[arch-commits] Commit in cifs-utils/repos (14 files)

Tobias Powalowski tpowa at nymeria.archlinux.org
Mon Jun 16 10:42:57 UTC 2014


    Date: Monday, June 16, 2014 @ 12:42:57
  Author: tpowa
Revision: 215193

archrelease: copy trunk to extra-i686, extra-x86_64

Added:
  cifs-utils/repos/extra-i686/0003-cifskey-better-use-snprintf.patch
    (from rev 215192, cifs-utils/trunk/0003-cifskey-better-use-snprintf.patch)
  cifs-utils/repos/extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch
    (from rev 215192, cifs-utils/trunk/0004-cifscreds-better-error-handling-when-key_search-fail.patch)
  cifs-utils/repos/extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch
    (from rev 215192, cifs-utils/trunk/0005-cifscreds-better-error-handling-for-key_add.patch)
  cifs-utils/repos/extra-i686/PKGBUILD
    (from rev 215192, cifs-utils/trunk/PKGBUILD)
  cifs-utils/repos/extra-i686/fix-5.9-credentials.patch
    (from rev 215192, cifs-utils/trunk/fix-5.9-credentials.patch)
  cifs-utils/repos/extra-x86_64/0003-cifskey-better-use-snprintf.patch
    (from rev 215192, cifs-utils/trunk/0003-cifskey-better-use-snprintf.patch)
  cifs-utils/repos/extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch
    (from rev 215192, cifs-utils/trunk/0004-cifscreds-better-error-handling-when-key_search-fail.patch)
  cifs-utils/repos/extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch
    (from rev 215192, cifs-utils/trunk/0005-cifscreds-better-error-handling-for-key_add.patch)
  cifs-utils/repos/extra-x86_64/PKGBUILD
    (from rev 215192, cifs-utils/trunk/PKGBUILD)
  cifs-utils/repos/extra-x86_64/fix-5.9-credentials.patch
    (from rev 215192, cifs-utils/trunk/fix-5.9-credentials.patch)
Deleted:
  cifs-utils/repos/extra-i686/PKGBUILD
  cifs-utils/repos/extra-i686/fix-5.9-credentials.patch
  cifs-utils/repos/extra-x86_64/PKGBUILD
  cifs-utils/repos/extra-x86_64/fix-5.9-credentials.patch

------------------------------------------------------------------------------+
 /PKGBUILD                                                                    |   90 ++++++++
 /fix-5.9-credentials.patch                                                   |   32 +++
 extra-i686/0003-cifskey-better-use-snprintf.patch                            |   49 ++++
 extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch   |   85 ++++++++
 extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch            |  102 ++++++++++
 extra-i686/PKGBUILD                                                          |   30 --
 extra-i686/fix-5.9-credentials.patch                                         |   16 -
 extra-x86_64/0003-cifskey-better-use-snprintf.patch                          |   49 ++++
 extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch |   85 ++++++++
 extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch          |  102 ++++++++++
 extra-x86_64/PKGBUILD                                                        |   30 --
 extra-x86_64/fix-5.9-credentials.patch                                       |   16 -
 12 files changed, 594 insertions(+), 92 deletions(-)

