux (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2099914

Title:
  CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099914/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux-azure-fips/6.8.0-1034.39+fips1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-azure-fips' to 'verification-done-noble-linux-azure-fips'. If the problem still exists, change the tag 'verification-needed-noble-linux-azure-fips' to 'verification-failed-noble-linux-azure-fips'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Thank you!

** Tags added: kernel-spammed-noble-linux-azure-fips-v2 verification-needed-noble-linux-azure-fips
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux-xilinx/6.8.0-1017.18 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-xilinx' to 'verification-done-noble-linux-xilinx'. If the problem still exists, change the tag 'verification-needed-noble-linux-xilinx' to 'verification-failed-noble-linux-xilinx'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Thank you!

** Tags added: kernel-spammed-noble-linux-xilinx-v2 verification-needed-noble-linux-xilinx
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux-gcp-fips/6.8.0-1035.37+fips1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-gcp-fips' to 'verification-done-noble-linux-gcp-fips'. If the problem still exists, change the tag 'verification-needed-noble-linux-gcp-fips' to 'verification-failed-noble-linux-gcp-fips'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Thank you!

** Tags added: kernel-spammed-noble-linux-gcp-fips-v2 verification-needed-noble-linux-gcp-fips
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux-aws-fips/6.8.0-1034.36+fips1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-aws-fips' to 'verification-done-noble-linux-aws-fips'. If the problem still exists, change the tag 'verification-needed-noble-linux-aws-fips' to 'verification-failed-noble-linux-aws-fips'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Thank you!

** Tags added: kernel-spammed-noble-linux-aws-fips-v2 verification-needed-noble-linux-aws-fips
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux-fips/6.8.0-72.72+fips1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-fips' to 'verification-done-noble-linux-fips'. If the problem still exists, change the tag 'verification-needed-noble-linux-fips' to 'verification-failed-noble-linux-fips'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Thank you!

** Tags added: kernel-spammed-noble-linux-fips-v2 verification-needed-noble-linux-fips
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux-nvidia-6.11/6.11.0-1012.12 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-nvidia-6.11' to 'verification-done-noble-linux-nvidia-6.11'. If the problem still exists, change the tag 'verification-needed-noble-linux-nvidia-6.11' to 'verification-failed-noble-linux-nvidia-6.11'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Thank you!

** Tags added: kernel-spammed-noble-linux-nvidia-6.11-v2 verification-needed-noble-linux-nvidia-6.11
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux-nvidia-tegra/6.8.0-1007.7 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-nvidia-tegra' to 'verification-done-noble-linux-nvidia-tegra'. If the problem still exists, change the tag 'verification-needed-noble-linux-nvidia-tegra' to 'verification-failed-noble-linux-nvidia-tegra'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Thank you!

** Tags added: kernel-spammed-noble-linux-nvidia-tegra-v2 verification-needed-noble-linux-nvidia-tegra
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux-intel-iotg-5.15/5.15.0-1083.89~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-intel-iotg-5.15' to 'verification-done-focal-linux-intel-iotg-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-intel-iotg-5.15' to 'verification-failed-focal-linux-intel-iotg-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Thank you!

** Tags added: kernel-spammed-focal-linux-intel-iotg-5.15-v2 verification-needed-focal-linux-intel-iotg-5.15
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug was fixed in the package linux - 6.11.0-28.28
---
linux (6.11.0-28.28) oracular; urgency=medium
* oracular/linux: 6.11.0-28.28 -proposed tracker (LP: #2110681)
* Oracular update: upstream stable patchset 2025-05-07 (LP: #2110173)
- drm/dp_mst: Factor out function to queue a topology probe work
- drm/dp_mst: Add a helper to queue a topology probe
- drm/amd/display: Don't write DP_MSTM_CTRL after LT
- watch_queue: fix pipe accounting mismatch
- x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
- cpufreq: scpi: compare kHz instead of Hz
- smack: dont compile ipv6 code unless ipv6 is configured
- smack: ipv4/ipv6: tcp/dccp/sctp: fix incorrect child socket label
- sched: Cancel the slice protection of the idle entity
- cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
- EDAC/{skx_common,i10nm}: Fix some missing error reports on Emerald Rapids
- x86/fpu: Fix guest FPU state buffer allocation size
- x86/fpu: Avoid copying dynamic FP state from init_task in
arch_dup_task_struct()
- x86/platform: Only allow CONFIG_EISA for 32-bit
- [Config] updateconfigs for EISA
- x86/sev: Add missing RIP_REL_REF() invocations during sme_enable()
- lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock
- PM: sleep: Adjust check before setting power.must_resume
- cpufreq: tegra194: Allow building for Tegra234
- RISC-V: KVM: Disable the kernel perf counter during configure
- kunit/stackinit: Use fill byte different from Clang i386 pattern
- watchdog/hardlockup/perf: Fix perf_event memory leak
- selinux: Chain up tool resolving errors in install_policy.sh
- EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
- EDAC/ie31200: Fix the DIMM size mask for several SoCs
- EDAC/ie31200: Fix the error path order of ie31200_init()
- x86/resctrl: Fix allocation of cleanest CLOSID on platforms with no
monitors
- thermal: int340x: Add NULL check for adev
- PM: sleep: Fix handling devices with direct_complete set on errors
- lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()
- perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
- x86/traps: Make exc_double_fault() consistently noreturn
- x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures
- x86/entry: Add __init to ia32_emulation_override_cmdline()
- regulator: pca9450: Fix enable register for LDO5
- auxdisplay: MAX6959 should select BITREVERSE
- media: verisilicon: HEVC: Initialize start_bit field
- media: platform: allgro-dvt: unregister v4l2_device on the error path
- auxdisplay: panel: Fix an API misuse in panel.c
- platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: Make symbol static
- platform/x86: dell-uart-backlight: Make dell_uart_bl_serdev_driver static
- platform/x86: dell-ddv: Fix temperature calculation
- ASoC: cs35l41: check the return value from spi_setup()
- ASoC: amd: acp: Fix for enabling DMIC on acp platforms via _DSD entry
- HID: remove superfluous (and wrong) Makefile entry for
CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
- dt-bindings: vendor-prefixes: add GOcontroll
- ALSA: hda/realtek: Always honor no_shutup_pins
- ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio
compatible
- ALSA: timer: Don't take register_mutex with copy_from/to_user()
- drm/bridge: ti-sn65dsi86: Fix multiple instances
- drm/ssd130x: Set SPI .id_table to prevent an SPI core warning
- drm/ssd130x: fix ssd132x encoding
- drm/ssd130x: ensure ssd132x pitch is correct
- drm/dp_mst: Fix drm RAD print
- drm/bridge: it6505: fix HDCP V match check is not performed correctly
- drm: xlnx: zynqmp: Fix max dma segment size
- drm/vkms: Fix use after free and double free on init error
- gpu: cdns-mhdp8546: fix call balance of mhdp->clk handling routines
- drm/amdgpu: refine smu send msg debug log format
- drm/amdgpu/umsch: fix ucode check
- PCI: Use downstream bridges for distributing resources
- PCI: Remove add_align overwrite unrelated to size0
- drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
- drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
- PCI/ASPM: Fix link state exit during switch upstream function removal
- drm/panel: ilitek-ili9882t: fix GPIO name in error message
- PCI/ACS: Fix 'pci=config_acs=' parameter
- drm/amd/display: fix an indent issue in DML21
- drm/msm/dpu: don't use active in atomic_check()
- drm/msm/dsi/phy: Program clock inverters in correct register
- drm/msm/dsi: Use existing per-interface slice count in DSC timing
- drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host
- drm/amdkfd: Fix Circular Locking Dependency in
'svm_range_cpu_invalidate_pagetables'
- PCI: cadence-ep: Fix the driver to send MSG TLP for INTx wi
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug was fixed in the package linux - 5.15.0-142.152

---
linux (5.15.0-142.152) jammy; urgency=medium

* jammy/linux: 5.15.0-142.152 -proposed tracker (LP: #2110829)

* Rotate the Canonical Livepatch key (LP: #2111244)
- [Config] Prepare for Canonical Livepatch key rotation

* Jammy generic-64k fails to initialize gVNIC devices (LP: #2109537)
- gve: Perform adminq allocations through a dma_pool.
- gve: Deprecate adminq_pfn for pci revision 0x1.
- gve: Remove obsolete checks that rely on page size.
- gve: Add page size register to the register_page_list command.
- gve: Remove dependency on 4k page size.

* CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache (LP: #2099914) // CVE-2025-2312
- CIFS: New mount option for cifs.upcall namespace resolution

* [UBUNTU 22.04] net/smc: fix neighbour and rtable leak in smc_ib_find_route() (LP: #2109601) // CVE-2024-36945
- net/smc: fix neighbour and rtable leak in smc_ib_find_route()

* Jammy update: v5.15.180 upstream stable release (LP: #2109355)
- clockevents/drivers/i8253: Fix stop sequence for timer 0
- sched/isolation: Prevent boot crash when the boot CPU is nohz_full
- fbdev: hyperv_fb: iounmap() the correct memory when removing a device
- pinctrl: bcm281xx: Fix incorrect regmap max_registers value
- netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template.
- net: dsa: mv88e6xxx: Verify after ATU Load ops
- netpoll: hold rcu read lock in __netpoll_send_skb()
- Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()
- ipvs: prevent integer overflow in do_ip_vs_get_ctl()
- netfilter: nft_exthdr: fix offset with ipv4_find_option()
- gre: Fix IPv6 link-local address generation.
- slab: clean up function prototypes
- slab: Introduce kmalloc_size_roundup()
- openvswitch: Use kmalloc_size_roundup() to match ksize() usage
- net: openvswitch: remove misbehaving actions length check
- net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices
- nvme-fc: go straight to connecting state when initializing
- hrtimers: Mark is_migration_base() with __always_inline
- powercap: call put_device() on an error path in powercap_register_control_type()
- scsi: core: Use GFP_NOIO to avoid circular locking dependency
- ACPI: resource: IRQ override for Eluktronics MECH-17
- alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support
- vboxsf: fix building with GCC 15
- HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell
- sched: Clarify wake_up_q()'s write to task->wake_q.next
- s390/cio: Fix CHPID "configure" attribute caching
- thermal/cpufreq_cooling: Remove structure member documentation
- ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()
- ASoC: arizona/madera: use fsleep() in up/down DAPM event delays.
- ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module
- net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors
- nvmet-rdma: recheck queue state is LIVE in state lock in recv done
- sctp: Fix undefined behavior in left shift operation
- nvme: only allow entering LIVE from CONNECTING state
- ASoC: tas2770: Fix volume scale
- ASoC: tas2764: Fix power control mask
- ASoC: tas2764: Set the SDOUT polarity correctly
- fuse: don't truncate cached, mutated symlink
- x86/irq: Define trace events conditionally
- mptcp: safety check before fallback
- drm/nouveau: Do not override forced connector status
- block: fix 'kmem_cache of name 'bio-108' already exists'
- USB: serial: ftdi_sio: add support for Altera USB Blaster 3
- USB: serial: option: add Telit Cinterion FE990B compositions
- USB: serial: option: fix Telit Cinterion FE990A name
- USB: serial: option: match on interface class for Telit FN990B
- drm/atomic: Filter out redundant DPMS calls
- drm/amd/display: Restore correct backlight brightness after a GPU reset
- qlcnic: fix memory leak issues in qlcnic_sriov_common.c
- lib/buildid: Handle memfd_secret() files in build_id_parse()
- tcp: fix races in tcp_abort()
- ASoC: ops: Consistently treat platform_max as control value
- drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
- ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
- cifs: Fix integer overflow while processing actimeo mount option
- i2c: ali1535: Fix an error handling path in ali1535_probe()
- i2c: ali15x3: Fix an error handling path in ali15x3_probe()
- i2c: sis630: Fix an error handling path in sis630_probe()
- drm/amd/display: Check for invalid input params when building scaling params
- smb: client: Fix match_session bug preventing session reuse
- Revert "smb: client: fix potential UAF in cifs_debug_files_proc_show()"
- smb: clien
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug was fixed in the package linux - 6.8.0-62.65
---
linux (6.8.0-62.65) noble; urgency=medium
* noble/linux: 6.8.0-62.65 -proposed tracker (LP: #2110737)
* Rotate the Canonical Livepatch key (LP: #2111244)
- [Config] Prepare for Canonical Livepatch key rotation
* KVM bug causes Firecracker crash when it runs the vCPU for the first time
(LP: #2109859)
- vhost: return task creation error instead of NULL
- kvm: retry nx_huge_page_recovery_thread creation
* CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
(LP: #2099914) // CVE-2025-2312
- CIFS: New mount option for cifs.upcall namespace resolution
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640)
- ASoC: wm8994: Add depends on MFD core
- ASoC: samsung: Add missing selects for MFD_WM8994
- seccomp: Stub for !CONFIG_SECCOMP
- scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS
request
- of/unittest: Add test that of_address_to_resource() fails on non-
translatable address
- irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
- hwmon: (drivetemp) Set scsi command timeout to 10s
- ASoC: samsung: Add missing depends on I2C
- ata: libata-core: Set ATA_QCFLAG_RTF_FILLED in fill_result_tf()
- Revert "libfs: fix infinite directory reads for offset dir"
- libfs: Replace simple_offset end-of-directory detection
- Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad"
- ALSA: usb-audio: Add delay quirk for USB Audio Device
- Input: xpad - add support for Nacon Pro Compact
- Input: atkbd - map F23 key to support default copilot shortcut
- Input: xpad - add unofficial Xbox 360 wireless receiver clone
- Input: xpad - add QH Electronics VID/PID
- Input: xpad - improve name of 8BitDo controller 2dc8:3106
- Input: xpad - add support for Nacon Evol-X Xbox One Controller
- Input: xpad - add support for wooting two he (arm)
- ASoC: codecs: es8316: Fix HW rate calculation for 48Mhz MCLK
- ASoC: cs42l43: Add codec force suspend/resume ops
- ALSA: hda/realtek: Fix volume adjustment issue on Lenovo ThinkBook 16P
Gen5
- libfs: Return ENOSPC when the directory offset range is exhausted
- Revert "libfs: Add simple_offset_empty()"
- libfs: Use d_children list to iterate simple_offset directories
- wifi: rtl8xxxu: add more missing rtl8192cu USB IDs
- HID: wacom: Initialize brightness of LED trigger
- Upstream stable to v6.6.75, v6.12.12
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21689
- USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21690
- scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21691
- cachestat: fix page cache statistics permission checking
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21692
- net: sched: fix ets qdisc OOB Indexing
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21699
- gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2024-50157
- RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop
* rtw89: Support hardware rfkill (LP: #2077384)
- wifi: rtw89: add support for hardware rfkill
* Introduce configfs-based interface for gpio-aggregator (LP: #2103496)
- gpio: introduce utilities for synchronous fake device creation
- bitmap: Define a cleanup function for bitmaps
- gpio: aggregator: simplify aggr_parse() with scoped bitmap
- gpio: aggregator: protect driver attr handlers against module unload
- gpio: aggregator: reorder functions to prepare for configfs introduction
- gpio: aggregator: unify function naming
- gpio: aggregator: add gpio_aggregator_{alloc, free}()
- gpio: aggregator: introduce basic configfs interface
- [Config] Enable DEV_SYNC_PROBE as module
- SAUCE: gpio: aggregator: Fix error code in gpio_aggregator_activate()
- gpio: aggregator: rename 'name' to 'key' in gpio_aggregator_parse()
- gpio: aggregator: expose aggregator created via legacy sysfs to configfs
- SAUCE: gpio: aggregator: fix "_sysfs" prefix check in
gpio_aggregator_make_group()
- SAUCE: gpio: aggregator: Fix gpio_aggregator_line_alloc() checking
- SAUCE: gpio: aggregator: Return an error if there are no GPIOs in
gpio_aggregator_parse()
- SAUCE: gpio: aggregator: Fix leak in gpio_aggregator_parse()
- gpio: aggregator: cancel deferred probe for devices created via configfs
- Documentation: gpio: document configfs interface for gpio-aggregator
- selftests: gpio: add test cases for gpio-aggregator
-
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Tags removed: verification-needed-noble-linux-azure-nvidia
** Tags added: verification-done-noble-linux-azure-nvidia
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Bug covering the regression: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux-azure-nvidia/6.8.0-1018.19 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-azure-nvidia' to 'verification-done-noble-linux-azure-nvidia'. If the problem still exists, change the tag 'verification-needed-noble-linux-azure-nvidia' to 'verification-failed-noble-linux-azure-nvidia'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Thank you!

** Tags added: kernel-spammed-noble-linux-azure-nvidia-v2 verification-needed-noble-linux-azure-nvidia
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Re: comment#22
> Let me know if it fixes the issue.

Thanks, I can confirm I can mount CIFS shares again with 2:6.14-1ubuntu0.2+sf407276v20250531b1 on jammy with Linux 6.8.0-60-generic (provided I don't pass an upcall_target mount option, which is still rejected).
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Hi Stephane, or anyone else affected,

I have some test packages that contain the fix:

get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED)) ? arg->pid : 0);

in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression-test

Please note this package is NOT SUPPORTED by Canonical, and is for TESTING PURPOSES ONLY. ONLY Install in a dedicated test environment.

Instructions to Install (On a focal, jammy, noble, oracular, plucky system):
1) sudo add-apt-repository ppa:mruffell/sf407276-regression-test
2) sudo apt update
3) sudo apt install cifs-utils
4) sudo apt-cache policy cifs-utils | grep Installed
Check for +sf407276v20250531b1

Let me know if it fixes the issue. I am currently testing this in my own lab, will write back if it fixes for me as soon as I can reproduce.

Bharath left me some notes, which I am following:

Seems like this bug may affect following scenarios while using KRB5CCNAME env variable to explicitly specify the credential cache:
1) When kernel does not include the relevant change AND
2) The mount operation is performed with either of below:
   a) the filesystem is mounted by a non-root user via sudo and/or specified uid=!0, or
   b) the multiuser mount option specified, or
   c) the cruid mount option specified

Thanks,
Matthew
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Hi Stephane,

I am speaking with Bharath and other cifs-utils developers. They are suggesting we can fix it with:

get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED)) ? arg->pid : 0);

I agree that it should fix the issue. I am building new test packages right now. Will write back once they are ready.

Thanks,
Matthew
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Hi Stephane,

I sincerely apologise for causing this regression. I did try and cover all the combinations with patched / unpatched kernel and patched / unpatched cifs-utils, but it seems I missed this one. It seems I only tested kerberos credential caches in the default locations, and never hit the bug.

It is also pretty unfortunate that the kernel rejects any unknown parameters, as it would have been an easy workaround.

Are you okay with running 5.15.0-142-generic from jammy-proposed as a fix in the meantime? The SRU cycle is due to complete the week of 16th of June, https://kernel.ubuntu.com/, when it will likely be released to -updates.

You can also downgrade cifs-utils to 2:6.14-1ubuntu0.1 in the meantime.

I will speak to some of my colleagues and think about potentially changing

    + get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);

to something a little more reasonable. I just need to balance regression risk vs closing the actual CVE, to try not to cause any further disruption.

Again, I am sorry for any inconvenience caused.

Thanks,
Matthew
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
The change breaks CIFS mounts with Kerberos for me in jammy unless I
install Linux 5.15.0-142-generic from jammy-proposed.
The fix is missing the release of the new 5.15, 6.8 kernels in jammy at
least.
The debian/patches/CVE-2025-2312-1.patch has:
@@ -1384,7 +1423,7 @@
* look at the environ file.
*/
env_cachename =
- get_cachename_from_process_env(env_probe ? arg->pid : 0);
+ get_cachename_from_process_env((env_probe &&
(arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
rc = setuid(uid);
if (rc == -1) {
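Review bot: the new condition on the `+ get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);` line ties the environment probe to a field that only a kernel carrying the matching change ever fills in; on a kernel that does not send upcall_target, arg->upcall_target keeps its unspecified default, the pid is forced to 0 and cifs.upcall silently falls back to the default ccache instead of the caller's KRB5CCNAME, which is the behaviour change reported in this thread. Suggest treating the unspecified value like UPTARGET_APP so an unpatched kernel keeps the pre-patch behaviour, i.e. `(env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED)) ? arg->pid : 0`, and documenting in the patch header that the "app" target is only effective once the kernel side is present.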
Which means if the kernel hasn't been patched, cifs.upcall will look for
credential cache in default locations as arg->upcall_target won't be
UPTARGET_APP, and not in the environment of the calling process which has the
right value.
Also, passing -o upcall_target=anything as per the new mount.cifs man
page fails with invalid option (rejected by the kernel).
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug was fixed in the package cifs-utils - 2:6.9-1ubuntu0.3

---
cifs-utils (2:6.9-1ubuntu0.3) focal-security; urgency=medium

  * Skip checking the Kerberos TGT if a valid service ticket is available.
    (LP: #2099917)
    - d/p/lp2099917-cifs-utils-Skip-TGT-check-if-valid-service.patch
  * SECURITY UPDATE: namespace confusion may lead to disclosing sensitive
    data from host Kerberos credentials cache. (LP: #2099914)
    - d/p/CVE-2025-2312-1.patch: CIFS.upcall to accommodate new namespace
      mount opt.
    - d/p/CVE-2025-2312-2.patch: cifs-utils: add documentation for
      upcall_target.
    - CVE-2025-2312

 -- Matthew Ruffell  Wed, 02 Apr 2025 17:10:02 +1300
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug was fixed in the package cifs-utils - 2:7.0-2.1ubuntu0.1

---
cifs-utils (2:7.0-2.1ubuntu0.1) oracular-security; urgency=medium

  * Skip checking the Kerberos TGT if a valid service ticket is available.
    (LP: #2099917)
    - d/p/lp2099917-cifs-utils-Skip-TGT-check-if-valid-service.patch
  * SECURITY UPDATE: namespace confusion may lead to disclosing sensitive
    data from host Kerberos credentials cache. (LP: #2099914)
    - d/p/CVE-2025-2312-1.patch: CIFS.upcall to accommodate new namespace
      mount opt.
    - d/p/CVE-2025-2312-2.patch: cifs-utils: add documentation for
      upcall_target.
    - CVE-2025-2312

 -- Matthew Ruffell  Wed, 02 Apr 2025 15:48:31 +1300

** Changed in: cifs-utils (Ubuntu Oracular)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-2312

** Changed in: cifs-utils (Ubuntu Noble)
       Status: In Progress => Fix Released
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug was fixed in the package cifs-utils - 2:6.14-1ubuntu0.2

---
cifs-utils (2:6.14-1ubuntu0.2) jammy-security; urgency=medium

  * Skip checking the Kerberos TGT if a valid service ticket is available.
    (LP: #2099917)
    - d/p/lp2099917-cifs-utils-Skip-TGT-check-if-valid-service.patch
  * SECURITY UPDATE: namespace confusion may lead to disclosing sensitive
    data from host Kerberos credentials cache. (LP: #2099914)
    - d/p/CVE-2025-2312-1.patch: CIFS.upcall to accommodate new namespace
      mount opt.
    - d/p/CVE-2025-2312-2.patch: cifs-utils: add documentation for
      upcall_target.
    - CVE-2025-2312

 -- Matthew Ruffell  Wed, 02 Apr 2025 16:56:51 +1300

** Changed in: cifs-utils (Ubuntu Focal)
       Status: In Progress => Fix Released
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug was fixed in the package cifs-utils - 2:7.0-2ubuntu0.1

---
cifs-utils (2:7.0-2ubuntu0.1) noble-security; urgency=medium

  * Skip checking the Kerberos TGT if a valid service ticket is available.
    (LP: #2099917)
    - d/p/lp2099917-cifs-utils-Skip-TGT-check-if-valid-service.patch
  * SECURITY UPDATE: namespace confusion may lead to disclosing sensitive
    data from host Kerberos credentials cache. (LP: #2099914)
    - d/p/CVE-2025-2312-1.patch: CIFS.upcall to accommodate new namespace
      mount opt.
    - d/p/CVE-2025-2312-2.patch: cifs-utils: add documentation for
      upcall_target.
    - CVE-2025-2312

 -- Matthew Ruffell  Wed, 02 Apr 2025 16:33:05 +1300

** Changed in: cifs-utils (Ubuntu Jammy)
       Status: In Progress => Fix Released
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Performing verification for focal. This will cover both the kernel and the cifs-utils package, both in -proposed.

This is going to be long, as we need to test:

* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils

I started a fresh focal VM, with:

kernel 5.4.0-216-generic from -updates
cifs-utils 2:6.9-1ubuntu0.2 from -updates

I then followed the instructions to about step 34.

root@focal-dc:/home/ubuntu# kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 16 days on Wed Jun 11 06:13:06 2025
root@focal-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
05/25/25 06:26:20    05/25/25 16:26:20    krbtgt/[email protected]
        renew until 05/26/25 06:26:17
root@focal-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@focal-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
05/25/25 06:26:20    05/25/25 16:26:20    krbtgt/[email protected]
        renew until 05/26/25 06:26:17
05/25/25 06:26:31    05/25/25 16:26:20    cifs/samba-dc.example.com@
        renew until 05/26/25 06:26:17
05/25/25 06:26:31    05/25/25 16:26:20    cifs/[email protected]
        renew until 05/26/25 06:26:17

# journalctl -b0
kernel: Key type cifs.spnego registered
kernel: Key type cifs.idmap registered
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the >
cifs.upcall[2085]: key description: cifs.spnego;0;0;3901;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.27;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x80f
cifs.upcall[2086]: ver=2
cifs.upcall[2086]: host=samba-dc.example.com
cifs.upcall[2086]: ip=192.168.122.27
cifs.upcall[2086]: sec=1
cifs.upcall[2086]: uid=0
cifs.upcall[2086]: creduid=0
cifs.upcall[2086]: user=root
cifs.upcall[2086]: pid=2063
cifs.upcall[2085]: get_cachename_from_process_env: pid == 0
cifs.upcall[2085]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2085]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2085]: handle_krb5_mech: obtained service ticket
cifs.upcall[2085]: Exit status 0

root@focal-dc:/home/ubuntu# stat /mnt/testshare1
  File: /mnt/testshare1
  Size: 0               Blocks: 0          IO Block: 1048576 directory
Device: 35h/53d         Inode: 260995      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2025-04-30 06:16:07.32000 +
Modify: 2025-04-30 06:16:07.32000 +
Change: 2025-04-30 06:16:07.32000 +
 Birth: -

# docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:20.04 /bin/bash
root@focal-dc:/home/ubuntu# docker start 2f1a7761412a
2f1a7761412a
root@focal-dc:/home/ubuntu# docker exec -it 2f1a7761412a bash
root@2f1a7761412a:/# stat /mnt/shared
  File: /mnt/shared
  Size: 0               Blocks: 0          IO Block: 1048576 directory
Device: 35h/53d         Inode: 260995      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2025-04-30 18:16:07.32000 +1200
Modify: 2025-04-30 18:16:07.32000 +1200
Change: 2025-04-30 18:16:07.32000 +1200
 Birth: -

root@fcec5b069772:/# vim /etc/krb5.conf
default_ccache_name = /tmp/krb5cc_00%{uid}

Now back on the host:

root@focal-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0
root@focal-dc:/home/ubuntu# ss -K dport 445
Netid State Recv-Q Send-Q Local Address:Port      Peer Address:Port            Process
tcp   ESTAB 0      0      192.168.122.27:36352    192.168.122.27:microsoft-ds

On the docker container:

root@fcec5b069772:/# stat /mnt/shared
stat: cannot statx '/mnt/shared': Required key not available

On the host:

# journalctl -f
cifs.upcall[2305]: key description: cifs.spnego;0;0;3901;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.27;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x8ff
cifs.upcall[2306]: ver=2
cifs.upcall[2306]: host=samba-dc.example.com
cifs.upcall[2306]: ip=192.168.122.27
cifs.upcall[2306]: sec=1
cifs.upcall[2306]: uid=0
cifs.upcall[2306]: creduid=0
cifs.upcall[2306]: user=root
cifs.upcall[2306]: pid=2303
cifs.upcall[2305]: get_cachename_from_process_env: pid == 0
cifs.upcall[2305]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2305]: get_tgt_time: unable to get principal
cifs.upcall[2305]: krb5_get_init_creds
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Performing verification for jammy. This will cover both the kernel and the cifs-utils package, both in -proposed.

This is going to be long, as we need to test:

* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils

I started a fresh jammy VM, with:

kernel 5.15.0-140-generic from -updates
cifs-utils 2:6.14-1ubuntu0.1 from -updates

I then followed the instructions to about step 34.

root@jammy-dc:/home/ubuntu# kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 16 days on Wed Jun 11 05:39:46 2025
root@jammy-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
05/25/25 05:44:44    05/25/25 15:44:44    krbtgt/[email protected]
        renew until 05/26/25 05:44:41
root@jammy-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@jammy-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
05/25/25 05:44:44    05/25/25 15:44:44    krbtgt/[email protected]
        renew until 05/26/25 05:44:41
05/25/25 05:44:56    05/25/25 15:44:44    cifs/samba-dc.example.com@
        renew until 05/26/25 05:44:41
        Ticket server: cifs/[email protected]

# journalctl -b0
kernel: Key type cifs.spnego registered
kernel: Key type cifs.idmap registered
kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount \\samba-dc.example.com\demo
cifs.upcall[1689]: key description: cifs.spnego;0;0;3901;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.168;sec=krb5;uid=0x0;creduid=0x0>
cifs.upcall[1690]: ver=2
cifs.upcall[1690]: host=samba-dc.example.com
cifs.upcall[1690]: ip=192.168.122.168
cifs.upcall[1690]: sec=1
cifs.upcall[1690]: uid=0
cifs.upcall[1690]: creduid=0
cifs.upcall[1690]: user=root
cifs.upcall[1690]: pid=1664
cifs.upcall[1689]: get_cachename_from_process_env: pid == 0
cifs.upcall[1689]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1689]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1689]: handle_krb5_mech: obtained service ticket
cifs.upcall[1689]: Exit status 0

root@jammy-dc:/home/ubuntu# stat /mnt/testshare1
  File: /mnt/testshare1
  Size: 0               Blocks: 0          IO Block: 1048576 directory
Device: 2ch/44d         Inode: 261033      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2025-04-30 05:43:19.217555200 +
Modify: 2025-04-30 05:42:30.507699600 +
Change: 2025-04-30 05:42:30.507699600 +
 Birth: 2025-04-30 05:42:30.490607200 +

# docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:22.04 /bin/bash
root@jammy-dc:/home/ubuntu# docker start 407b86c09871
407b86c09871
root@jammy-dc:/home/ubuntu# docker exec -it 407b86c09871 bash
root@407b86c09871:/# stat /mnt/shared/
  File: /mnt/shared/
  Size: 0               Blocks: 0          IO Block: 1048576 directory
Device: 2ch/44d         Inode: 261033      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2025-04-30 05:43:19.217555200 +
Modify: 2025-04-30 05:42:30.507699600 +
Change: 2025-04-30 05:42:30.507699600 +
 Birth: 2025-04-30 05:42:30.490607200 +

root@fcec5b069772:/# vim /etc/krb5.conf
default_ccache_name = /tmp/krb5cc_00%{uid}

Now back on the host:

root@jammy-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0
root@jammy-dc:/home/ubuntu# ss -K dport 445
Netid State Recv-Q Send-Q Local Address:Port      Peer Address:Port             Process
tcp   ESTAB 0      0      192.168.122.168:42936   192.168.122.168:microsoft-ds

On the docker container:

root@fcec5b069772:/# stat /mnt/shared
stat: cannot statx '/mnt/shared': Required key not available

On the host:

# journalctl -f
cifs.upcall[1829]: key description: cifs.spnego;0;0;3901;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.168;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x722
cifs.upcall[1830]: ver=2
cifs.upcall[1830]: host=samba-dc.example.com
cifs.upcall[1830]: ip=192.168.122.168
cifs.upcall[1830]: sec=1
cifs.upcall[1830]: uid=0
cifs.upcall[1830]: creduid=0
cifs.upcall[1830]: user=root
cifs.upcall[1830]: pid=1826
cifs.upcall[1829]: get_cachename_from_process_env
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Performing verification for noble. This will cover both the kernel and the cifs-utils package, both in -proposed.

This is going to be long, as we need to test:

* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils

I started a fresh noble VM, with:

kernel 6.8.0-60-generic from -updates
cifs-utils 2:7.0-2build1 from -release

I then followed the instructions to about step 34.

root@samba-dc:/home/ubuntu# kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 39 days on Fri Jul 4 02:00:18 2025
root@samba-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
05/25/25 04:46:37    05/25/25 14:46:37    krbtgt/[email protected]
        renew until 05/26/25 04:46:33
root@samba-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@samba-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
05/25/25 04:46:37    05/25/25 14:46:37    krbtgt/[email protected]
        renew until 05/26/25 04:46:33
05/25/25 04:46:54    05/25/25 14:46:37    cifs/samba-dc.example.com@
        renew until 05/26/25 04:46:33
        Ticket server: cifs/[email protected]

# journalctl -b0
kernel: Key type cifs.spnego registered
kernel: Key type cifs.idmap registered
kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1860]: key description: cifs.spnego;0;0;3901;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0>
cifs.upcall[1861]: ver=2
cifs.upcall[1861]: host=samba-dc.example.com
cifs.upcall[1861]: ip=192.168.122.124
cifs.upcall[1861]: sec=1
cifs.upcall[1861]: uid=0
cifs.upcall[1861]: creduid=0
cifs.upcall[1861]: user=root
cifs.upcall[1861]: pid=1829
cifs.upcall[1860]: get_cachename_from_process_env: pid == 0
cifs.upcall[1860]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1860]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1860]: handle_krb5_mech: using native krb5
cifs.upcall[1860]: handle_krb5_mech: obtained service ticket
cifs.upcall[1860]: Exit status 0

# stat /mnt/testshare1
  File: /mnt/testshare1
  Size: 0               Blocks: 0          IO Block: 1048576 directory
Device: 0,41            Inode: 297860      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2025-04-09 04:29:15.755959600 +
Modify: 2025-04-09 02:54:45.26400 +
Change: 2025-04-09 02:54:45.26400 +
 Birth: 2025-04-09 02:54:45.26400 +

# docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash
root@685c7e420afc:/# stat /mnt/shared
  File: /mnt/shared
  Size: 0               Blocks: 0          IO Block: 1048576 directory
Device: 0,41            Inode: 297860      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2025-04-09 13:59:15.755959600 +0930
Modify: 2025-04-09 12:24:45.26400 +0930
Change: 2025-04-09 12:24:45.26400 +0930
 Birth: 2025-04-09 12:24:45.26400 +0930

root@fcec5b069772:/# vim /etc/krb5.conf
default_ccache_name = /tmp/krb5cc_00%{uid}

Now back on the host:

root@samba-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0
root@samba-dc:/home/ubuntu# ss -K dport 445
Netid State Recv-Q Send-Q Local Address:Port      Peer Address:Port             Process
tcp   ESTAB 0      0      192.168.122.124:58156   192.168.122.124:microsoft-ds

On the docker container:

root@fcec5b069772:/# stat /mnt/shared
stat: cannot statx '/mnt/shared': Required key not available

cifs.upcall[2003]: key description: cifs.spnego;0;0;3901;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7d2
cifs.upcall[2004]: ver=2
cifs.upcall[2004]: host=samba-dc.example.com
cifs.upcall[2004]: ip=192.168.122.124
cifs.upcall[2004]: sec=1
cifs.upcall[2004]: uid=0
cifs.upcall[2004]: creduid=0
cifs.upcall[2004]: user=root
cifs.upcall[2004]: pid=2002
cifs.upcall[2003]: get_cachename_from_process_env: pid == 0
cifs.upcall[2003]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2003]: get_tgt_time: una
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Performing verification for oracular. This will cover both the kernel and the cifs-utils package, both in -proposed.

This is going to be long, as we need to test:

* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils

I started a fresh Oracular VM, with:

kernel 6.11.0-26-generic from -updates
cifs-utils 2:7.0-2.1 from -release

I then followed the instructions to about step 34.

root@oracular-dc:/home/ubuntu# kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 17 days on Wed Jun 11 05:01:22 2025
root@oracular-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
05/25/25 03:03:03    05/25/25 13:03:03    krbtgt/[email protected]
        renew until 05/26/25 03:03:00
root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@oracular-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
05/25/25 03:03:03    05/25/25 13:03:03    krbtgt/[email protected]
        renew until 05/26/25 03:03:00
05/25/25 03:03:22    05/25/25 13:03:03    cifs/samba-dc.example.com@
        renew until 05/26/25 03:03:00
        Ticket server: cifs/[email protected]

# journalctl -b0
kernel: Key type cifs.spnego registered
kernel: Key type cifs.idmap registered
kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1)>
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[2342]: key description: cifs.spnego;0;0;3901;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=>
cifs.upcall[2343]: ver=2
cifs.upcall[2343]: host=samba-dc.example.com
cifs.upcall[2343]: ip=192.168.122.191
cifs.upcall[2343]: sec=1
cifs.upcall[2343]: uid=0
cifs.upcall[2343]: creduid=0
cifs.upcall[2343]: user=root
cifs.upcall[2343]: pid=2312
cifs.upcall[2342]: get_cachename_from_process_env: pid == 0
cifs.upcall[2342]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2342]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2342]: handle_krb5_mech: using native krb5
cifs.upcall[2342]: handle_krb5_mech: obtained service ticket
cifs.upcall[2342]: Exit status 0

# stat /mnt/testshare1
  File: /mnt/testshare1
  Size: 0               Blocks: 0          IO Block: 1048576 directory
Device: 0,50            Inode: 289426      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2025-05-12 11:59:53.829982200 +
Modify: 2025-04-30 05:04:07.15400 +
Change: 2025-04-30 05:04:07.15400 +
 Birth: 2025-04-30 05:04:07.15400 +

# docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash
root@fcec5b069772:/# stat /mnt/shared
  File: /mnt/shared
  Size: 0               Blocks: 0          IO Block: 1048576 directory
Device: 0,50            Inode: 289426      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2025-05-12 23:59:53.829982200 +1200
Modify: 2025-04-30 17:04:07.15400 +1200
Change: 2025-04-30 17:04:07.15400 +1200
 Birth: 2025-04-30 17:04:07.15400 +1200

root@fcec5b069772:/# vim /etc/krb5.conf
default_ccache_name = /tmp/krb5cc_00%{uid}

Now back on the host:

root@oracular-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0
root@oracular-dc:/home/ubuntu# ss -K dport 445
Netid State Recv-Q Send-Q Local Address:Port      Peer Address:Port
tcp   ESTAB 0      0      192.168.122.191:55542   192.168.122.191:microsoft-ds

On the docker container:

root@fcec5b069772:/# stat /mnt/shared
stat: cannot statx '/mnt/shared': Required key not available

cifs.upcall[2564]: key description: cifs.spnego;0;0;3901;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=>
cifs.upcall[2565]: ver=2
cifs.upcall[2565]: host=samba-dc.example.com
cifs.upcall[2565]: ip=192.168.122.191
cifs.upcall[2565]: sec=1
cifs.upcall[2565]: uid=0
cifs.upcall[2565]: creduid=0
cifs.upcall[2565]: user=root
cifs.upcall[2565]: pid=2563
cifs.upcall[2564]: get_cachename_from_process_env: pid == 0
cifs.upcall[2564]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2564]: get_tgt_time: unable to
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux/5.15.0-142.152 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-v2 verification-needed-jammy-linux
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux/5.4.0-218.238 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux' to 'verification-done-focal-linux'. If the problem still exists, change the tag 'verification-needed-focal-linux' to 'verification-failed-focal-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-focal-linux-v2 verification-needed-focal-linux
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux/6.11.0-28.28 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-oracular-linux' to 'verification-done-oracular-linux'. If the problem still exists, change the tag 'verification-needed-oracular-linux' to 'verification-failed-oracular-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-oracular-linux-v2 verification-needed-oracular-linux
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug is awaiting verification that the linux/6.8.0-62.65 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux' to 'verification-done-noble-linux'. If the problem still exists, change the tag 'verification-needed-noble-linux' to 'verification-failed-noble-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-noble-linux-v2 verification-needed-noble-linux
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Vinicius Peixoto has submitted the kernel patches for -generic to the Kernel Team mailing list:

Cover letter:
https://lists.ubuntu.com/archives/kernel-team/2025-April/159465.html

Patches:
https://lists.ubuntu.com/archives/kernel-team/2025-April/159466.html
https://lists.ubuntu.com/archives/kernel-team/2025-April/159467.html
https://lists.ubuntu.com/archives/kernel-team/2025-April/159468.html
https://lists.ubuntu.com/archives/kernel-team/2025-April/159469.html
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Changed in: linux (Ubuntu Focal)
Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Jammy)
Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Noble)
Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Oracular)
Status: In Progress => Fix Committed
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2099914

[Impact]

This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to disclosing sensitive data from the host or container Kerberos credentials cache by accessing the wrong credential cache that doesn't belong to the current user.

Consider the following scenario:

A CIFS/SMB file share is mounted on a host node using Kerberos authentication. During the session setup phase, the Linux kernel's cifs.ko module makes an upcall to user space to retrieve the Kerberos service ticket from the credential cache. In typical (non-container) environments, this process works correctly, but in containerized environments, the upcall may be directed to a different namespace than intended, leading to issues.

For example:

a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace.

b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath.

c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect.

d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache, or accessing a credential cache which doesn't belong to the correct user.

[Fix]

The fix adds an "upcall_target" mount parameter that needs to be present in both the kernel and cifs-utils.

"upcall_target" specifies in what namespace to find the Kerberos credential cache, and takes the options "mount", being the host namespace, or "app", being the container namespace. The language is intended to suit Kubernetes-based use cases.

The kernel requires the following commit:

commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja
Date: Mon Nov 11 11:43:51 2024 +
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf

This landed in 6.13 mainline, and is already in plucky. Oracular is a clean cherry pick, noble and jammy require a context-adjustment backport, and focal needed a heavy backport.

Test packages are available in the following ppa:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport

In addition, a userspace fix is also needed in cifs-utils, with the following commits:

commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja
Date: Tue, 19 Nov 2024 06:07:58 +
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174

commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja
Date: Thu, 30 Jan 2025 14:13:10 +
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4

These were a part of 7.2 upstream. Plucky already has this release, so we just need to fix oracular, noble, jammy and focal.

Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test

If you install the test packages, you can now use the upcall_target argument with either the "mount" or the "app" option.

[Testcase]

Some knowledge of Kerberos will go a long way to help you make this all work. We should be able to do all testing on the same VM.

1) Create a fresh VM
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.124 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
+ Focal:
+ sudo apt install keyutils
+ Oracular:
+ sudo apt install samba-ad-dc
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) s
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2099914

[Impact]

This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to disclosing sensitive data from the host or container Kerberos credentials cache by accessing the wrong credential cache that doesn't belong to the current user.

Consider the following scenario:

A CIFS/SMB file share is mounted on a host node using Kerberos authentication. During the session setup phase, the Linux kernel's cifs.ko module makes an upcall to user space to retrieve the Kerberos service ticket from the credential cache. In typical (non-container) environments, this process works correctly, but in containerized environments, the upcall may be directed to a different namespace than intended, leading to issues.

For example:

a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace.

b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath.

c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect.

d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache, or accessing a credential cache which doesn't belong to the correct user.

[Fix]

The fix adds an "upcall_target" mount parameter that needs to be present in both the kernel and cifs-utils.

"upcall_target" specifies in what namespace to find the Kerberos credential cache, and takes the options "mount", being the host namespace, or "app", being the container namespace. The language is intended to suit Kubernetes-based use cases.

The kernel requires the following commit:

commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja
Date: Mon Nov 11 11:43:51 2024 +
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf

This landed in 6.13 mainline, and is already in plucky. Oracular is a clean cherry pick, noble and jammy require a context-adjustment backport, and focal needed a heavy backport.

Test packages are available in the following ppa:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport

In addition, a userspace fix is also needed in cifs-utils, with the following commits:

commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja
Date: Tue, 19 Nov 2024 06:07:58 +
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174

commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja
Date: Thu, 30 Jan 2025 14:13:10 +
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4

These were a part of 7.2 upstream. Plucky already has this release, so we just need to fix oracular, noble, jammy and focal.

Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test

If you install the test packages, you can now use the upcall_target argument with either the "mount" or the "app" option.

[Testcase]

Some knowledge of Kerberos will go a long way to help you make this all work. We should be able to do all testing on the same VM.

1) Create a fresh VM
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.124 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
1
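An added example (not code from the bug report, the kernel or cifs-utils) for the [Fix] section above: a POSIX shell audit that reads a /proc/mounts-style listing and flags Kerberos-authenticated cifs mounts that do not carry upcall_target=mount, the setting that keeps cifs.upcall looking in the mount's own namespace. It assumes the fixed kernel lists upcall_target among a mount's options and that a Kerberos mount is recognisable by sec=krb5, sec=krb5i or sec=krb5p; the sample entries are constructed. On an unpatched kernel no mount can show the option, so every Kerberos mount is flagged, which is the intended result there.

```shell
#!/bin/sh
# Added example (not from the bug report, the kernel or cifs-utils).
# Audit a /proc/mounts-style listing for Kerberos-authenticated cifs mounts
# that are not pinned with upcall_target=mount. Without that option a
# reconnect triggered from inside a container can make cifs.upcall look for
# the credential cache in the container's namespace (CVE-2025-2312).
# Assumption: the fixed kernel reports upcall_target among the mount options.

# audit_cifs_upcall [MOUNTS_FILE]
# Prints "source mountpoint options" for each krb5 cifs mount that lacks
# upcall_target=mount. Returns 0 when all such mounts are pinned, 1 otherwise.
audit_cifs_upcall() {
    mounts="${1:-/proc/mounts}"
    bad=0
    while read -r src mnt fstype opts _rest; do
        [ "$fstype" = "cifs" ] || continue
        # Only Kerberos-authenticated sessions fetch a ticket through cifs.upcall.
        case ",$opts," in
            *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) ;;
            *) continue ;;
        esac
        case ",$opts," in
            *,upcall_target=mount,*) continue ;;
        esac
        printf '%s %s %s\n' "$src" "$mnt" "$opts"
        bad=1
    done < "$mounts"
    return "$bad"
}

# write_sample_mounts FILE
# Writes a constructed listing (not real system output): one pinned krb5
# mount, one unpinned krb5 mount, one NTLMSSP mount and a non-cifs entry.
write_sample_mounts() {
    cat > "$1" <<'EOF'
//samba-dc.example.com/share1 /mnt/testshare1 cifs rw,relatime,vers=3.1.1,sec=krb5,upcall_target=mount,cache=strict 0 0
//samba-dc.example.com/share2 /mnt/testshare2 cifs rw,relatime,vers=3.1.1,sec=krb5,cache=strict 0 0
//samba-dc.example.com/share3 /mnt/testshare3 cifs rw,relatime,vers=3.1.1,sec=ntlmssp 0 0
/dev/vda1 / ext4 rw,relatime 0 0
EOF
}

# "sh audit.sh --demo" runs the audit over the constructed sample;
# "sh audit.sh /proc/mounts" audits the running system. With no argument
# the script only defines the functions.
case "${1:-}" in
    "") ;;
    --demo)
        sample=$(mktemp)
        write_sample_mounts "$sample"
        audit_cifs_upcall "$sample"
        rc=$?
        rm -f "$sample"
        exit "$rc"
        ;;
    *)
        audit_cifs_upcall "$1"
        exit $?
        ;;
esac
```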
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed: BugLink: https://bugs.launchpad.net/bugs/2099914 [Impact] This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to disclosing sensitive data from the host or container Kerberos credentials cache by accessing the wrong credential cache that doesn't belong to the current user. Consider the following scenario: A CIFS/SMB file share is mounted on a host node using Kerberos authentication. During the session setup phase, the Linux kernel's cifs.ko module makes an upcall to user space to retrieve the Kerberos service ticket from the credential cache. In typical (non-container) environments, this process works correctly, but in containerized environments, the upcall may be directed to a different namespace than intended, leading to issues. For example: a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace. b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath. c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect. d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache or accessinng credential cache which doesn't belong to correct user. [Fix] The fix adds a "upcall_target" mount parameter that needs to be present in both the kernel and cifs-utils. 
"upcall_target" specifies what namespace to find the kerberos credential cache, and takes options "mount" being the host namespace, or "app", being the container namespace. The language is intended to suit Kubernetes based usecases. The kernel requires the following commit: commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf Author: Ritvik Budhiraja Date: Mon Nov 11 11:43:51 2024 + Subject: CIFS: New mount option for cifs.upcall namespace resolution Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf This landed in 6.13 mainline, and is already in plucky. Oracular is a clean cherry pick, noble and jammy requires a context adjustment backport and focal needed a heavy backport. Test packages are available in the following ppa: https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport In addition, a userspace fix is also needed in cifs-utils, with the following commits: commit 89b679228cc1be9739d54203d28289b03352c174 From: Ritvik Budhiraja Date: Tue, 19 Nov 2024 06:07:58 + Subject: CIFS.upcall to accomodate new namespace mount opt Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174 commit cf63240489431e98033e599a7c9437b59494a2e4 From: Ritvik Budhiraja Date: Thu, 30 Jan 2025 14:13:10 + Subject: cifs-utils: add documentation for upcall_target Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4 These were a part of 7.2 upstream. Plucky already has this release, so we just need to fix oracular, noble, jammy and focal. Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test If you install the test packages, you can now use the upcall_target argument with either "mount" or "app" options. [Testcase] Some knowledge of kerberos will go a long way to help you make this all work. We should be able to do all testing on the same VM. 
1) Create a fresh VM 2) sudo apt update 3) sudo apt upgrade 4) sudo hostnamectl set-hostname samba-dc 5) sudo vim /etc/hosts Add an entry with its IP address, e.g.: 192.168.122.124 samba-dc samba-dc.example.com 6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils Note: skip config of kerberos KDC. 7) sudo rm /etc/krb5.conf 8) sudo rm /etc/samba/smb.conf 9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1 10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf 11) sudo systemctl mask smbd nmbd winbind 12) sudo systemctl disable smbd nmbd winbind 13) sudo systemctl stop smbd nmbd winbind 14) sudo systemctl unmask samba-ad-dc 1
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed: BugLink: https://bugs.launchpad.net/bugs/2099914 [Impact] This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to disclosing sensitive data from the host or container Kerberos credentials cache by accessing the wrong credential cache that doesn't belong to the current user. Consider the following scenario: A CIFS/SMB file share is mounted on a host node using Kerberos authentication. During the session setup phase, the Linux kernel's cifs.ko module makes an upcall to user space to retrieve the Kerberos service ticket from the credential cache. In typical (non-container) environments, this process works correctly, but in containerized environments, the upcall may be directed to a different namespace than intended, leading to issues. For example: a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace. b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath. c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect. d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache or accessinng credential cache which doesn't belong to correct user. [Fix] The fix adds a "upcall_target" mount parameter that needs to be present in both the kernel and cifs-utils. 
"upcall_target" specifies what namespace to find the kerberos credential cache, and takes options "mount" being the host namespace, or "app", being the container namespace. The language is intended to suit Kubernetes based usecases. The kernel requires the following commit: commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf Author: Ritvik Budhiraja Date: Mon Nov 11 11:43:51 2024 + Subject: CIFS: New mount option for cifs.upcall namespace resolution Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf This landed in 6.13 mainline, and is already in plucky. Oracular is a clean cherry pick, noble and jammy requires a context adjustment backport and focal needed a heavy backport. Test packages are available in the following ppa: https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport In addition, a userspace fix is also needed in cifs-utils, with the following commits: commit 89b679228cc1be9739d54203d28289b03352c174 From: Ritvik Budhiraja Date: Tue, 19 Nov 2024 06:07:58 + Subject: CIFS.upcall to accomodate new namespace mount opt Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174 commit cf63240489431e98033e599a7c9437b59494a2e4 From: Ritvik Budhiraja Date: Thu, 30 Jan 2025 14:13:10 + Subject: cifs-utils: add documentation for upcall_target Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4 These were a part of 7.2 upstream. Plucky already has this release, so we just need to fix oracular, noble, jammy and focal. Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test If you install the test packages, you can now use the upcall_target argument with either "mount" or "app" options. [Testcase] Some knowledge of kerberos will go a long way to help you make this all work. We should be able to do all testing on the same VM. 
1) Create a fresh VM 2) sudo apt update 3) sudo apt upgrade 4) sudo hostnamectl set-hostname samba-dc 5) sudo vim /etc/hosts Add an entry with its IP address, e.g.: 192.168.122.124 samba-dc samba-dc.example.com 6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils Note: skip config of kerberos KDC. 7) sudo rm /etc/krb5.conf 8) sudo rm /etc/samba/smb.conf 9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1 10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf 11) sudo systemctl mask smbd nmbd winbind 12) sudo systemctl disable smbd nmbd winbind 13) sudo systemctl stop smbd nmbd winbind 14) sudo systemctl unmask samba-ad-dc 1
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed: BugLink: https://bugs.launchpad.net/bugs/2099914 [Impact] This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to disclosing sensitive data from the host or container Kerberos credentials cache by accessing the wrong credential cache that doesn't belong to the current user. Consider the following scenario: A CIFS/SMB file share is mounted on a host node using Kerberos authentication. During the session setup phase, the Linux kernel's cifs.ko module makes an upcall to user space to retrieve the Kerberos service ticket from the credential cache. In typical (non-container) environments, this process works correctly, but in containerized environments, the upcall may be directed to a different namespace than intended, leading to issues. For example: a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace. b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath. c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect. d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache or accessinng credential cache which doesn't belong to correct user. [Fix] The fix adds a "upcall_target" mount parameter that needs to be present in both the kernel and cifs-utils. 
"upcall_target" specifies what namespace to find the kerberos credential cache, and takes options "mount" being the host namespace, or "app", being the container namespace. The language is intended to suit Kubernetes based usecases. The kernel requires the following commit: commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf Author: Ritvik Budhiraja Date: Mon Nov 11 11:43:51 2024 + Subject: CIFS: New mount option for cifs.upcall namespace resolution Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf This landed in 6.13 mainline, and is already in plucky. Oracular is a clean cherry pick, noble and jammy requires a context adjustment backport and focal needed a heavy backport. Test packages are available in the following ppa: https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport In addition, a userspace fix is also needed in cifs-utils, with the following commits: commit 89b679228cc1be9739d54203d28289b03352c174 From: Ritvik Budhiraja Date: Tue, 19 Nov 2024 06:07:58 + Subject: CIFS.upcall to accomodate new namespace mount opt Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174 commit cf63240489431e98033e599a7c9437b59494a2e4 From: Ritvik Budhiraja Date: Thu, 30 Jan 2025 14:13:10 + Subject: cifs-utils: add documentation for upcall_target Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4 These were a part of 7.2 upstream. Plucky already has this release, so we just need to fix oracular, noble, jammy and focal. Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test If you install the test packages, you can now use the upcall_target argument with either "mount" or "app" options. [Testcase] Some knowledge of kerberos will go a long way to help you make this all work. We should be able to do all testing on the same VM. 
1) Create a fresh VM 2) sudo apt update 3) sudo apt upgrade 4) sudo hostnamectl set-hostname samba-dc 5) sudo vim /etc/hosts Add an entry with its IP address, e.g.: 192.168.122.124 samba-dc samba-dc.example.com 6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils Note: skip config of kerberos KDC. 7) sudo rm /etc/krb5.conf 8) sudo rm /etc/samba/smb.conf 9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1 10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf 11) sudo systemctl mask smbd nmbd winbind 12) sudo systemctl disable smbd nmbd winbind 13) sudo systemctl stop smbd nmbd winbind 14) sudo systemctl unmask samba-ad-dc 1
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed: BugLink: https://bugs.launchpad.net/bugs/2099914 [Impact] This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to disclosing sensitive data from the host or container Kerberos credentials cache by accessing the wrong credential cache that doesn't belong to the current user. Consider the following scenario: A CIFS/SMB file share is mounted on a host node using Kerberos authentication. During the session setup phase, the Linux kernel's cifs.ko module makes an upcall to user space to retrieve the Kerberos service ticket from the credential cache. In typical (non-container) environments, this process works correctly, but in containerized environments, the upcall may be directed to a different namespace than intended, leading to issues. For example: a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace. b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath. c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect. d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache or accessinng credential cache which doesn't belong to correct user. [Fix] The fix adds a "upcall_target" mount parameter that needs to be present in both the kernel and cifs-utils. 
"upcall_target" specifies what namespace to find the kerberos credential cache, and takes options "mount" being the host namespace, or "app", being the container namespace. The language is intended to suit Kubernetes based usecases. The kernel requires the following commit: commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf Author: Ritvik Budhiraja Date: Mon Nov 11 11:43:51 2024 + Subject: CIFS: New mount option for cifs.upcall namespace resolution Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf This landed in 6.13 mainline, and is already in plucky. Oracular is a clean cherry pick, noble and jammy requires a context adjustment backport and focal needed a heavy backport. Test packages are available in the following ppa: https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport In addition, a userspace fix is also needed in cifs-utils, with the following commits: commit 89b679228cc1be9739d54203d28289b03352c174 From: Ritvik Budhiraja Date: Tue, 19 Nov 2024 06:07:58 + Subject: CIFS.upcall to accomodate new namespace mount opt Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174 commit cf63240489431e98033e599a7c9437b59494a2e4 From: Ritvik Budhiraja Date: Thu, 30 Jan 2025 14:13:10 + Subject: cifs-utils: add documentation for upcall_target Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4 These were a part of 7.2 upstream. Plucky already has this release, so we just need to fix oracular, noble, jammy and focal. Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test If you install the test packages, you can now use the upcall_target argument with either "mount" or "app" options. [Testcase] Some knowledge of kerberos will go a long way to help you make this all work. We should be able to do all testing on the same VM. 
1) Create a fresh VM 2) sudo apt update 3) sudo apt upgrade 4) sudo hostnamectl set-hostname samba-dc 5) sudo vim /etc/hosts Add an entry with its IP address, e.g.: 192.168.122.124 samba-dc samba-dc.example.com 6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils Note: skip config of kerberos KDC. 7) sudo rm /etc/krb5.conf 8) sudo rm /etc/samba/smb.conf 9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1 10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf 11) sudo systemctl mask smbd nmbd winbind 12) sudo systemctl disable smbd nmbd winbind 13) sudo systemctl stop smbd nmbd winbind 14) sudo systemctl unmask samba-ad-dc 1
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2099914

[Impact]

This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to disclosing sensitive data from the host or container Kerberos credentials cache by accessing the wrong credential cache, one that doesn't belong to the current user.

Consider the following scenario:

A CIFS/SMB file share is mounted on a host node using Kerberos authentication.

During the session setup phase, the Linux kernel's cifs.ko module makes an upcall to user space to retrieve the Kerberos service ticket from the credential cache.

In typical (non-container) environments, this process works correctly, but in containerized environments, the upcall may be directed to a different namespace than intended, leading to issues. For example:

a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace.
b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath.
c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect.
d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache, or accessing a credential cache which doesn't belong to the correct user.

[Fix]

The fix adds an "upcall_target" mount parameter that needs to be present in both the kernel and cifs-utils. "upcall_target" specifies in which namespace to find the Kerberos credential cache, and takes the options "mount", being the host namespace, or "app", being the container namespace. The naming is intended to suit Kubernetes-based use cases.

The kernel requires the following commit:

commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja
Date: Mon Nov 11 11:43:51 2024 +
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf

This landed in 6.13 mainline, and is already in plucky. Oracular is a clean cherry pick, noble and jammy require a context adjustment backport, and focal needed a heavy backport.

Test packages are available in the following ppa:

https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport

In addition, a userspace fix is also needed in cifs-utils, with the following commits:

commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja
Date: Tue, 19 Nov 2024 06:07:58 +
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174

commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja
Date: Thu, 30 Jan 2025 14:13:10 +
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4

These were a part of the 7.2 upstream release. Plucky already has this release, so we just need to fix oracular, noble, jammy and focal.

Test packages are available in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test

If you install the test packages, you can now use the upcall_target argument with either the "mount" or the "app" option.

[Testcase]

Some knowledge of Kerberos will go a long way to help you make this all work.

We should be able to do all testing on the same VM.

1) Create a fresh VM
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.124 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
1
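The [Fix] section above makes the upcall_target mount option the lever an administrator has once the patched kernel and cifs-utils are installed: a Kerberos CIFS mount with no upcall_target still lets cifs.upcall resolve the credential cache in whatever namespace the reconnecting process lives in. The script below is an added example (not code from the bug report, the kernel or cifs-utils) that audits mount entries in /proc/mounts layout and lists every Kerberos-authenticated CIFS mount, reporting whether upcall_target is pinned to "mount" or "app" or is unset. The share names, paths and option strings are constructed sample data; it assumes the mounts use the standard mount.cifs Kerberos security modes (sec=krb5, krb5i or krb5p), since those are the sessions that need a ticket from cifs.upcall.

```shell
#!/bin/sh
# Added example, not code from the bug report, the kernel or cifs-utils.
# Audits mount entries in /proc/mounts layout and flags Kerberos-authenticated
# CIFS mounts that carry no upcall_target= option, i.e. mounts for which
# cifs.upcall still resolves the credential cache in the caller's namespace.
# Every host, share and option string below is constructed sample data.

SAMPLE_MOUNTS='//samba-dc.example.com/testshare1 /mnt/testshare1 cifs rw,relatime,vers=3.1.1,sec=krb5,cruid=1000,cache=strict 0 0
//samba-dc.example.com/testshare2 /mnt/testshare2 cifs rw,relatime,vers=3.1.1,sec=krb5,cruid=1000,upcall_target=mount 0 0
//fileserver.example.com/app /srv/app cifs rw,relatime,vers=3.0,sec=ntlmssp,uid=1000 0 0
//samba-dc.example.com/testshare3 /mnt/testshare3 cifs rw,relatime,vers=3.1.1,sec=krb5p,upcall_target=app 0 0
//samba-dc.example.com/testshare4 /mnt/testshare4 cifs rw,relatime,vers=3.1.1,sec=krb5i 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# mount_opt OPTS NAME: print the value of NAME= in a comma-separated mount
# option string, or nothing when the option is absent.
mount_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# audit_mounts: read /proc/mounts-style lines on stdin and print one line per
# Kerberos CIFS mount as "<mountpoint> <sec> <upcall_target or unset>".
# Note: /proc/mounts encodes spaces in paths as \040; this parser does not
# decode those escapes.
audit_mounts() {
    while read -r src mnt fstype opts rest; do
        [ "$fstype" = cifs ] || continue
        sec=$(mount_opt "$opts" sec)
        case $sec in
            krb5|krb5i|krb5p) ;;   # only Kerberos sessions fetch a ticket via cifs.upcall
            *) continue ;;
        esac
        target=$(mount_opt "$opts" upcall_target)
        printf '%s %s %s\n' "$mnt" "$sec" "${target:-unset}"
    done
}

# unpinned_count: number of Kerberos CIFS mounts in the sample that have no
# upcall_target option. A real audit would feed "cat /proc/mounts" instead.
unpinned_count() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts | grep -c ' unset$' || true
}

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
echo "Kerberos CIFS mounts without upcall_target: $(unpinned_count)"
```

On the sample data the report lists four Kerberos mounts, two of them (testshare1 and testshare4) without upcall_target. For a share mounted on the host and then exported into a container, as in the scenario above, the description's intended setting is upcall_target=mount, so that a reconnect triggered by a process inside the container still reads the host's credential cache; upcall_target=app is for the case where the cache legitimately lives in the application's namespace. The audit only identifies mounts to review: on an unpatched kernel the option is not recognised at all, so the package updates from this bug are the prerequisite.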
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2099914

[Impact]

This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
disclosing sensitive data from the host or container Kerberos credentials cache
by accessing the wrong credential cache that doesn't belong to the current user.

Consider the following scenario:

A CIFS/SMB file share is mounted on a host node using Kerberos authentication.

During the session setup phase, the Linux kernel's cifs.ko module makes an
upcall to user space to retrieve the Kerberos service ticket from the credential
cache.

In typical (non-container) environments, this process works correctly, but in
containerized environments, the upcall may be directed to a different namespace
than intended, leading to issues. For example:

- a) The file share is mounted on the host node at /mnt/testshare1, meaning the
+ a) The file share is mounted on the host node at /mnt/testshare1, meaning the
Kerberos credential cache is stored in the host's namespace.
b) A Docker container is created, and the file share path /mnt/testshare1 is
exported to the container at /sharedpath.
c) When the service ticket expires and the SMB connection is lost, before the
ticket is refreshed in the credential cache, an application inside the container
performs a file operation. This triggers the kernel to attempt a session
reconnect.
d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
the cifs.upcall binary using the request_key function. However, cifs.upcall
switches to the namespace of the caller (i.e., the container), causing it to
attempt to read the credential cache from the container's namespace. But since
the original mount happened in the host namespace, the credential cache is
located on the host, not in the container. This results in the upcall failing
to access the correct credential cache or accessinng credential cache which
doesn't belong to correct user.

[Fix]

The fix adds a "upcall_target" mount parameter that needs to be present in both
the kernel and cifs-utils. "upcall_target" specifies what namespace to find the
kerberos credential cache, and takes options "mount" being the host namespace,
or "app", being the container namespace. The language is intended to suit
Kubernetes based usecases.

The kernel requires the following commit:

commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja
Date: Mon Nov 11 11:43:51 2024 +
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf

This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
cherry pick, noble and jammy requires a context adjustment backport and focal
needed a heavy backport.

Test packages are available in the following ppa:

-
+ https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport/+packages

In addition, a userspace fix is also needed in cifs-utils, with the following
commits:

commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja
Date: Tue, 19 Nov 2024 06:07:58 +
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174

commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja
Date: Thu, 30 Jan 2025 14:13:10 +
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4

These were a part of 7.2 upstream. Plucky already has this release, so we just
need to fix oracular, noble, jammy and focal.

Test packages are available in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test

If you install the test packages, you can now use the upcall_target argument
with either "mount" or "app" options.

[Testcase]

Some knowledge of kerberos will go a long way to help you make this all
work.

We should be able to do all testing on the same VM.

1) Create a fresh VM
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.124 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd w
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Summary changed:

- cifs.upcall program in cifs-utils package incorrectly makes an upcall to different namespace in case of container environments
+ CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache

** Description changed:

- In some cases, the cifs.upcall program from the cifs-utils package makes
- an upcall to the wrong namespace in containerized environments.
+ BugLink: https://bugs.launchpad.net/bugs/2099914
+
+ [Impact]
+
+ This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
+ disclosing sensitive data from the host or container Kerberos credentials cache
+ by accessing the wrong credential cache that doesn't belong to the current user.

Consider the following scenario:

A CIFS/SMB file share is mounted on a host node using Kerberos authentication.

- During the session setup phase, the Linux kernel's cifs.ko module makes
- an upcall to user space to retrieve the Kerberos service ticket from the
- credential cache.
+ During the session setup phase, the Linux kernel's cifs.ko module makes an
+ upcall to user space to retrieve the Kerberos service ticket from the credential
+ cache.

- In typical (non-container) environments, this process works correctly,
- but in containerized environments, the upcall may be directed to a
- different namespace than intended, leading to issues. For example:
+ In typical (non-container) environments, this process works correctly, but in
+ containerized environments, the upcall may be directed to a different namespace
+ than intended, leading to issues. For example:

- a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace.
- b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath.
- c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect.
- d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache or accessinng credential cache which doesn't belong to correct user.
+ a) The file share is mounted on the host node at /mnt/testshare1, meaning the
+ Kerberos credential cache is stored in the host's namespace.
+ b) A Docker container is created, and the file share path /mnt/testshare1 is
+ exported to the container at /sharedpath.
+ c) When the service ticket expires and the SMB connection is lost, before the
+ ticket is refreshed in the credential cache, an application inside the container
+ performs a file operation. This triggers the kernel to attempt a session
+ reconnect.
+ d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
+ the cifs.upcall binary using the request_key function. However, cifs.upcall
+ switches to the namespace of the caller (i.e., the container), causing it to
+ attempt to read the credential cache from the container's namespace. But since
+ the original mount happened in the host namespace, the credential cache is
+ located on the host, not in the container. This results in the upcall failing
+ to access the correct credential cache or accessinng credential cache which
+ doesn't belong to correct user.
+
+ [Fix]
+
+ The fix adds a "upcall_target" mount parameter that needs to be present in both
+ the kernel and cifs-utils. "upcall_target" specifies what namespace to find the
+ kerberos credential cache, and takes options "mount" being the host namespace,
+ or "app", being the container namespace. The language is intended to suit
+ Kubernetes based usecases.
+
+ The kernel requires the following commit:
+
+ commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
+ Author: Ritvik Budhiraja
+ Date: Mon Nov 11 11:43:51 2024 +
+ Subject: CIFS: New mount option for cifs.upcall namespace resolution
+ Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
+
+ This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
+ cherry pick, noble and jammy requires a context adjustment backport and focal
+ needed a heavy backport.
+
+ Test packages are available in the following ppa:
+
+ <>
+
+ In addition, a userspace fix is also needed in cifs-utils, with the following
+ commits:
+
+ commit 89b679228cc1be9739d54203d28289b03352c174
+ From: Ritvik Budhiraja
+ Date: Tue, 19 Nov 2024 06:07:58 +
+ Subject: CIFS.upcall to acco
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2099914

[Impact]

This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
disclosing sensitive data from the host or container Kerberos credentials cache
by accessing the wrong credential cache that doesn't belong to the current user.

Consider the following scenario:

A CIFS/SMB file share is mounted on a host node using Kerberos authentication.

During the session setup phase, the Linux kernel's cifs.ko module makes an
upcall to user space to retrieve the Kerberos service ticket from the credential
cache.

In typical (non-container) environments, this process works correctly, but in
containerized environments, the upcall may be directed to a different namespace
than intended, leading to issues. For example:

a) The file share is mounted on the host node at /mnt/testshare1, meaning the
Kerberos credential cache is stored in the host's namespace.
b) A Docker container is created, and the file share path /mnt/testshare1 is
exported to the container at /sharedpath.
c) When the service ticket expires and the SMB connection is lost, before the
ticket is refreshed in the credential cache, an application inside the container
performs a file operation. This triggers the kernel to attempt a session
reconnect.
d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
the cifs.upcall binary using the request_key function. However, cifs.upcall
switches to the namespace of the caller (i.e., the container), causing it to
attempt to read the credential cache from the container's namespace. But since
the original mount happened in the host namespace, the credential cache is
located on the host, not in the container. This results in the upcall failing
to access the correct credential cache or accessinng credential cache which
doesn't belong to correct user.

[Fix]

The fix adds a "upcall_target" mount parameter that needs to be present in both
the kernel and cifs-utils. "upcall_target" specifies what namespace to find the
kerberos credential cache, and takes options "mount" being the host namespace,
or "app", being the container namespace. The language is intended to suit
Kubernetes based usecases.

The kernel requires the following commit:

commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja
Date: Mon Nov 11 11:43:51 2024 +
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf

This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
cherry pick, noble and jammy requires a context adjustment backport and focal
needed a heavy backport.

Test packages are available in the following ppa:

- <>
+

In addition, a userspace fix is also needed in cifs-utils, with the following
commits:

commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja
Date: Tue, 19 Nov 2024 06:07:58 +
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174

commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja
Date: Thu, 30 Jan 2025 14:13:10 +
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4

These were a part of 7.2 upstream. Plucky already has this release, so we just
need to fix oracular, noble, jammy and focal.

Test packages are available in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test

If you install the test packages, you can now use the upcall_target argument
with either "mount" or "app" options.

[Testcase]

- Deploy a fresh VM.
-
-
+ Some knowledge of kerberos will go a long way to help you make this all
+ work.
+
+ We should be able to do all testing on the same VM.
+
+ 1) Create a fresh VM
+ 2) sudo apt update
+ 3) sudo apt upgrade
+ 4) sudo hostnamectl set-hostname samba-dc
+ 5) sudo vim /etc/hosts
+ Add an entry with its IP address, e.g.:
+ 192.168.122.124 samba-dc samba-dc.example.com
+ 6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
+ Note: skip config of kerberos KDC.
+ 7) sudo rm /etc/krb5.conf
+ 8) sudo rm /etc/samba/smb.conf
+ 9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
+ 10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
+ 11) sudo systemctl mask smbd nmbd winbind
+ 12) sudo systemctl disable smbd nmbd winbind
+ 13) sudo systemctl stop smbd nmbd winbind
+ 14) sudo systemctl unmask samba-ad-dc
+ 15) sudo systemctl start samb
