FS#70521 - cifs-utils: broken as of 6.13-1 (upstream confirmed)

Attached to Project: Arch Linux
Opened by Alexander Koch (lynix) - Tuesday, 20 April 2021, 18:17 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 23 August 2021, 07:22 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

cifs.upcall has received a fix for CVE-2021-20208 that contains a regression, making it impossible to mount a CIFS share using Krb5:

cifs.upcall[78171]: switch_to_process_ns: setns() failed for cgroup
cifs.upcall[78171]: unable to switch to process namespace: Operation not permitted
cifs.upcall[78171]: Exit status 1
mount[78168]: mount error(126): Required key not available
systemd[1]: mnt-server01-share01.mount: Mount process exited, code=exited, status=32/n/a
systemd[1]: mnt-server01-share01.mount: Failed with result 'exit-code'.

Upstream developers have confirmed this: https://www.spinics.net/lists/linux-cifs/msg21550.html

They also provided two workarounds:

1) building with libcap instead of libcapng
2) patching out the call to trim_capabilities() in cifs.upcall.c

I'm currently fine having downgraded the package to 6.12 as I'm not affected by the container vulnerability.

Additional info:
* package version(s): 6.13-1
* upstream discussion: https://www.spinics.net/lists/linux-cifs/msg21549.html

Steps to reproduce:
* install cifs-utils-6.13-1
* try to mount a CIFS share using krb5 ticket
This task depends upon

Closed by  Tobias Powalowski (tpowa)
Monday, 23 August 2021, 07:22 GMT
Reason for closing:  Fixed
Additional comments about closing:  6.13-3
Comment by Alexander Koch (lynix) - Monday, 26 April 2021, 16:22 GMT
  • Field changed: Percent Complete (100% → 0%)
The workaround taken for cifs-utils 6.13-2 seems not to work for me.

Had to downgrade to 6.12-1 again.
Comment by mephinet (mephinet) - Monday, 26 April 2021, 20:40 GMT
I ran into the reported issue with 6.13-1, and I can confirm the re-open request: with 6.13-2, I still get the same error:

Apr 26 17:46:28 ... cifs.upcall[29647]: switch_to_process_ns: setns()
failed for cgroup
Apr 26 17:46:28 ... cifs.upcall[29647]: unable to switch to process
namespace: Operation not permitted
Apr 26 17:46:28 ... cifs.upcall[29647]: Exit status 1
Apr 26 17:46:28 ... kernel: CIFS: VFS: Verify user has a krb5 ticket and
keyutils is installed
Apr 26 17:46:28 ... kernel: CIFS: VFS: \\... Send error in SessSetup = -126
Apr 26 17:46:28 ... kernel: CIFS: VFS: cifs_mount failed w/return code =
-126

After reverting to 6.12-1, mounting is again possible.
Comment by Sergey Kvachonok (ravenexp) - Saturday, 17 July 2021, 14:00 GMT
I confirm that krb5 mounts are still broken when using cifs-utils 6.13-2.
Downgrading to 6.12-1 fixes the issue.
Comment by Alexander Koch (lynix) - Friday, 06 August 2021, 07:04 GMT
I find it interesting that this issue doesn't seem to bother anyone except us three.

I've tried to get in touch with upstream to ask about the 'proper solution' they had mentioned back in April but haven't heard anything back, yet.
Comment by Daniel Giuli (avN0) - Friday, 13 August 2021, 09:16 GMT
This bugged me for some time now.
+1 for Downgrade to 6.12-1
Comment by Alexander Koch (lynix) - Monday, 23 August 2021, 07:15 GMT
There is a patch available from upstream that seems to fix the issue:
https://github.com/piastry/cifs-utils/commit/7f9711dd902a239c499682015d708f73ec884af2

It will be included in the next release. In the meantime, could we add this patch for a 6.13-3? I've attached my proposal for an updated PKGBUILD.
   PKGBUILD (1.9 KiB)
   cifs-utils-6.13_fix-regressio... (13.7 KiB)

Loading...