Copied: cifs-utils/repos/extra-i686/0003-cifskey-better-use-snprintf.patch (from rev 215192, cifs-utils/trunk/0003-cifskey-better-use-snprintf.patch)
===================================================================
--- extra-i686/0003-cifskey-better-use-snprintf.patch	                        (rev 0)
+++ extra-i686/0003-cifskey-better-use-snprintf.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,49 @@
+From 0c521d5060035da655107001374e08873ac5dde8 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer at suse.de>
+Date: Mon, 14 Apr 2014 11:39:41 +0200
+Subject: [PATCH] cifskey: better use snprintf()
+
+Prefer snprintf() over sprintf() in cifskey.c
+Projects that fork the code (pam_cifscreds) can't rely on
+the max-size parameters.
+
+[jlayton: removed unneeded initialization of "len" in key_add]
+
+Signed-off-by: Sebastian Krahmer <krahmer at suse.de>
+---
+ cifskey.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/cifskey.c b/cifskey.c
+index 7716c42..e89cacf 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -29,7 +29,8 @@ key_search(const char *addr, char keytype)
+ {
+ 	char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+ 
+-	sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++		return -1;
+ 
+ 	return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+@@ -43,10 +44,13 @@ key_add(const char *addr, const char *user, const char *pass, char keytype)
+ 	char val[MOUNT_PASSWD_SIZE +  MAX_USERNAME_SIZE + 2];
+ 
+ 	/* set key description */
+-	sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++		return -1;
+ 
+ 	/* set payload contents */
+-	len = sprintf(val, "%s:%s", user, pass);
++	len = snprintf(val, sizeof(val), "%s:%s", user, pass);
++	if (len >= (int)sizeof(val))
++		return -1;
+ 
+ 	return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+-- 
+1.8.4.2
+

Copied: cifs-utils/repos/extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch (from rev 215192, cifs-utils/trunk/0004-cifscreds-better-error-handling-when-key_search-fail.patch)
===================================================================
--- extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch	                        (rev 0)
+++ extra-i686/0004-cifscreds-better-error-handling-when-key_search-fail.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,85 @@
+From 3da4c43b575498be86c87a2ac3f3142e3cab1c59 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling when key_search fails
+
+If we ended up getting a bogus string that would have overflowed, then
+make key_search set errno to EINVAL before returning. The callers can
+then test to see if the returned error is what was expected or something
+else and handle it appropriately.
+
+Cc: Sebastian Krahmer <krahmer at suse.de>
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ cifscreds.c     | 9 +++++++++
+ cifskey.c       | 5 ++++-
+ pam_cifscreds.c | 9 +++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index fa05dc8..64d55b0 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -188,6 +188,15 @@ static int cifscreds_add(struct cmdarg *arg)
+ 			return EXIT_FAILURE;
+ 		}
+ 
++		switch(errno) {
++		case ENOKEY:
++			/* success */
++			break;
++		default:
++			printf("Key search failed: %s\n", strerror(errno));
++			return EXIT_FAILURE;
++		}
++
+ 		currentaddress = nextaddress;
+ 		if (currentaddress) {
+ 			*(currentaddress - 1) = ',';
+diff --git a/cifskey.c b/cifskey.c
+index e89cacf..4f01ed0 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -20,6 +20,7 @@
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <stdio.h>
++#include <errno.h>
+ #include "cifskey.h"
+ #include "resolve_host.h"
+ 
+@@ -29,8 +30,10 @@ key_search(const char *addr, char keytype)
+ {
+ 	char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+ 
+-	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) {
++		errno = EINVAL;
+ 		return -1;
++	}
+ 
+ 	return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index e0d8a55..fb23117 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -206,6 +206,15 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
+ 			return PAM_SERVICE_ERR;
+ 		}
+ 
++		switch(errno) {
++		case ENOKEY:
++			break;
++		default:
++			pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)",
++					currentaddress, strerror(errno));
++			return PAM_SERVICE_ERR;
++		}
++
+ 		currentaddress = nextaddress;
+ 		if (currentaddress) {
+ 			*(currentaddress - 1) = ',';
+-- 
+1.8.4.2
+

