RHBA-2013:0408 - Bug Fix Advisory

Topic

Updated cifs-utils packages that fix several bugs and add various enhancements
are now available for Red Hat Enterprise Linux 6.

Description

The SMB/CIFS protocol is a standard file sharing protocol widely deployed on
Microsoft Windows machines. This package contains tools for mounting shares on
Linux using the SMB/CIFS protocol. The tools in this package work in conjunction
with support in the kernel to allow one to mount a SMB/CIFS share onto a client
and use it as if it were a standard Linux file system.

This update fixes the following bugs:

• When the mount.cifs utility ran out of addresses to try, it returned the

"System error" error code (EX_SYSERR) to the caller service. The utility has
been modified and it now correctly returns the "Mount failure" error code
(EX_FAIL). (BZ#856729)

• Typically, "/" characters are not allowed in user names for Microsoft Windows

systems, but they are common in certain types of kerberos principal names.
However, mount.cifs previously allowed the use of "/" in user names, which
caused attempts to mount CIFS file systems to fail. With this package, "/"
characters are now allowed in user names if the "sec=krb5" or "sec=krb5i" mount
options are specified, thus CIFS file systems can now be mounted as expected.
(BZ#826825)

• Previously, the cifs-utils packages were compiled without the RELRO (read-only

relocations) and PIE (Position Independent Executables) flags. Programs provided
by this package could be vulnerable to various attacks based on overwriting the
ELF section of a program. The "-pie" and "-fpie" options enable the building of
position-independent executables, and the "-Wl","-z","relro" turns on read-only
relocation support in gcc. These options are important for security purposes to
guard against possible buffer overflows that lead to exploits. The cifs-utils
binaries are now built with PIE and full RELRO support. The cifs-utils binary is
now more secured against "return-to-text" and memory corruption attacks and also
against attacks based on the program's ELF section overwriting. (BZ#838606)

In addition, this update adds the following enhancements:

• With this update, the "strictcache", "actimeo", "cache=" and "rwpidforward"

mount options are now documented in the mount.cifs(8) manual page. (BZ#843596)

• The "getcifsacl", "setcifsacl" and "cifs.idmap" programs have been added to

the package. These utilities allow users to manipulate ACLs on CIFS shares and
allow the mapping of Windows security IDs to POSIX user and group IDs.
(BZ#843612)

• With this update, the cifs.idmap helper, which allows SID to UID and SID to

GID mapping, has been added to the package. Also, the manual page cifs.upcall(8)
has been updated and cifs.idmap(8) has been added. (BZ#843617)

Users of cifs-utils are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 838606 - enable PIE and RELRO in cifs-utils binaries

CVEs

(none)

References

(none)