From cb3fa089ea0cc9bca856453839f11fa5d773ee80 Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Thu, 28 Apr 2022 15:30:46 +0200
Subject: [PATCH 1/2] cifs-utils: patch buffer-overflow in ip param handling

https://www.openwall.com/lists/oss-security/2022/04/27/5
https://bugzilla.suse.com/show_bug.cgi?id=1197216
https://github.com/piastry/cifs-utils/pull/7

Fixes: CVE-2022-27239
---
 pkgs/os-specific/linux/cifs-utils/default.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkgs/os-specific/linux/cifs-utils/default.nix b/pkgs/os-specific/linux/cifs-utils/default.nix
index d6dcf702110..e7a4a7f1de5 100644
--- a/pkgs/os-specific/linux/cifs-utils/default.nix
+++ b/pkgs/os-specific/linux/cifs-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, autoreconfHook, docutils, pkg-config
+{ stdenv, lib, fetchurl, fetchpatch, autoreconfHook, docutils, pkg-config
 , libkrb5, keyutils, pam, talloc, python3 }:
 
 stdenv.mkDerivation rec {
@@ -10,6 +10,16 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-ZgnoB0tUISlf8BKjHwLM2aBYQVxhnIE2Lrt4jb8HVrg=";
   };
 
+  patches = [
+    (fetchpatch {
+      # Fix buffer-overflow in handling of ip= parameter in mount.cifs
+      # https://www.openwall.com/lists/oss-security/2022/04/27/5
+      name = "CVE-2022-27239.patch";
+      url = "https://github.com/piastry/cifs-utils/commit/007c07fd91b6d42f8bd45187cf78ebb06801139d.patch";
+      sha256 = "sha256-3uoHso2q17r2bcEW+ZjYUWsW4OIGYA7kxYZxQQy0JOg=";
+    })
+  ];
+
   nativeBuildInputs = [ autoreconfHook docutils pkg-config ];
 
   buildInputs = [ libkrb5 keyutils pam talloc python3 ];

From e121ca2c8f2caec2c02d1983a16374db1920f663 Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Thu, 28 Apr 2022 15:37:14 +0200
Subject: [PATCH 2/2] cifs-utils: fix information disclosure in logger

https://github.com/piastry/cifs-utils/commit/8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379

Fixes: CVE-2022-29869
---
 pkgs/os-specific/linux/cifs-utils/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkgs/os-specific/linux/cifs-utils/default.nix b/pkgs/os-specific/linux/cifs-utils/default.nix
index e7a4a7f1de5..e4635a915ef 100644
--- a/pkgs/os-specific/linux/cifs-utils/default.nix
+++ b/pkgs/os-specific/linux/cifs-utils/default.nix
@@ -18,6 +18,12 @@ stdenv.mkDerivation rec {
       url = "https://github.com/piastry/cifs-utils/commit/007c07fd91b6d42f8bd45187cf78ebb06801139d.patch";
       sha256 = "sha256-3uoHso2q17r2bcEW+ZjYUWsW4OIGYA7kxYZxQQy0JOg=";
     })
+    (fetchpatch {
+      # Fix disclosure of invalid credential configuration in verbose mode
+      name = "CVE-2022-29869.patch";
+      url = "https://github.com/piastry/cifs-utils/commit/8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379.patch";
+      sha256 = "sha256-MjfreeL1ME550EYK9LPOUAAjIk1BoMGfb+pQe3A1bz8=";
+    })
   ];
 
   nativeBuildInputs = [ autoreconfHook docutils pkg-config ];