Copied: cifs-utils/repos/extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch (from rev 215192, cifs-utils/trunk/0005-cifscreds-better-error-handling-for-key_add.patch)
===================================================================
--- extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch	                        (rev 0)
+++ extra-i686/0005-cifscreds-better-error-handling-for-key_add.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,102 @@
+From 382ec63757c1d8d4d399d17ccc927c4897d4cfc9 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling for key_add
+
+If the string buffers would have been overrun, set errno to EINVAL
+before returning. Then, have the callers report the errors to
+stderr or syslog as appropriate.
+
+Cc: Sebastian Krahmer <krahmer at suse.de>
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ cifscreds.c     | 6 +++---
+ cifskey.c       | 8 ++++++--
+ pam_cifscreds.c | 9 +++++----
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index 64d55b0..5d84c3c 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -220,8 +220,8 @@ static int cifscreds_add(struct cmdarg *arg)
+ 	while (currentaddress) {
+ 		key_serial_t key = key_add(currentaddress, arg->user, pass, arg->keytype);
+ 		if (key <= 0) {
+-			fprintf(stderr, "error: Add credential key for %s\n",
+-				currentaddress);
++			fprintf(stderr, "error: Add credential key for %s: %s\n",
++				currentaddress, strerror(errno));
+ 		} else {
+ 			if (keyctl(KEYCTL_SETPERM, key, CIFS_KEY_PERMS) < 0) {
+ 				fprintf(stderr, "error: Setting permissons "
+@@ -422,7 +422,7 @@ static int cifscreds_update(struct cmdarg *arg)
+ 		key_serial_t key = key_add(addrs[id], arg->user, pass, arg->keytype);
+ 		if (key <= 0)
+ 			fprintf(stderr, "error: Update credential key "
+-				"for %s\n", addrs[id]);
++				"for %s: %s\n", addrs[id], strerror(errno));
+ 	}
+ 
+ 	return EXIT_SUCCESS;
+diff --git a/cifskey.c b/cifskey.c
+index 4f01ed0..919540f 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -47,13 +47,17 @@ key_add(const char *addr, const char *user, const char *pass, char keytype)
+ 	char val[MOUNT_PASSWD_SIZE +  MAX_USERNAME_SIZE + 2];
+ 
+ 	/* set key description */
+-	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) {
++		errno = EINVAL;
+ 		return -1;
++	}
+ 
+ 	/* set payload contents */
+ 	len = snprintf(val, sizeof(val), "%s:%s", user, pass);
+-	if (len >= (int)sizeof(val))
++	if (len >= (int)sizeof(val)) {
++		errno = EINVAL;
+ 		return -1;
++	}
+ 
+ 	return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index fb23117..5d99c2d 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -208,6 +208,7 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
+ 
+ 		switch(errno) {
+ 		case ENOKEY:
++			/* success */
+ 			break;
+ 		default:
+ 			pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)",
+@@ -233,8 +234,8 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
+ 	while (currentaddress) {
+ 		key_serial_t key = key_add(currentaddress, user, password, keytype);
+ 		if (key <= 0) {
+-			pam_syslog(ph, LOG_ERR, "error: Add credential key for %s",
+-				currentaddress);
++			pam_syslog(ph, LOG_ERR, "error: Add credential key for %s: %s",
++				currentaddress, strerror(errno));
+ 		} else {
+ 			if ((args & ARG_DEBUG) == ARG_DEBUG) {
+ 				pam_syslog(ph, LOG_DEBUG, "credential key for \\\\%s\\%s added",
+@@ -336,8 +337,8 @@ static int cifscreds_pam_update(pam_handle_t *ph, const char *user, const char *
+ 	for (id = 0; id < count; id++) {
+ 		key_serial_t key = key_add(currentaddress, user, password, keytype);
+ 		if (key <= 0) {
+-			pam_syslog(ph, LOG_ERR, "error: Update credential key for %s",
+-				currentaddress);
++			pam_syslog(ph, LOG_ERR, "error: Update credential key for %s: %s",
++				currentaddress, strerror(errno));
+ 		}
+ 	}
+ 
+-- 
+1.8.4.2
+

