[Bug 1069915] Re: unable to mount CIFS share with comma in password

Thorsten Tüllmann 1069915 at bugs.launchpad.net
Sat May 9 01:29:01 UTC 2015


Almost three years later I am not involved in Ubuntu any more. As I
still get emails from time to time, I figure this has not been fixed
yet. I involved the Ubuntu Security Team, as this obviously is an
information disclosure vulnerability.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1069915

Title:
  unable to mount CIFS share with comma in password

Status in cifs-utils package in Ubuntu:
  Confirmed

Bug description:
  Since the update to Quantal I am unable to mount CIFS shares with a
  comma in the password:

  root@lama ~ # PASSWD=",password" mount -t cifs //cifs.example.org target -o username=user,domain=dom,uid=4711,gid=12345
  mount error(22): Invalid argument
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
  32 root@lama ~ # dmesg | tail -1
  [17848.954253] CIFS: Unknown mount option "password"

  The same thing happens with a credential file and the password prompt.

  This looks like a parser regression:
  mount.cifs(8) explains:
             Note that a password which contains the delimiter character (i.e. a
             comma ´,´) will fail to be parsed correctly on the command line.
             However, the same password defined in the PASSWD environment
             variable or via a credentials file (see below) or entered at the
             password prompt will be read correctly.

  This is pretty evil, as it exposes parts of the password through
  dmesg.

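The failure mode in the bug description, as an added example that is not part of the original message and is not cifs-utils or kernel code: a toy comma-delimited option parser that reports the tail of an unescaped password as an unknown option, next to the same input with commas escaped. The key list, the function names and the doubled-comma (`,,`) escape convention are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Option keys this toy parser accepts (simplified, not the kernel's table). */
static const char *KNOWN[] = {"username", "domain", "uid", "gid", "pass"};

/* Append ",pass=<pw>" to opts; when escape is set, write each ',' as ",,". */
static int build_opts(char *out, size_t n, const char *opts, const char *pw, int escape) {
    int len = snprintf(out, n, "%s,pass=", opts);
    if (len < 0 || (size_t)len >= n) return -1;
    size_t o = (size_t)len;
    for (; *pw; pw++) {
        if (o + 3 > n) return -1;            /* room for ",," plus NUL */
        if (*pw == ',' && escape) out[o++] = ',';
        out[o++] = *pw;
    }
    out[o] = '\0';
    return 0;
}

/* Split on single ','; ",," is a literal comma. Returns 1 and copies the first
 * unrecognised token (what a parser would log) into bad, or 0 if all parse. */
static int first_unknown(const char *opts, char *bad, size_t n) {
    char tok[256]; size_t t = 0;
    for (const char *p = opts; ; p++) {
        if (*p == ',' && p[1] == ',') { if (t < sizeof tok - 1) tok[t++] = ','; p++; continue; }
        if (*p != ',' && *p != '\0') { if (t < sizeof tok - 1) tok[t++] = *p; continue; }
        tok[t] = '\0';
        size_t klen = strcspn(tok, "="), i, known = 0;
        for (i = 0; i < sizeof KNOWN / sizeof *KNOWN; i++)
            if (strlen(KNOWN[i]) == klen && !strncmp(tok, KNOWN[i], klen)) known = 1;
        if (t && !known) { snprintf(bad, n, "%s", tok); return 1; }
        if (*p == '\0') return 0;
        t = 0;
    }
}

int main(void) {
    const char *base = "username=user,domain=dom,uid=4711,gid=12345";
    char opts[512], bad[256];
    for (int esc = 0; esc <= 1; esc++) {
        if (build_opts(opts, sizeof opts, base, ",password", esc)) return 1;
        if (first_unknown(opts, bad, sizeof bad))
            printf("escape=%d: unknown option \"%s\" would be logged\n", esc, bad);
        else
            printf("escape=%d: all options parsed\n", esc);
    }
    return 0;
}
```

Whatever follows the first comma of an unescaped password ends up in the parser's error path, which is why a log line like the one quoted from dmesg discloses part of the secret.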