CVE-2022-29869

NameCVE-2022-29869
Descriptioncifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-3009-1, DSA-5157-1
Debian Bugs1010818

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cifs-utils (PTS)stretch2:6.7-1vulnerable
stretch (security)2:6.7-1+deb9u1fixed
buster2:6.8-2vulnerable
buster (security)2:6.8-2+deb10u1fixed
bullseye2:6.11-3.1vulnerable
bullseye (security)2:6.11-3.1+deb11u1fixed
bookworm, sid2:6.14-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cifs-utilssourcestretch2:6.7-1+deb9u1DLA-3009-1
cifs-utilssourcebuster2:6.8-2+deb10u1DSA-5157-1
cifs-utilssourcebullseye2:6.11-3.1+deb11u1DSA-5157-1
cifs-utilssource(unstable)2:6.14-1.11010818

Notes

https://bugzilla.samba.org/show_bug.cgi?id=15026
https://github.com/piastry/cifs-utils/pull/7
https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 (cifs-utils-6.15)

Search for package or bug name: Reporting problems