Gentoo Archives: gentoo-announce

From: Sam James <sam@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202009-16 ] LinuxCIFS: Shell injection
Date: Tue, 29 Sep 2020 18:18:51
Message-Id: 1F5F250D-0169-41CE-A4AC-9E95FF1CA8C8@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 202009-16
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: LinuxCIFS: Shell injection
9 Date: September 29, 2020
10 Bugs: #743211
11 ID: 202009-16
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability in LinuxCIFS may allow a remote code execution via a
19 command line option.
20
21 Background
22 ==========
23
24 The LinuxCIFS utils are a collection of tools for managing Linux CIFS
25 Client Filesystems.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 net-fs/cifs-utils < 6.11 >= 6.11
34
35 Description
36 ===========
37
38 The mount.cifs utility had a shell injection issue where one can embed
39 shell commands via the username mount option. Those commands will be
40 run via popen() in the context of the user calling mount.
41
42 Impact
43 ======
44
45 A remote attacker could entice a user to use a specially crafted
46 argument using mount.cifs, possibly resulting in execution of arbitrary
47 code with the privileges of the process or a Denial of Service
48 condition.
49
50 Workaround
51 ==========
52
53 There is no known workaround at this time.
54
55 Resolution
56 ==========
57
58 All LinuxCIFS users should upgrade to the latest version:
59
60 # emerge --sync
61 # emerge --ask --oneshot --verbose ">=net-fs/cifs-utils-6.11"
62
63 References
64 ==========
65
66 [ 1 ] CVE-2020-14342
67 https://nvd.nist.gov/vuln/detail/CVE-2020-14342
68
69 Availability
70 ============
71
72 This GLSA and any updates to it are available for viewing at
73 the Gentoo Security Website:
74
75 https://security.gentoo.org/glsa/202009-16
76
77 Concerns?
78 =========
79
80 Security is a primary focus of Gentoo Linux and ensuring the
81 confidentiality and security of our users' machines is of utmost
82 importance to us. Any security concerns should be addressed to
83 security@g.o or alternatively, you may file a bug at
84 https://bugs.gentoo.org.
85
86 License
87 =======
88
89 Copyright 2020 Gentoo Foundation, Inc; referenced text
90 belongs to its owner(s).
91
92 The contents of this document are licensed under the
93 Creative Commons - Attribution / Share Alike license.
94
95 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature