!47 [sync] PR-46: sync some patches

From: @openeuler-sync-bot 
Reviewed-by: @swf504 
Signed-off-by: @swf504

0000-CVE-2021-20208.patch

@@ -1,262 +0,0 @@
-From cb8b6a8b8ea983844584d8ada4d9aa4c88c997fb Mon Sep 17 00:00:00 2001
-From: Alastair Houghton <alastair@alastairs-place.net>
-Date: Tue, 29 Dec 2020 14:02:39 +0000
-Subject: [PATCH] cifs.upcall: try to use container ipc/uts/net/pid/mnt/user
- namespaces
-
-In certain scenarios (e.g. kerberos multimount), when a process does
-syscalls, the kernel sometimes has to query information or trigger
-some actions in userspace. To do so it calls the cifs.upcall binary
-with information on the process that triggered the syscall in the
-first place.
-
-ls(pid=10) ====> open("foo") ====> kernel
-
-                                   that user doesn't have an SMB
-                                   session, lets create one using his
-                                   kerberos credential cache
-
-                                   call cifs.upcall and ask for krb info
-                                   for whoever owns pid=10
-                                                         |
-                  cifs.upcall --pid 10 <=================+
-
-               ...gather info...
-                  return binary blob used
-                  when establishing SMB session
-                        ===================> kernel
-                                              open SMB session, handle
-                                              open() syscall
-ls <===================================   return open() result to ls
-
-On a system using containers, the kernel is still calling the host
-cifs.upcall and using the host configuration (for network, pid, etc).
-
-This patch changes the behaviour of cifs.upcall so that it uses the
-calling process namespaces (ls in the example) when doing its
-job.
-
-Note that the kernel still calls the binary in the host, but the
-binary will place itself the contexts of the calling process
-namespaces.
-
-This code makes use of (but shouldn't require) the following kernel
-config options and syscall flags:
-
-approx. year   |
-introduced     |  config/flags
----------------+----------------
-2008           | CONFIG_NAMESPACES=y
-2007           | CONFIG_UTS_NS=y
-2020           | CONFIG_TIME_NS=y
-2006           | CONFIG_IPC_NS=y
-2007           | CONFIG_USER_NS
-2008           | CONFIG_PID_NS=y
-2007           | CONFIG_NET_NS=y
-2007           | CONFIG_CGROUPS
-2016           | CLONE_NEWCGROUP setns() flag
-
-Signed-off-by: Aurelien Aptel <aaptel@suse.com>
-Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
----
- cifs.upcall.c | 171 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 171 insertions(+)
-
-diff --git a/cifs.upcall.c b/cifs.upcall.c
-index 1559434..141dc66 100644
---- a/cifs.upcall.c
-+++ b/cifs.upcall.c
-@@ -51,6 +51,7 @@
- #include <grp.h>
- #include <stdbool.h>
- #include <errno.h>
-+#include <sched.h>
- 
- #include "data_blob.h"
- #include "spnego.h"
-@@ -230,6 +231,164 @@ err_cache:
- 	return credtime;
- }
- 
-+static struct namespace_file {
-+	int nstype;
-+	const char *name;
-+	int fd;
-+} namespace_files[] = {
-+
-+#ifdef CLONE_NEWCGROUP
-+	{ CLONE_NEWCGROUP, "cgroup", -1 },
-+#endif
-+
-+#ifdef CLONE_NEWIPC
-+	{ CLONE_NEWIPC, "ipc", -1 },
-+#endif
-+
-+#ifdef CLONE_NEWUTS
-+	{ CLONE_NEWUTS, "uts", -1 },
-+#endif
-+
-+#ifdef CLONE_NEWNET
-+	{ CLONE_NEWNET, "net", -1 },
-+#endif
-+
-+#ifdef CLONE_NEWPID
-+	{ CLONE_NEWPID, "pid", -1 },
-+#endif
-+
-+#ifdef CLONE_NEWTIME
-+	{ CLONE_NEWTIME, "time", -1 },
-+#endif
-+
-+#ifdef CLONE_NEWNS
-+	{ CLONE_NEWNS, "mnt", -1 },
-+#endif
-+
-+#ifdef CLONE_NEWUSER
-+	{ CLONE_NEWUSER, "user", -1 },
-+#endif
-+};
-+
-+#define NS_PATH_FMT    "/proc/%d/ns/%s"
-+#define NS_PATH_MAXLEN (6 + 10 + 4 + 6 + 1)
-+
-+/**
-+ * in_same_user_ns - return true if two processes are in the same user
-+ *                   namespace.
-+ * @pid_a: the pid of the first process
-+ * @pid_b: the pid of the second process
-+ *
-+ * Works by comparing the inode numbers for /proc/<pid>/user.
-+ */
-+static int
-+in_same_user_ns(pid_t pid_a, pid_t pid_b)
-+{
-+	char path[NS_PATH_MAXLEN];
-+	ino_t a_ino, b_ino;
-+	struct stat st;
-+
-+	snprintf(path, sizeof(path), NS_PATH_FMT, pid_a, "user");
-+	if (stat(path, &st) != 0)
-+		return 0;
-+	a_ino = st.st_ino;
-+
-+	snprintf(path, sizeof(path), NS_PATH_FMT, pid_b, "user");
-+	if (stat(path, &st) != 0)
-+		return 0;
-+	b_ino = st.st_ino;
-+
-+	return a_ino == b_ino;
-+}
-+
-+/**
-+ * switch_to_process_ns - change the namespace to the one for the specified
-+ *                        process.
-+ * @pid: initiating pid value from the upcall string
-+ *
-+ * Uses setns() to switch process namespace.
-+ * This ensures that we have the same access and configuration as the
-+ * process that triggered the lookup.
-+ */
-+static int
-+switch_to_process_ns(pid_t pid)
-+{
-+	int count = sizeof(namespace_files) / sizeof(struct namespace_file);
-+	int n, err = 0;
-+	int rc = 0;
-+
-+	/* First, open all the namespace fds.  We do this first because
-+	   the namespace changes might prohibit us from opening them. */
-+	for (n = 0; n < count; ++n) {
-+		char nspath[NS_PATH_MAXLEN];
-+		int ret, fd;
-+
-+#ifdef CLONE_NEWUSER
-+		if (namespace_files[n].nstype == CLONE_NEWUSER
-+		    && in_same_user_ns(getpid(), pid)) {
-+			/* Switching to the same user namespace is forbidden,
-+			   because switching to a user namespace grants all
-+			   capabilities in that namespace regardless of uid. */
-+			namespace_files[n].fd = -1;
-+			continue;
-+		}
-+#endif
-+
-+		ret = snprintf(nspath, NS_PATH_MAXLEN, NS_PATH_FMT,
-+			       pid, namespace_files[n].name);
-+		if (ret >= NS_PATH_MAXLEN) {
-+			syslog(LOG_DEBUG, "%s: unterminated path!\n", __func__);
-+			err = ENAMETOOLONG;
-+			rc = -1;
-+			goto out;
-+		}
-+
-+		fd = open(nspath, O_RDONLY);
-+		if (fd < 0 && errno != ENOENT) {
-+			/*
-+			 * don't stop on non-existing ns
-+			 * but stop for other errors
-+			 */
-+			err = errno;
-+			rc = -1;
-+			goto out;
-+		}
-+
-+		namespace_files[n].fd = fd;
-+	}
-+
-+	/* Next, call setns for each of them */
-+	for (n = 0; n < count; ++n) {
-+		/* skip non-existing ns */
-+		if (namespace_files[n].fd < 0)
-+			continue;
-+
-+		rc = setns(namespace_files[n].fd, namespace_files[n].nstype);
-+
-+		if (rc < 0) {
-+			syslog(LOG_DEBUG, "%s: setns() failed for %s\n",
-+			       __func__, namespace_files[n].name);
-+			err = errno;
-+			goto out;
-+		}
-+	}
-+
-+out:
-+	/* Finally, close all the fds */
-+	for (n = 0; n < count; ++n) {
-+		if (namespace_files[n].fd != -1) {
-+			close(namespace_files[n].fd);
-+			namespace_files[n].fd = -1;
-+		}
-+	}
-+
-+	if (rc != 0) {
-+		errno = err;
-+	}
-+
-+	return rc;
-+}
-+
- #define	ENV_PATH_FMT			"/proc/%d/environ"
- #define	ENV_PATH_MAXLEN			(6 + 10 + 8 + 1)
- 
-@@ -1099,6 +1258,19 @@ int main(const int argc, char *const argv[])
- 	env_cachename =
- 		get_cachename_from_process_env(env_probe ? arg.pid : 0);
- 
-+	/*
-+	 * Change to the process's namespace. This means that things will work
-+	 * acceptably in containers, because we'll be looking at the correct
-+	 * filesystem and have the correct network configuration.
-+	 */
-+	rc = switch_to_process_ns(arg.pid);
-+	if (rc == -1) {
-+		syslog(LOG_ERR, "unable to switch to process namespace: %s",
-+		       strerror(errno));
-+		rc = 1;
-+		goto out;
-+	}
-+
- 	rc = setuid(uid);
- 	if (rc == -1) {
- 		syslog(LOG_ERR, "setuid: %s", strerror(errno));
---

