File cifs-utils-CVE-2022-29869.patch of Package cifs-utils

Overview Repositories Revisions Requests Users Attributes Meta

File cifs-utils-CVE-2022-29869.patch of Package cifs-utils

From 8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux <jbe@improsec.com>
Date: Sat, 19 Mar 2022 13:41:15 -0400
Subject: [PATCH] mount.cifs: fix verbose messages on option parsing
References: CVE-2022-29869, bsc#1198976

When verbose logging is enabled, invalid credentials file lines may be
dumped to stderr. This may lead to information disclosure in particular
conditions when the credentials file given is sensitive and contains '='
signs.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026

Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
Acked-by: Enzo Matsumiya <ematsumiya@suse.de>
---
 mount.cifs.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- cifs-utils-5.1.orig/mount.cifs.c
+++ cifs-utils-5.1/mount.cifs.c
@@ -697,17 +697,13 @@ static int open_cred_file(char *file_nam
 				goto return_i;
 			break;
 		case CRED_DOM:
-			if (parsed_info->verboseflag)
-				fprintf(stderr, "domain=%s\n",
-					temp_val);
 			strlcpy(parsed_info->domain, temp_val,
 				sizeof(parsed_info->domain));
 			break;
 		case CRED_UNPARSEABLE:
 			if (parsed_info->verboseflag)
 				fprintf(stderr, "Credential formatted "
-					"incorrectly: %s\n",
-					temp_val ? temp_val : "(null)");
+					"incorrectly\n");
 			break;
 		}
 	}

Places

File cifs-utils-CVE-2022-29869.patch of Package cifs-utils

Places