Fix CVE-2022-27239 and CVE-2022-29869

(cherry picked from commit 7eea3d2a39f9a4b662c6fd87bfc7729a717222cd)

0004-CVE-2022-27239.patch

@@ -0,0 +1,35 @@
+From 955fb147e97a6a74e1aaa65766de91e2c1479765 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jbe@improsec.com>
+Date: Thu, 17 Mar 2022 12:58:52 -0400
+Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
+ parsing
+
+Previous check was true whatever the length of the input string was,
+leading to a buffer overflow in the subsequent strcpy call.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
+
+Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+---
+ mount.cifs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 84274c9..3a6b449 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
+ 			if (!value || !*value) {
+ 				fprintf(stderr,
+ 					"target ip address argument missing\n");
+-			} else if (strnlen(value, MAX_ADDRESS_LEN) <=
++			} else if (strnlen(value, MAX_ADDRESS_LEN) <
+ 				MAX_ADDRESS_LEN) {
+-				strcpy(parsed_info->addrlist, value);
++				strlcpy(parsed_info->addrlist, value,
++					MAX_ADDRESS_LEN);
+ 				if (parsed_info->verboseflag)
+ 					fprintf(stderr,
+ 						"ip address %s override specified\n",
+--

0005-CVE-2022-29869.patch

@@ -0,0 +1,42 @@
+From 8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jbe@improsec.com>
+Date: Sat, 19 Mar 2022 13:41:15 -0400
+Subject: [PATCH] mount.cifs: fix verbose messages on option parsing
+
+When verbose logging is enabled, invalid credentials file lines may be
+dumped to stderr. This may lead to information disclosure in particular
+conditions when the credentials file given is sensitive and contains '='
+signs.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
+
+Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+---
+ mount.cifs.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 3a6b449..2278995 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -628,17 +628,13 @@ static int open_cred_file(char *file_name,
+ 				goto return_i;
+ 			break;
+ 		case CRED_DOM:
+-			if (parsed_info->verboseflag)
+-				fprintf(stderr, "domain=%s\n",
+-					temp_val);
+ 			strlcpy(parsed_info->domain, temp_val,
+ 				sizeof(parsed_info->domain));
+ 			break;
+ 		case CRED_UNPARSEABLE:
+ 			if (parsed_info->verboseflag)
+ 				fprintf(stderr, "Credential formatted "
+-					"incorrectly: %s\n",
+-					temp_val ? temp_val : "(null)");
++					"incorrectly\n");
+ 			break;
+ 		}
+ 	}
+--

cifs-utils.spec

@@ -1,6 +1,6 @@
 Name:           cifs-utils
 Version:        6.10
-Release:        4
+Release:        5
 Summary:        Utilities for doing and managing mounts of the Linux CIFS filesystem
 License:        GPLv3+
 URL:            http://linux-cifs.samba.org/cifs-utils/
@@ -10,6 +10,8 @@ Patch0:         0001-CVE-2020-14342-mount.cifs-fix-shell-command-injectio.patch
 Patch1:         0002-CVE-2021-20208.patch
 Patch2:         1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch
 Patch3:         1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch
+Patch4:		0004-CVE-2022-27239.patch
+Patch5:		0005-CVE-2022-29869.patch
 
 
 BuildRequires:  python3-docutils libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf
@@ -83,6 +85,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir}
 %{_mandir}/man8/*
 
 %changelog
+* Thu May 5 2022 yanglongkang <yanglongkang@h-partners.com> - 6.10-5
+- Fix CVE-2022-27239 and CVE-2022-29869
+
 * Tue Nov 23 2021 konglidong <konglidong@uniontech.com> - 6.10-4
 - sync patch from Upstream　for fix capng apply for libcap-ng-0.8.1