Deleted: extra-i686/PKGBUILD
===================================================================
--- extra-i686/PKGBUILD	2014-06-16 10:42:46 UTC (rev 215192)
+++ extra-i686/PKGBUILD	2014-06-16 10:42:57 UTC (rev 215193)
@@ -1,30 +0,0 @@
-# $Id$
-# Maintainer: Tobias Powalowski <tpowa at archlinux.org>
-pkgname=cifs-utils
-pkgver=6.3
-pkgrel=1
-pkgdesc="CIFS filesystem user-space tools"
-arch=(i686 x86_64)
-url="http://wiki.samba.org/index.php/LinuxCIFS_utils"
-license=('GPL')
-depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam')
-source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2)
-
-build() {
-  cd "$srcdir/$pkgname-$pkgver"
-  # systemd support is broken in mount.cifs
-  # https://bugs.archlinux.org/task/30958
-  ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd
-  make
-}
-
-package() {
-  cd "$srcdir/$pkgname-$pkgver"
-  make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install
-  mkdir -p $pkgdir/etc/request-key.d
-  install -m 644 contrib/request-key.d/cifs.idmap.conf $pkgdir/etc/request-key.d
-  install -m 644 contrib/request-key.d/cifs.spnego.conf $pkgdir/etc/request-key.d
-  # set mount.cifs uid, to enable none root mounting form fstab
-  chmod +s $pkgdir/usr/bin/mount.cifs
-}
-md5sums=('93697dbc043cb4d5c66e15e281f872e5')

Copied: cifs-utils/repos/extra-i686/PKGBUILD (from rev 215192, cifs-utils/trunk/PKGBUILD)
===================================================================
--- extra-i686/PKGBUILD	                        (rev 0)
+++ extra-i686/PKGBUILD	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,45 @@
+# $Id$
+# Maintainer: Tobias Powalowski <tpowa at archlinux.org>
+pkgname=cifs-utils
+pkgver=6.3
+pkgrel=2
+pkgdesc="CIFS filesystem user-space tools"
+arch=(i686 x86_64)
+url="http://wiki.samba.org/index.php/LinuxCIFS_utils"
+license=('GPL')
+depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam')
+source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2
+        '0003-cifskey-better-use-snprintf.patch'
+        '0004-cifscreds-better-error-handling-when-key_search-fail.patch'
+        '0005-cifscreds-better-error-handling-for-key_add.patch')
+
+prepare() {
+  cd "$srcdir/$pkgname-$pkgver"
+  # add fedora patches
+  # 40789 CVE-2014-2830
+  patch -Np1 -i "$srcdir/0003-cifskey-better-use-snprintf.patch"
+  patch -Np1 -i "$srcdir/0004-cifscreds-better-error-handling-when-key_search-fail.patch"
+  patch -Np1 -i "$srcdir/0005-cifscreds-better-error-handling-for-key_add.patch"
+}
+
+build() {
+  cd "$srcdir/$pkgname-$pkgver"
+  # systemd support is broken in mount.cifs
+  # https://bugs.archlinux.org/task/30958
+  ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd
+  make
+}
+
+package() {
+  cd "$srcdir/$pkgname-$pkgver"
+  make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install
+  mkdir -p $pkgdir/etc/request-key.d
+  install -m 644 contrib/request-key.d/cifs.idmap.conf $pkgdir/etc/request-key.d
+  install -m 644 contrib/request-key.d/cifs.spnego.conf $pkgdir/etc/request-key.d
+  # set mount.cifs uid, to enable none root mounting form fstab
+  chmod +s $pkgdir/usr/bin/mount.cifs
+}
+md5sums=('93697dbc043cb4d5c66e15e281f872e5'
+         'cc13c6d1b734a446d0f4384e0ce32748'
+         '350491f336dc931f9b192228909e5924'
+         'ac2b3367363fbc79f8f7fdfcae008a8c')

Deleted: extra-i686/fix-5.9-credentials.patch
===================================================================
--- extra-i686/fix-5.9-credentials.patch	2014-06-16 10:42:46 UTC (rev 215192)
+++ extra-i686/fix-5.9-credentials.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -1,16 +0,0 @@
-X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=40b77e92e3f734c606f522ccf279a0508ad64eab;hp=c7c3055cb890764937193b1d50d1f0fb7ae18826;hb=1a01f7c4b90695211d12291d7a24bec05b1f2922;hpb=739289ad3ce915e1ee2705ecd7ac4e907cd91405
-
-diff --git a/mount.cifs.c b/mount.cifs.c
-index c7c3055..40b77e9 100644
---- a/mount.cifs.c
-+++ b/mount.cifs.c
-@@ -581,7 +581,8 @@ static int open_cred_file(char *file_name,
- 		switch (parse_cred_line(line_buf + i, &temp_val)) {
- 		case CRED_USER:
- 			strlcpy(parsed_info->username, temp_val,
--				sizeof(parsed_info->domain));
-+				sizeof(parsed_info->username));
-+			parsed_info->got_user = 1;
- 			break;
- 		case CRED_PASS:
- 			i = set_password(parsed_info, temp_val);