0001-CVE-2022-27239.patch

@@ -0,0 +1,35 @@
+From 955fb147e97a6a74e1aaa65766de91e2c1479765 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jbe@improsec.com>
+Date: Thu, 17 Mar 2022 12:58:52 -0400
+Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
+ parsing
+
+Previous check was true whatever the length of the input string was,
+leading to a buffer overflow in the subsequent strcpy call.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
+
+Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+---
+ mount.cifs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 84274c9..3a6b449 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
+ 			if (!value || !*value) {
+ 				fprintf(stderr,
+ 					"target ip address argument missing\n");
+-			} else if (strnlen(value, MAX_ADDRESS_LEN) <=
++			} else if (strnlen(value, MAX_ADDRESS_LEN) <
+ 				MAX_ADDRESS_LEN) {
+-				strcpy(parsed_info->addrlist, value);
++				strlcpy(parsed_info->addrlist, value,
++					MAX_ADDRESS_LEN);
+ 				if (parsed_info->verboseflag)
+ 					fprintf(stderr,
+ 						"ip address %s override specified\n",
+--

0002-CVE-2022-29869.patch

@@ -0,0 +1,42 @@
+From 8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jbe@improsec.com>
+Date: Sat, 19 Mar 2022 13:41:15 -0400
+Subject: [PATCH] mount.cifs: fix verbose messages on option parsing
+
+When verbose logging is enabled, invalid credentials file lines may be
+dumped to stderr. This may lead to information disclosure in particular
+conditions when the credentials file given is sensitive and contains '='
+signs.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
+
+Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+---
+ mount.cifs.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 3a6b449..2278995 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -628,17 +628,13 @@ static int open_cred_file(char *file_name,
+ 				goto return_i;
+ 			break;
+ 		case CRED_DOM:
+-			if (parsed_info->verboseflag)
+-				fprintf(stderr, "domain=%s\n",
+-					temp_val);
+ 			strlcpy(parsed_info->domain, temp_val,
+ 				sizeof(parsed_info->domain));
+ 			break;
+ 		case CRED_UNPARSEABLE:
+ 			if (parsed_info->verboseflag)
+ 				fprintf(stderr, "Credential formatted "
+-					"incorrectly: %s\n",
+-					temp_val ? temp_val : "(null)");
++					"incorrectly\n");
+ 			break;
+ 		}
+ 	}
+--

0003-setcifsacl-fix-comparison-of-actions-reported-by-cov.patch

@@ -0,0 +1,26 @@
+From 4ad2c50f8f22968abe84a84ef49d37806731b20e Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Wed, 16 Feb 2022 13:58:24 +0200
+Subject: [PATCH] setcifsacl: fix comparison of actions reported by covscan
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ setcifsacl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/setcifsacl.c b/setcifsacl.c
+index 9840b14..c0ecd41 100644
+--- a/setcifsacl.c
++++ b/setcifsacl.c
+@@ -1497,7 +1497,7 @@ cifsacl:
+ 
+ 		numfaces = get_numfaces((struct cifs_ntsd *)attrval, attrlen,
+ 				&aclptr, ace_kind);
+-		if (!numfaces && (maction != ActAdd || maction != ActAddReorder)) {
++		if (!numfaces && (maction != ActAdd && maction != ActAddReorder)) {
+ 			/* if we are not adding aces */
+ 			fprintf(stderr, "%s: Empty DACL\n", __func__);
+ 			goto setcifsacl_facenum_ret;
+-- 
+2.33.0
+

