[Pkg-samba-maint] Bug#987308: cifs-utils: CVE-2021-20208: cifs.upcall kerberos auth leak in container
Matthias Merz
matthias at merz-ka.de
Mon May 17 16:46:23 BST 2021
Package: cifs-utils
Version: 2:6.11-3
Followup-For: Bug #987308
X-Debbugs-Cc: merz at jacob.de
Dear Samba Maintainers,

since upgrading to the "fixed" version, Kerberos mounts are broken on
my bullseye system. Please thoroughly check the security fixes for regressions.

environment: Autofs mount like this:

/mount/point -fstype=cifs,uid=user@realm,gid=gid@realm,cruid=${UID},sec=krb5i ://server.fqdn/share

May 17 17:34:30 hostname systemd[1]: Started Automounts filesystems on demand.
May 17 17:34:34 hostname cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=host.fqdn;ip4=<address>;sec=krb5;uid=0xf00ba;creduid=0xf00ba;user=root;pid=0x8b45
May 17 17:34:34 hostname cifs.upcall: ver=2
May 17 17:34:34 hostname cifs.upcall: host=host.fqdn
May 17 17:34:34 hostname cifs.upcall: ip=<address>
May 17 17:34:34 hostname cifs.upcall: sec=1
May 17 17:34:34 hostname cifs.upcall: uid=<uid>
May 17 17:34:34 hostname cifs.upcall: creduid=<uid>
May 17 17:34:34 hostname cifs.upcall: user=root
May 17 17:34:34 hostname cifs.upcall: pid=35653
May 17 17:34:34 hostname cifs.upcall: get_cachename_from_process_env: pathname=/proc/35653/environ
May 17 17:34:34 hostname cifs.upcall: switch_to_process_ns: setns() failed for cgroup
May 17 17:34:34 hostname cifs.upcall: unable to switch to process namespace: Operation not permitted
May 17 17:34:34 hostname cifs.upcall: Exit status 1

Do I need to adapt something (which might be a case for NEWS.Debian),
or might the fix be incomplete / introduce regressions?

Thanks in advance for your help,
Yours
Matthias Merz

-- System Information:
Debian Release: 11.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-5-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages cifs-utils depends on:
ii libc6 2.31-11
ii libcap-ng0 0.7.9-2.2+b1
ii libkeyutils1 1.6.1-2
ii libkrb5-3 1.18.3-5
ii libpam0g 1.4.0-7
ii libtalloc2 2.3.1-2+b1
ii libwbclient0 2:4.13.5+dfsg-2
ii python3 3.9.2-3
Versions of packages cifs-utils recommends:
ii keyutils 1.6.1-2
Versions of packages cifs-utils suggests:
ii bash-completion 1:2.11-2
ii smbclient 2:4.13.5+dfsg-2
ii winbind 2:4.13.5+dfsg-2
-- no debconf information
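
Added example, not part of the original report and not cifs-utils code: a small Python triage script that parses cifs.upcall syslog lines like the ones quoted above, decodes the hex fields of the key description, and records which namespace the setns() failure named. The function names are hypothetical; the sample lines are copied from the report.

```python
import re

# Log lines copied from the report above (placeholders kept as posted).
SAMPLE = """\
May 17 17:34:34 hostname cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=host.fqdn;ip4=<address>;sec=krb5;uid=0xf00ba;creduid=0xf00ba;user=root;pid=0x8b45
May 17 17:34:34 hostname cifs.upcall: get_cachename_from_process_env: pathname=/proc/35653/environ
May 17 17:34:34 hostname cifs.upcall: switch_to_process_ns: setns() failed for cgroup
May 17 17:34:34 hostname cifs.upcall: unable to switch to process namespace: Operation not permitted
May 17 17:34:34 hostname cifs.upcall: Exit status 1
"""

MSG = re.compile(r"cifs\.upcall(?:\[\d+\])?: (.*)$")
KEYDESC = "key description: "
NUMERIC = {"ver", "uid", "creduid", "pid"}  # logged as hex in the key description

def parse_key_description(desc):
    """Split 'cifs.spnego;0;0;perm;k=v;...' into a dict, decoding hex fields."""
    fields = {}
    for part in desc.split(";"):
        key, sep, value = part.partition("=")
        if sep:  # the leading type/uid/gid/perm parts carry no '=' and are skipped
            fields[key] = int(value, 16) if key in NUMERIC else value
    return fields

def triage(log_text):
    """Return one record per upcall: request fields, failed namespace, error, exit."""
    upcalls, current = [], None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith(KEYDESC):
            current = {"request": parse_key_description(msg[len(KEYDESC):]),
                       "failed_ns": None, "error": None, "exit": None}
            upcalls.append(current)
        elif current is None:
            continue  # message seen before any key description
        elif msg.startswith("switch_to_process_ns: setns() failed for "):
            current["failed_ns"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("unable to switch to process namespace: "):
            current["error"] = msg.split(": ", 1)[1]
        elif msg.startswith("Exit status "):
            current["exit"] = int(msg.rsplit(" ", 1)[1])
    return upcalls

if __name__ == "__main__":
    for u in triage(SAMPLE):
        print(u)
```

Records with a non-empty failed_ns and a non-zero exit identify mounts that fail at the namespace switch rather than at the Kerberos exchange itself.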