Copied: cifs-utils/repos/extra-i686/fix-5.9-credentials.patch (from rev 215192, cifs-utils/trunk/fix-5.9-credentials.patch)
===================================================================
--- extra-i686/fix-5.9-credentials.patch	                        (rev 0)
+++ extra-i686/fix-5.9-credentials.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,16 @@
+X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=40b77e92e3f734c606f522ccf279a0508ad64eab;hp=c7c3055cb890764937193b1d50d1f0fb7ae18826;hb=1a01f7c4b90695211d12291d7a24bec05b1f2922;hpb=739289ad3ce915e1ee2705ecd7ac4e907cd91405
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index c7c3055..40b77e9 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -581,7 +581,8 @@ static int open_cred_file(char *file_name,
+ 		switch (parse_cred_line(line_buf + i, &temp_val)) {
+ 		case CRED_USER:
+ 			strlcpy(parsed_info->username, temp_val,
+-				sizeof(parsed_info->domain));
++				sizeof(parsed_info->username));
++			parsed_info->got_user = 1;
+ 			break;
+ 		case CRED_PASS:
+ 			i = set_password(parsed_info, temp_val);

Copied: cifs-utils/repos/extra-x86_64/0003-cifskey-better-use-snprintf.patch (from rev 215192, cifs-utils/trunk/0003-cifskey-better-use-snprintf.patch)
===================================================================
--- extra-x86_64/0003-cifskey-better-use-snprintf.patch	                        (rev 0)
+++ extra-x86_64/0003-cifskey-better-use-snprintf.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,49 @@
+From 0c521d5060035da655107001374e08873ac5dde8 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer at suse.de>
+Date: Mon, 14 Apr 2014 11:39:41 +0200
+Subject: [PATCH] cifskey: better use snprintf()
+
+Prefer snprintf() over sprintf() in cifskey.c
+Projects that fork the code (pam_cifscreds) can't rely on
+the max-size parameters.
+
+[jlayton: removed unneeded initialization of "len" in key_add]
+
+Signed-off-by: Sebastian Krahmer <krahmer at suse.de>
+---
+ cifskey.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/cifskey.c b/cifskey.c
+index 7716c42..e89cacf 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -29,7 +29,8 @@ key_search(const char *addr, char keytype)
+ {
+ 	char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+ 
+-	sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++		return -1;
+ 
+ 	return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+@@ -43,10 +44,13 @@ key_add(const char *addr, const char *user, const char *pass, char keytype)
+ 	char val[MOUNT_PASSWD_SIZE +  MAX_USERNAME_SIZE + 2];
+ 
+ 	/* set key description */
+-	sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++		return -1;
+ 
+ 	/* set payload contents */
+-	len = sprintf(val, "%s:%s", user, pass);
++	len = snprintf(val, sizeof(val), "%s:%s", user, pass);
++	if (len >= (int)sizeof(val))
++		return -1;
+ 
+ 	return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+-- 
+1.8.4.2
+

