[Pkg-samba-maint] Bug#987308: cifs-utils: CVE-2021-20208: cifs.upcall kerberos auth leak in container

Matthias Merz matthias at merz-ka.de
Mon May 17 16:46:23 BST 2021


Package: cifs-utils
Version: 2:6.11-3
Followup-For: Bug #987308
X-Debbugs-Cc: merz at jacob.de

Dear Samba Maintainers,

Since upgrading to the "fixed" version, Kerberos mounts are broken on
my bullseye system. Please thoroughly check the security fixes for regressions.

Environment: autofs mount like this:
/mount/point		-fstype=cifs,uid=user at realm,gid=gid at realm,cruid=${UID},sec=krb5i	://server.fqdn/share

May 17 17:34:30 hostname systemd[1]: Started Automounts filesystems on demand.
May 17 17:34:34 hostname cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=host.fqdn;ip4=<address>;sec=krb5;uid=0xf00ba;creduid=0xf00ba;user=root;pid=0x8b45
May 17 17:34:34 hostname cifs.upcall: ver=2
May 17 17:34:34 hostname cifs.upcall: host=host.fqdn
May 17 17:34:34 hostname cifs.upcall: ip=<address>
May 17 17:34:34 hostname cifs.upcall: sec=1
May 17 17:34:34 hostname cifs.upcall: uid=<uid>
May 17 17:34:34 hostname cifs.upcall: creduid=<uid>
May 17 17:34:34 hostname cifs.upcall: user=root
May 17 17:34:34 hostname cifs.upcall: pid=35653
May 17 17:34:34 hostname cifs.upcall: get_cachename_from_process_env: pathname=/proc/35653/environ
May 17 17:34:34 hostname cifs.upcall: switch_to_process_ns: setns() failed for cgroup
May 17 17:34:34 hostname cifs.upcall: unable to switch to process namespace: Operation not permitted
May 17 17:34:34 hostname cifs.upcall: Exit status 1

Do I need to adapt something (which might be a case for NEWS.Debian),
or might the fix be incomplete / introduce regressions?


Thanks in advance for your help,
Yours
Matthias Merz

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-5-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cifs-utils depends on:
ii  libc6         2.31-11
ii  libcap-ng0    0.7.9-2.2+b1
ii  libkeyutils1  1.6.1-2
ii  libkrb5-3     1.18.3-5
ii  libpam0g      1.4.0-7
ii  libtalloc2    2.3.1-2+b1
ii  libwbclient0  2:4.13.5+dfsg-2
ii  python3       3.9.2-3

Versions of packages cifs-utils recommends:
ii  keyutils  1.6.1-2

Versions of packages cifs-utils suggests:
ii  bash-completion  1:2.11-2
ii  smbclient        2:4.13.5+dfsg-2
ii  winbind          2:4.13.5+dfsg-2

-- no debconf information
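
Added example (not part of the original message and not cifs-utils code): a log triage that splits the "key description" line in the keyctl "type;uid;gid;perm;description" layout, decodes its hex fields, and reports upcalls that exited non-zero after a setns() failure. The sample log is constructed from the lines quoted above; the function names and the set of hex-encoded fields are assumptions based on those lines.

```python
import re

# Constructed sample: syslog lines shaped like the cifs.upcall output quoted in the report.
SAMPLE_LOG = """\
May 17 17:34:34 hostname cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=host.fqdn;ip4=<address>;sec=krb5;uid=0xf00ba;creduid=0xf00ba;user=root;pid=0x8b45
May 17 17:34:34 hostname cifs.upcall: get_cachename_from_process_env: pathname=/proc/35653/environ
May 17 17:34:34 hostname cifs.upcall: switch_to_process_ns: setns() failed for cgroup
May 17 17:34:34 hostname cifs.upcall: unable to switch to process namespace: Operation not permitted
May 17 17:34:34 hostname cifs.upcall: Exit status 1
"""

# Assumption: these fields appear as 0x... in the description, as in the quoted log.
HEX_FIELDS = {"ver", "uid", "creduid", "pid"}

def parse_key_description(desc):
    """Split 'type;uid;gid;perm;k=v;k=v...' into a dict with decoded numbers."""
    key_type, key_uid, key_gid, perm, payload = desc.split(";", 4)
    fields = {"type": key_type, "key_uid": int(key_uid),
              "key_gid": int(key_gid), "perm": perm}
    for item in payload.split(";"):
        name, _, value = item.partition("=")
        fields[name] = int(value, 16) if name in HEX_FIELDS else value
    return fields

def triage(log_text):
    """Return one record per upcall that failed after a setns() error."""
    findings, current = [], None
    for line in log_text.splitlines():
        _, _, msg = line.partition("cifs.upcall: ")
        if msg.startswith("key description: "):
            current = parse_key_description(msg[len("key description: "):])
            current["failed_ns"] = None
        elif current is None:
            continue  # line does not belong to a tracked upcall
        elif (m := re.match(r"switch_to_process_ns: setns\(\) failed for (\w+)", msg)):
            current["failed_ns"] = m.group(1)
        elif msg.startswith("Exit status "):
            if int(msg.split()[-1]) != 0 and current["failed_ns"]:
                findings.append(current)
            current = None
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"pid {f['pid']} (creduid {f['creduid']}, sec={f['sec']}, "
              f"host={f['host']}): setns() refused for '{f['failed_ns']}' namespace")
```

The decoded pid (0x8b45 = 35653) is the same process whose /proc/35653/environ is read in the log, which ties the namespace failure to the process that triggered the mount.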


