[Pkg-samba-maint] Bug#1010818: cifs-utils: CVE-2022-27239 CVE-2022-29869
Salvatore Bonaccorso
carnil at debian.org
Tue May 10 20:43:41 BST 2022
Hi,
On Tue, May 10, 2022 at 09:29:52PM +0200, Salvatore Bonaccorso wrote:
> Source: cifs-utils
> Version: 2:6.8-2
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> Control: found -1 2:6.11-3.1
> Control: found -1 2:6.14-1
>
> Hi,
>
> The following vulnerabilities were published for cifs-utils.
>
> CVE-2022-27239[0]:
> | In cifs-utils through 6.14, a stack-based buffer overflow when parsing
> | the mount.cifs ip= command-line argument could lead to local attackers
> | gaining root privileges.
>
>
> CVE-2022-29869[1]:
> | cifs-utils through 6.14, with verbose logging, can cause an
> | information leak when a file contains = (equal sign) characters but is
> | not a valid credentials file.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-27239
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27239
> [1] https://security-tracker.debian.org/tracker/CVE-2022-29869
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29869
Working on the buster- and bullseye-security updates and can propose
as well a NMU for unstable if needed.
Regards,
Salvatore
More information about the Pkg-samba-maint
mailing list