Copied: cifs-utils/repos/extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch (from rev 215192, cifs-utils/trunk/0004-cifscreds-better-error-handling-when-key_search-fail.patch)
===================================================================
--- extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch	                        (rev 0)
+++ extra-x86_64/0004-cifscreds-better-error-handling-when-key_search-fail.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,85 @@
+From 3da4c43b575498be86c87a2ac3f3142e3cab1c59 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling when key_search fails
+
+If we ended up getting a bogus string that would have overflowed, then
+make key_search set errno to EINVAL before returning. The callers can
+then test to see if the returned error is what was expected or something
+else and handle it appropriately.
+
+Cc: Sebastian Krahmer <krahmer at suse.de>
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ cifscreds.c     | 9 +++++++++
+ cifskey.c       | 5 ++++-
+ pam_cifscreds.c | 9 +++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index fa05dc8..64d55b0 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -188,6 +188,15 @@ static int cifscreds_add(struct cmdarg *arg)
+ 			return EXIT_FAILURE;
+ 		}
+ 
++		switch(errno) {
++		case ENOKEY:
++			/* success */
++			break;
++		default:
++			printf("Key search failed: %s\n", strerror(errno));
++			return EXIT_FAILURE;
++		}
++
+ 		currentaddress = nextaddress;
+ 		if (currentaddress) {
+ 			*(currentaddress - 1) = ',';
+diff --git a/cifskey.c b/cifskey.c
+index e89cacf..4f01ed0 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -20,6 +20,7 @@
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <stdio.h>
++#include <errno.h>
+ #include "cifskey.h"
+ #include "resolve_host.h"
+ 
+@@ -29,8 +30,10 @@ key_search(const char *addr, char keytype)
+ {
+ 	char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+ 
+-	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) {
++		errno = EINVAL;
+ 		return -1;
++	}
+ 
+ 	return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index e0d8a55..fb23117 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -206,6 +206,15 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
+ 			return PAM_SERVICE_ERR;
+ 		}
+ 
++		switch(errno) {
++		case ENOKEY:
++			break;
++		default:
++			pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)",
++					currentaddress, strerror(errno));
++			return PAM_SERVICE_ERR;
++		}
++
+ 		currentaddress = nextaddress;
+ 		if (currentaddress) {
+ 			*(currentaddress - 1) = ',';
+-- 
+1.8.4.2
+

Copied: cifs-utils/repos/extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch (from rev 215192, cifs-utils/trunk/0005-cifscreds-better-error-handling-for-key_add.patch)
===================================================================
--- extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch	                        (rev 0)
+++ extra-x86_64/0005-cifscreds-better-error-handling-for-key_add.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,102 @@
+From 382ec63757c1d8d4d399d17ccc927c4897d4cfc9 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling for key_add
+
+If the string buffers would have been overrun, set errno to EINVAL
+before returning. Then, have the callers report the errors to
+stderr or syslog as appropriate.
+
+Cc: Sebastian Krahmer <krahmer at suse.de>
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ cifscreds.c     | 6 +++---
+ cifskey.c       | 8 ++++++--
+ pam_cifscreds.c | 9 +++++----
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index 64d55b0..5d84c3c 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -220,8 +220,8 @@ static int cifscreds_add(struct cmdarg *arg)
+ 	while (currentaddress) {
+ 		key_serial_t key = key_add(currentaddress, arg->user, pass, arg->keytype);
+ 		if (key <= 0) {
+-			fprintf(stderr, "error: Add credential key for %s\n",
+-				currentaddress);
++			fprintf(stderr, "error: Add credential key for %s: %s\n",
++				currentaddress, strerror(errno));
+ 		} else {
+ 			if (keyctl(KEYCTL_SETPERM, key, CIFS_KEY_PERMS) < 0) {
+ 				fprintf(stderr, "error: Setting permissons "
+@@ -422,7 +422,7 @@ static int cifscreds_update(struct cmdarg *arg)
+ 		key_serial_t key = key_add(addrs[id], arg->user, pass, arg->keytype);
+ 		if (key <= 0)
+ 			fprintf(stderr, "error: Update credential key "
+-				"for %s\n", addrs[id]);
++				"for %s: %s\n", addrs[id], strerror(errno));
+ 	}
+ 
+ 	return EXIT_SUCCESS;
+diff --git a/cifskey.c b/cifskey.c
+index 4f01ed0..919540f 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -47,13 +47,17 @@ key_add(const char *addr, const char *user, const char *pass, char keytype)
+ 	char val[MOUNT_PASSWD_SIZE +  MAX_USERNAME_SIZE + 2];
+ 
+ 	/* set key description */
+-	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++	if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) {
++		errno = EINVAL;
+ 		return -1;
++	}
+ 
+ 	/* set payload contents */
+ 	len = snprintf(val, sizeof(val), "%s:%s", user, pass);
+-	if (len >= (int)sizeof(val))
++	if (len >= (int)sizeof(val)) {
++		errno = EINVAL;
+ 		return -1;
++	}
+ 
+ 	return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index fb23117..5d99c2d 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -208,6 +208,7 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
+ 
+ 		switch(errno) {
+ 		case ENOKEY:
++			/* success */
+ 			break;
+ 		default:
+ 			pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)",
+@@ -233,8 +234,8 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
+ 	while (currentaddress) {
+ 		key_serial_t key = key_add(currentaddress, user, password, keytype);
+ 		if (key <= 0) {
+-			pam_syslog(ph, LOG_ERR, "error: Add credential key for %s",
+-				currentaddress);
++			pam_syslog(ph, LOG_ERR, "error: Add credential key for %s: %s",
++				currentaddress, strerror(errno));
+ 		} else {
+ 			if ((args & ARG_DEBUG) == ARG_DEBUG) {
+ 				pam_syslog(ph, LOG_DEBUG, "credential key for \\\\%s\\%s added",
+@@ -336,8 +337,8 @@ static int cifscreds_pam_update(pam_handle_t *ph, const char *user, const char *
+ 	for (id = 0; id < count; id++) {
+ 		key_serial_t key = key_add(currentaddress, user, password, keytype);
+ 		if (key <= 0) {
+-			pam_syslog(ph, LOG_ERR, "error: Update credential key for %s",
+-				currentaddress);
++			pam_syslog(ph, LOG_ERR, "error: Update credential key for %s: %s",
++				currentaddress, strerror(errno));
+ 		}
+ 	}
+ 
+-- 
+1.8.4.2
+