0004-cifs-utils-work-around-missing-krb5_free_string-in-H.patch

@@ -0,0 +1,55 @@
+From 5e5aa507f4c4954ed537a7dfc75cf69915727757 Mon Sep 17 00:00:00 2001
+From: atheik <atteh.mailbox@gmail.com>
+Date: Sat, 5 Mar 2022 00:24:49 +0200
+Subject: [PATCH] cifs-utils: work around missing krb5_free_string in Heimdal
+
+The krb5_free_string function is not present in Heimdal and instead
+krb5_xfree should be used for freeing the string allocation done by
+krb5_cc_get_full_name. Heimdal documentation does specify that
+krb5_xfree should be used here and krb5_unparse_name is freed with
+just free.
+
+Signed-off-by: atheik <atteh.mailbox@gmail.com>
+---
+ cifs.upcall.c | 8 ++++++++
+ configure.ac  | 5 +++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 7a8c374..bf4eb5d 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -190,6 +190,14 @@ static void krb5_free_unparsed_name(krb5_context context, char *val)
+ }
+ #endif
+ 
++#if !defined(HAVE_KRB5_FREE_STRING)	/* Heimdal */
++static void krb5_free_string(krb5_context context, char *val)
++{
++	(void)context;
++	krb5_xfree(val);
++}
++#endif
++
+ #if !defined(HAVE_KRB5_AUTH_CON_GETSENDSUBKEY)	/* Heimdal */
+ static krb5_error_code
+ krb5_auth_con_getsendsubkey(krb5_context context,
+diff --git a/configure.ac b/configure.ac
+index 19fb3d0..2b1aae6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -256,6 +256,11 @@ if test $enable_cifsupcall != "no"; then
+ 	AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype])
+ fi
+ 
++# determine how to free a string allocated by a krb5 function
++if test $enable_cifsupcall != "no"; then
++	AC_CHECK_FUNCS([krb5_free_string])
++fi
++
+ if test $enable_systemd != "no"; then
+ 	AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd specific behavior for mount.cifs])
+ fi
+-- 
+2.33.0
+

cifs-utils.spec

@@ -1,19 +1,22 @@
 Name:           cifs-utils
-Version:        6.12
-Release:        2
+Version:        6.14
+Release:        4
 Summary:        Utilities for doing and managing mounts of the Linux CIFS filesystem
 License:        GPLv3+
 URL:            http://linux-cifs.samba.org/cifs-utils/
 Source0:        https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2
 
-Patch0: 0000-CVE-2021-20208.patch
-
 BuildRequires:  python3-docutils libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf
-BuildRequires:  automake libwbclient-devel pam-devel git python3-samba pkg-config fdupes gcc
+BuildRequires:  automake libwbclient-devel pam-devel pkg-config fdupes gcc
 Provides:       pam_cifscreds
 Obsoletes:      pam_cifscreds
 Requires:       keyutils
 
+Patch1:	0001-CVE-2022-27239.patch
+Patch2: 0002-CVE-2022-29869.patch
+Patch3: 0003-setcifsacl-fix-comparison-of-actions-reported-by-cov.patch
+Patch4: 0004-cifs-utils-work-around-missing-krb5_free_string-in-H.patch
+
 %description
 The in-kernel CIFS filesystem is generally the preferred method for mounting
 SMB/CIFS shares on Linux.
@@ -40,7 +43,7 @@ Requires: man
 This contains man files for the using of cifs-utils.
 
 %prep
-%autosetup -Sgit -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p1
 
 %build
 autoreconf -vif
@@ -77,6 +80,21 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir}
 %{_mandir}/man8/*
 
 %changelog
+* Thu Jun 8 2023 volcanodragon <linfeilong@huawei.com> - 6.14-4
+- Sync some patches
+
+* Thu May 5 2022 yanglongkang <yanglongkang@h-partners.com> - 6.14-3
+- Fix CVE-2022-27239 and CVE-2022-29869
+
+* Sat Jan 8 2022 yanglongkang <yanglongkang@huawei.com> - 6.14-2
+- delete BuildRequires python3-samba
+
+* Tue Nov 16 2021 Wenchao Hao <haowenchao@huawei.com> - 6.14-1
+- Update to cifs-utils-6.14
+
+* Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 6.12-3
+- DESC: delete -Sgit from %autosetup, and delete BuildRequires git
+
 * Fri May 7 2021 yanglongkang <yanglongkang@huawei.com> - 6.12-2
 - Fix CVE-2021-20208