debcrafters-packages team mailing list archive
Message #01977
[Bug 2112614] Re: Regression: After CVE-2025-2312 cifs.upcall can't find credential caches from user env
Hi everyone,
The PPA now has test packages based on the above debdiffs with the upstreamed
fixes, and not the patch I was previously using / submitted.
I am going to need tomorrow to test this before I talk to the Security Team
to get this sponsored.
If you would like to help, you can install cifs-utils from the ppa and
test.
Please note this package is NOT SUPPORTED by Canonical, and is for TESTING
PURPOSES ONLY. ONLY Install in a dedicated test environment.
Instructions to Install (On a focal, jammy, noble, oracular, plucky system):
1) sudo add-apt-repository ppa:mruffell/sf407276-regression-test
2) sudo apt update
3) sudo apt install cifs-utils
4) sudo apt-cache policy cifs-utils | grep Installed
Check for +sf407276v20250611b2
I'll try my best to get this fix rolled out by the end of the week, but if we
get too close to the weekend we will likely have to delay till Monday.
Thanks,
Matthew
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2112614
Title:
Regression: After CVE-2025-2312 cifs.upcall can't find credential
caches from user env
Status in cifs-utils package in Ubuntu:
In Progress
Status in cifs-utils source package in Focal:
In Progress
Status in cifs-utils source package in Jammy:
In Progress
Status in cifs-utils source package in Noble:
In Progress
Status in cifs-utils source package in Oracular:
In Progress
Status in cifs-utils source package in Plucky:
In Progress
Status in cifs-utils source package in Questing:
In Progress
Bug description:
[Impact]
Unfortunately, the release of CVE-2025-2312 caused a minor regression for some
users of cifs-utils, particularly those with AD users mounting shares from
non-standard UID numbers that aren't the default 0 or 1000.
Trying to mount a share with credentials in environment variables like
$KRB5CCNAME gets messages like:
$ echo $KRB5CCNAME
/tmp/krb5cc_11200
$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
Affected packages:
questing: 2:7.3-1
plucky: 2:7.2-2
oracular: 2:7.0-2.1ubuntu0.1
noble: 2:7.0-2ubuntu0.1
jammy: 2:6.14-1ubuntu0.2
focal: 2:6.9-1ubuntu0.3
We changed debian/patches/CVE-2025-2312-1.patch:
@@ -1384,7 +1423,7 @@
* look at the environ file.
*/
env_cachename =
- get_cachename_from_process_env(env_probe ? arg->pid : 0);
+ get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
rc = setuid(uid);
if (rc == -1) {
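Review bot: the new condition in this hunk only probes the mounting process's environment when arg->upcall_target == UPTARGET_APP, so a kernel that never sends an upcall target (UPTARGET_UNSPECIFIED, the unpatched-kernel case) now passes pid 0 to get_cachename_from_process_env() and KRB5CCNAME is never read; that is exactly the failure in the [Impact] section. The check should also accept UPTARGET_UNSPECIFIED, and since the ternary is getting long it would read better hoisted into a named variable, e.g. `bool probe_env = env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED);` followed by `env_cachename = get_cachename_from_process_env(probe_env ? arg->pid : 0);`.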
Unfortunately, we missed the UPTARGET_UNSPECIFIED option.
The fix should have been:
+ get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED)) ? arg->pid : 0);
This affects users who use the non-patched kernels.
I'm broken, please get me a fix / Workarounds:
1) You can install the test packages in the [Testcase] section.
or
2) You can enable -proposed and install any of the 5.4.0-218-generic, 5.15.0-142-generic, 6.8.0-62-generic or 6.11.0-28-generic kernels.
or
3) You can edit the following files:
/etc/krb5.conf - Add this to [libdefaults]:
default_ccache_name = /tmp/krb5cc_%{uid}
/etc/sssd/sssd.conf - Add this to [domain]
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%{uid}
Ideally restart sssd so sssd-pam can find the kerberos credential cache again.
sudo systemctl restart sssd
[Testcase]
Follow the entire testcase of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
first.
$ kinit administrator
Password for administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 36 days on Sat Jul 12 01:54:39 2025
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
06/05/25 21:44:07 06/06/25 07:44:07 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 06/06/25 21:44:04
$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
06/05/25 21:44:07 06/06/25 07:44:07 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 06/06/25 21:44:04
$ export KRB5CCNAME=/tmp/krb5cc_11200
$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[5177]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x142c
cifs.upcall[5178]: ver=2
cifs.upcall[5178]: host=samba-dc.example.com
cifs.upcall[5178]: ip=192.168.122.248
cifs.upcall[5178]: sec=1
cifs.upcall[5178]: uid=0
cifs.upcall[5178]: creduid=1000
cifs.upcall[5178]: user=root
cifs.upcall[5178]: pid=5164
cifs.upcall[5177]: upcall_target=app, switching namespaces to application thread
cifs.upcall[5177]: get_cachename_from_process_env: pid == 0
cifs.upcall[5177]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[5177]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
cifs.upcall[5177]: get_tgt_time: unable to get principal
cifs.upcall[5177]: main: valid TGT is not present in credential cache
cifs.upcall[5177]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[5177]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[5177]: handle_krb5_mech: using GSS-API
cifs.upcall[5177]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[5177]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
cifs.upcall[5177]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[5177]: Unable to obtain service ticket
cifs.upcall[5177]: Exit status 458752
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS: VFS: cifs_mount failed w/return code = -126
If you install the test packages in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression-test
Please note this package is NOT SUPPORTED by Canonical, and is for TESTING
PURPOSES ONLY. ONLY Install in a dedicated test environment.
Instructions to Install (On a focal, jammy, noble, oracular, plucky system):
1) sudo add-apt-repository ppa:mruffell/sf407276-regression-test
2) sudo apt update
3) sudo apt install cifs-utils
4) sudo apt-cache policy cifs-utils | grep Installed
Check for +sf407276v20250531b1
The share mounts normally as expected.
[Where problems can occur]
This is a part of the fix of CVE-2025-2312, and we need to make sure that we
again test the following scenarios:
* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils
This time, we really need to spend a bit more time on the unpatched kernel
scenario, because clearly I wasn't thorough enough.
If a regression were to occur, it could affect mounting of cifs / smb shares and
users would not be able to access their data.
Due to the nature of this bug, there is no secret leakage from
CVE-2025-2312.
[Other info]
This regression was caused in:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917
I have asked cifs-utils maintainers to land the following change in upstream
cifs-utils as soon as possible:
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 678b140..e23a887 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -1573,7 +1573,7 @@ int main(const int argc, char *const argv[])
* look at the environ file.
*/
env_cachename =
- get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
+ get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED)) ? arg->pid : 0);
rc = setuid(uid);
if (rc == -1) {
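Review bot: the hunk does not document why UPTARGET_UNSPECIFIED is now treated like UPTARGET_APP, so a later reader could "tighten" the check back to UPTARGET_APP alone and reintroduce this regression. Suggest extending the comment above env_cachename to state that UPTARGET_UNSPECIFIED means the kernel sent no upcall target (kernels without the CVE-2025-2312 change) and that the mounting process's environment must still be probed for KRB5CCNAME in that case, and hoisting the condition into a named variable so the two accepted targets are visible at a glance, e.g. `bool probe_env = env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED);`.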
Once this lands and we have provenance for the fix, I will make new packages
and get the Security Team to sponsor immediately.
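As an added example (not cifs-utils code and not part of this bug report), the following Python model replays the credential-cache decision discussed in [Impact] and [Other info]: it parses a key description in the format shown in the journal output, applies the pre-fix and post-fix versions of the upcall_target check, and shows why an unpatched kernel ends up at the default FILE:/tmp/krb5cc_1000 cache instead of the KRB5CCNAME cache. The `upcall_target=` token name, the per-pid environment table and the default-cache template are assumptions made for the model.

```python
"""Model of cifs.upcall's env-probe decision around CVE-2025-2312 (added example)."""

# Upcall targets as the model names them; the kernel sends no target on
# kernels without the CVE-2025-2312 change, which the model treats as "unspecified".
UPTARGET_UNSPECIFIED = "unspecified"
UPTARGET_APP = "app"


def parse_key_description(desc: str) -> dict:
    """Parse 'cifs.spnego;0;0;39010000;ver=0x2;host=...;pid=0x142c' into a dict.
    Positional tokens (type, uid, gid, perms) are skipped; 0x values are decoded."""
    fields = {}
    for tok in desc.split(";"):
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        fields[key] = int(val, 16) if val.startswith("0x") else val
    return fields


def env_probe_pid(fields: dict, env_probe: bool, fixed: bool) -> int:
    """Return the pid whose environment is read, or 0 to skip the probe.
    Mirrors the ternary in cifs.upcall.c: before the fix only UPTARGET_APP probed,
    the fix also accepts UPTARGET_UNSPECIFIED (no upcall_target token sent)."""
    target = fields.get("upcall_target", UPTARGET_UNSPECIFIED)  # assumed token name
    allowed = {UPTARGET_APP, UPTARGET_UNSPECIFIED} if fixed else {UPTARGET_APP}
    return fields["pid"] if env_probe and target in allowed else 0


def resolve_ccache(desc: str, environ_by_pid: dict, fixed: bool,
                   env_probe: bool = True, template: str = "/tmp/krb5cc_{uid}") -> str:
    """Cache the upcall would use: KRB5CCNAME from the probed pid, else the
    libkrb5 default for creduid (template is an assumption standing in for krb5.conf)."""
    fields = parse_key_description(desc)
    pid = env_probe_pid(fields, env_probe, fixed)
    if pid:
        ccname = environ_by_pid.get(pid, {}).get("KRB5CCNAME")
        if ccname:
            return ccname
    return "FILE:" + template.format(uid=fields["creduid"])


# Constructed sample built from the journal output: creduid=0x3e8 (1000), pid=0x142c (5164).
UNPATCHED_KERNEL_DESC = ("cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;"
                         "ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x142c")
PATCHED_KERNEL_DESC = UNPATCHED_KERNEL_DESC + ";upcall_target=app"  # assumed token
MOUNT_ENV = {5164: {"KRB5CCNAME": "/tmp/krb5cc_11200"}}  # constructed environ of the mount

if __name__ == "__main__":
    for label, fixed in (("pre-fix", False), ("fixed", True)):
        print(label, "unpatched kernel ->", resolve_ccache(UNPATCHED_KERNEL_DESC, MOUNT_ENV, fixed))
```

With the pre-fix check the unpatched-kernel description yields FILE:/tmp/krb5cc_1000 (the cache that does not exist in the journal above), while the fixed check returns /tmp/krb5cc_11200.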