Deleted: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD	2014-06-16 10:42:46 UTC (rev 215192)
+++ extra-x86_64/PKGBUILD	2014-06-16 10:42:57 UTC (rev 215193)
@@ -1,30 +0,0 @@
-# $Id$
-# Maintainer: Tobias Powalowski <tpowa at archlinux.org>
-pkgname=cifs-utils
-pkgver=6.3
-pkgrel=1
-pkgdesc="CIFS filesystem user-space tools"
-arch=(i686 x86_64)
-url="http://wiki.samba.org/index.php/LinuxCIFS_utils"
-license=('GPL')
-depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam')
-source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2)
-
-build() {
-  cd "$srcdir/$pkgname-$pkgver"
-  # systemd support is broken in mount.cifs
-  # https://bugs.archlinux.org/task/30958
-  ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd
-  make
-}
-
-package() {
-  cd "$srcdir/$pkgname-$pkgver"
-  make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install
-  mkdir -p $pkgdir/etc/request-key.d
-  install -m 644 contrib/request-key.d/cifs.idmap.conf $pkgdir/etc/request-key.d
-  install -m 644 contrib/request-key.d/cifs.spnego.conf $pkgdir/etc/request-key.d
-  # set mount.cifs uid, to enable none root mounting form fstab
-  chmod +s $pkgdir/usr/bin/mount.cifs
-}
-md5sums=('93697dbc043cb4d5c66e15e281f872e5')

