| Message ID | 20200920075720.636748-1-fontaine.fabrice@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/cifs-utils: security bump to version 6.11 | expand |
On Sun, 20 Sep 2020 09:57:20 +0200 Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote: > Fix CVE-2020-14342: It was found that cifs-utils' mount.cifs was > invoking a shell when requesting the Samba password, which could be used > to inject arbitrary commands. An attacker able to invoke mount.cifs with > special permission, such as via sudo rules, could use this flaw to > escalate their privileges. > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > --- > package/cifs-utils/cifs-utils.hash | 2 +- > package/cifs-utils/cifs-utils.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) Applied to master, thanks. Thomas
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > Fix CVE-2020-14342: It was found that cifs-utils' mount.cifs was > invoking a shell when requesting the Samba password, which could be used > to inject arbitrary commands. An attacker able to invoke mount.cifs with > special permission, such as via sudo rules, could use this flaw to > escalate their privileges. > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2020.02.x, 2020.05.x and 2020.08.x, thanks.
diff --git a/package/cifs-utils/cifs-utils.hash b/package/cifs-utils/cifs-utils.hash index 5eaa84f370..ca97eb8e56 100644 --- a/package/cifs-utils/cifs-utils.hash +++ b/package/cifs-utils/cifs-utils.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -sha256 92fc29c8e9039637f3344267500f1fa381e2cccd7d10142f0c1676fa575904a7 cifs-utils-6.10.tar.bz2 +sha256 b859239a3f204f8220d3e54ed43bf8109e1ef202042dd87ba87492f8878728d9 cifs-utils-6.11.tar.bz2 # Hash for license file: sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING diff --git a/package/cifs-utils/cifs-utils.mk b/package/cifs-utils/cifs-utils.mk index b59a54d987..b06ce7dddf 100644 --- a/package/cifs-utils/cifs-utils.mk +++ b/package/cifs-utils/cifs-utils.mk @@ -4,7 +4,7 @@ # ################################################################################ -CIFS_UTILS_VERSION = 6.10 +CIFS_UTILS_VERSION = 6.11 CIFS_UTILS_SOURCE = cifs-utils-$(CIFS_UTILS_VERSION).tar.bz2 CIFS_UTILS_SITE = http://ftp.samba.org/pub/linux-cifs/cifs-utils CIFS_UTILS_LICENSE = GPL-3.0+
Fix CVE-2020-14342: It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/cifs-utils/cifs-utils.hash | 2 +- package/cifs-utils/cifs-utils.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)