Bug 1079819 (CVE-2014-2581)
| Field | Value |
|---|---|
| Summary | CVE-2014-2581 smb4k: potential credential cache leak fixed in version 1.1.1 |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Murray McAllister <mmcallis> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | sergio, vdanen |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | smb4k 1.1.1 |
| Doc Type | Bug Fix |
| Last Closed | 2014-06-03 10:53:59 UTC |
| Bug Depends On | 1079820 |

Description
Murray McAllister
2014-03-24 05:05:40 UTC
Created smb4k tracking bugs for this issue:

Affects: fedora-all [bug 1079820]

(In reply to Murray McAllister from comment #0)
> The 1.1.1 release of smb4k[1], an SMB/CIFS share browser for KDE, fixes a
> potential credential cache leak:
>
> "Fixed potential security issue reported by Heiner Markert. Do not allow the
> cruid option to be entered via the "Additional options" line edit. Also,
> implement a check in Smb4KMountJob::createMountAction() that removes the
> cruid option from the custom options returned by
> Smb4KSettings::customCIFSOptions()."
>
> Could the Fedora package be upgraded to version 1.1.1?
>
> [1] http://sourceforge.net/projects/smb4k/files/Smb4K%20%28stable%20releases%29/1.1.1/

Hi, I planned to update smb4k on rawhide, not in Fedora 20 and 19, which have smb4k-1.0.9-1.fc20.x86_64 and smb4k-1.0.9-1.fc19.
So I will update smb4k for series 1.1 ASAP (tonight); what do you think we should do with released versions?

Thanks for taking care of security of smb4k

(In reply to Sergio Monteiro Basto from comment #3)
> (In reply to Murray McAllister from comment #0)
> > The 1.1.1 release of smb4k[1], an SMB/CIFS share browser for KDE, fixes a
> > potential credential cache leak:
> >
> > "Fixed potential security issue reported by Heiner Markert. Do not allow the
> > cruid option to be entered via the "Additional options" line edit. Also,
> > implement a check in Smb4KMountJob::createMountAction() that removes the
> > cruid option from the custom options returned by
> > Smb4KSettings::customCIFSOptions()."
> >
> > Could the Fedora package be upgraded to version 1.1.1?
> >
> > [1] http://sourceforge.net/projects/smb4k/files/Smb4K%20%28stable%20releases%29/1.1.1/
>
> Hi, I planned to update smb4k on rawhide, not in Fedora 20 and 19, which have
> smb4k-1.0.9-1.fc20.x86_64 and smb4k-1.0.9-1.fc19.
> So I will update smb4k for series 1.1 ASAP (tonight); what do you think we
> should do with released versions?
>
> Thanks for taking care of security of smb4k

Thank you for doing that! I do not have any good guidance on what to do with the released versions other than 'update', but if that is not possible, maybe backporting the security fix is (although I am still unsure where this leak occurs, so maybe it is not a big deal if it is not fixed). I think the security part between 1.0 and 1.1 is related to these two diffs, but I have missed some other changes (along with all the po/translation pieces):

"" --- smb10/smb4k-1.1.0/smb4k/configdlg/smb4ksambaoptionspage.cpp 2014-01-07 02:11:06.000000000 +1100 +++ smb11/smb4k-1.1.1/smb4k/configdlg/smb4ksambaoptionspage.cpp 2014-03-23 02:02:23.000000000 +1100 @@ -51,6 +51,7 @@ #include <kcombobox.h> #include <kuser.h> #include <kicon.h> +#include <kmessagebox.h> // System includes #include <unistd.h> @@ -560,7 +561,6 @@ KLineEdit *additional_opts = new KLineEdit( c_extra_widget ); additional_opts->setObjectName( "kcfg_CustomCIFSOptions" ); - add_options_label->setBuddy( additional_opts ); c_extra_layout->addWidget( security_label, 0, 0, 0 ); @@ -698,6 +698,9 @@ connect( group_menu, SIGNAL(triggered(QAction*)), this, SLOT(slotNewGroupTriggered(QAction*)) ); + + connect( additional_opts, SIGNAL(userTextChanged(QString)), + this, SLOT(slotAdditionalCIFSOptionsChanged(QString)) ); } 
@@ -740,5 +743,52 @@ } +void Smb4KSambaOptionsPage::slotAdditionalCIFSOptionsChanged(const QString& options) +{ + if ( !options.trimmed().isEmpty() ) + { + // SECURITY: Remove cruid option. + // This issue was reported by Heiner Markert. + if ( options.contains( "cruid=" ) ) + { + QStringList list = options.split( ',', QString::SkipEmptyParts ); + QMutableStringListIterator it( list ); + + while ( it.hasNext() ) + { + if ( it.next().contains( "cruid=" ) ) + { + it.remove(); + } + else + { + // Do nothing + } + } + + KLineEdit *cifs_opts = findChild<KLineEdit *>( "kcfg_CustomCIFSOptions" ); + + if ( cifs_opts ) + { + KMessageBox::information( this, i18n( "<qt>Due to security concerns, the cruid option cannot be defined here and will now be removed.</qt>" ) ); + cifs_opts->setText( list.join( " ," ) ); + } + else + { + // Do nothing + } + } + else + { + // Do nothing + } + } + else + { + // Do nothing + } +} + + #include "smb4ksambaoptionspage.moc" "" "" --- smb10/smb4k-1.1.0/core/smb4kmounter_p.cpp 2014-01-07 02:11:07.000000000 +1100 +++ smb11/smb4k-1.1.1/core/smb4kmounter_p.cpp 2014-03-23 02:02:23.000000000 +1100 
@@ -599,7 +599,24 @@ // Global custom options provided by the user if ( !Smb4KSettings::customCIFSOptions().isEmpty() ) { - args_list += Smb4KSettings::customCIFSOptions().split( ',', QString::SkipEmptyParts ); + // SECURITY: Remove cruid option. + // This issue was reported by Heiner Markert. + QStringList list = Smb4KSettings::customCIFSOptions().split( ',', QString::SkipEmptyParts ); + QMutableStringListIterator it( list ); + + while ( it.hasNext() ) + { + if ( it.next().contains( "cruid=" ) ) + { + it.remove(); + } + else + { + // Do nothing + } + } + + args_list += list; } else { ""

MITRE assigned CVE-2014-2581 to this issue:

http://www.openwall.com/lists/oss-security/2014/03/25/5

building for F21 http://koji.fedoraproject.org/koji/buildinfo?buildID=507178

I will give some time to test it, after that, we see and maybe update F20 and F19 ..., since in low security risk, no rush, and could be a good excuse to update smb4k.

smb4k-1.1.2-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

smb4k-1.1.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Should closed automatically?!
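
Review bot: in Smb4KSambaOptionsPage::slotAdditionalCIFSOptionsChanged() (smb4ksambaoptionspage.cpp, hunk @@ -740,5 +743,52 @@) the filtered list is written back with `list.join( " ," )`, which puts a space before each comma instead of rejoining on the "," the text was split on. Every remaining option except the last then carries a trailing space, and the mounter hunk later splits this same setting on ',' without trimming. Rejoining with "," would leave the user's other options unchanged. The empty `else { // Do nothing }` branches add length without information and could be dropped.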
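
Review bot: the cruid= stripping loop in smb4kmounter_p.cpp (hunk @@ -599,7 +599,24 @@) is a copy of the loop in Smb4KSambaOptionsPage::slotAdditionalCIFSOptionsChanged(), so the two checks can drift apart; one shared helper that takes the option string and returns the filtered QStringList would keep them identical. The hunk filters only Smb4KSettings::customCIFSOptions(), and the visible lines do not show whether args_list can receive user-supplied options from another source, which would need the same filter. The test `it.next().contains( "cruid=" )` is a case-sensitive substring match on untrimmed entries, so it also drops any entry that merely contains that text; that errs on the safe side but is worth a comment saying it is intended.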