Copied: cifs-utils/repos/extra-x86_64/PKGBUILD (from rev 215192, cifs-utils/trunk/PKGBUILD)
===================================================================
--- extra-x86_64/PKGBUILD	                        (rev 0)
+++ extra-x86_64/PKGBUILD	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,45 @@
+# $Id$
+# Maintainer: Tobias Powalowski <tpowa at archlinux.org>
+pkgname=cifs-utils
+pkgver=6.3
+pkgrel=2
+pkgdesc="CIFS filesystem user-space tools"
+arch=(i686 x86_64)
+url="http://wiki.samba.org/index.php/LinuxCIFS_utils"
+license=('GPL')
+depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam')
+source=(ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/$pkgname-$pkgver.tar.bz2
+        '0003-cifskey-better-use-snprintf.patch'
+        '0004-cifscreds-better-error-handling-when-key_search-fail.patch'
+        '0005-cifscreds-better-error-handling-for-key_add.patch')
+
+prepare() {
+  cd "$srcdir/$pkgname-$pkgver"
+  # add fedora patches
+  # 40789 CVE-2014-2830
+  patch -Np1 -i "$srcdir/0003-cifskey-better-use-snprintf.patch"
+  patch -Np1 -i "$srcdir/0004-cifscreds-better-error-handling-when-key_search-fail.patch"
+  patch -Np1 -i "$srcdir/0005-cifscreds-better-error-handling-for-key_add.patch"
+}
+
+build() {
+  cd "$srcdir/$pkgname-$pkgver"
+  # systemd support is broken in mount.cifs
+  # https://bugs.archlinux.org/task/30958
+  ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd
+  make
+}
+
+package() {
+  cd "$srcdir/$pkgname-$pkgver"
+  make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install
+  mkdir -p $pkgdir/etc/request-key.d
+  install -m 644 contrib/request-key.d/cifs.idmap.conf $pkgdir/etc/request-key.d
+  install -m 644 contrib/request-key.d/cifs.spnego.conf $pkgdir/etc/request-key.d
+  # set mount.cifs uid, to enable none root mounting form fstab
+  chmod +s $pkgdir/usr/bin/mount.cifs
+}
+md5sums=('93697dbc043cb4d5c66e15e281f872e5'
+         'cc13c6d1b734a446d0f4384e0ce32748'
+         '350491f336dc931f9b192228909e5924'
+         'ac2b3367363fbc79f8f7fdfcae008a8c')

Deleted: extra-x86_64/fix-5.9-credentials.patch
===================================================================
--- extra-x86_64/fix-5.9-credentials.patch	2014-06-16 10:42:46 UTC (rev 215192)
+++ extra-x86_64/fix-5.9-credentials.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -1,16 +0,0 @@
-X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=40b77e92e3f734c606f522ccf279a0508ad64eab;hp=c7c3055cb890764937193b1d50d1f0fb7ae18826;hb=1a01f7c4b90695211d12291d7a24bec05b1f2922;hpb=739289ad3ce915e1ee2705ecd7ac4e907cd91405
-
-diff --git a/mount.cifs.c b/mount.cifs.c
-index c7c3055..40b77e9 100644
---- a/mount.cifs.c
-+++ b/mount.cifs.c
-@@ -581,7 +581,8 @@ static int open_cred_file(char *file_name,
- 		switch (parse_cred_line(line_buf + i, &temp_val)) {
- 		case CRED_USER:
- 			strlcpy(parsed_info->username, temp_val,
--				sizeof(parsed_info->domain));
-+				sizeof(parsed_info->username));
-+			parsed_info->got_user = 1;
- 			break;
- 		case CRED_PASS:
- 			i = set_password(parsed_info, temp_val);

Copied: cifs-utils/repos/extra-x86_64/fix-5.9-credentials.patch (from rev 215192, cifs-utils/trunk/fix-5.9-credentials.patch)
===================================================================
--- extra-x86_64/fix-5.9-credentials.patch	                        (rev 0)
+++ extra-x86_64/fix-5.9-credentials.patch	2014-06-16 10:42:57 UTC (rev 215193)
@@ -0,0 +1,16 @@
+X-Git-Url: https://git.samba.org/?p=cifs-utils.git;a=blobdiff_plain;f=mount.cifs.c;h=40b77e92e3f734c606f522ccf279a0508ad64eab;hp=c7c3055cb890764937193b1d50d1f0fb7ae18826;hb=1a01f7c4b90695211d12291d7a24bec05b1f2922;hpb=739289ad3ce915e1ee2705ecd7ac4e907cd91405
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index c7c3055..40b77e9 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -581,7 +581,8 @@ static int open_cred_file(char *file_name,
+ 		switch (parse_cred_line(line_buf + i, &temp_val)) {
+ 		case CRED_USER:
+ 			strlcpy(parsed_info->username, temp_val,
+-				sizeof(parsed_info->domain));
++				sizeof(parsed_info->username));
++			parsed_info->got_user = 1;
+ 			break;
+ 		case CRED_PASS:
+ 			i = set_password(parsed_info, temp_val);




More information about the arch-commits mailing list