The Samba-Bugzilla – Attachment 13350 Details for Bug 12885
CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share
Patch for 4.5 cherry-picked from master
bug12887-v45.patch (text/plain), 4.60 KB, created by Ralph Böhme on 2017-07-10 09:33:49 UTC
>From fcca2de9b4069a9b123451ee6f86994848988ea5 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Fri, 7 Jul 2017 12:57:57 +0200
>Subject: [PATCH 1/2] s3/smbd: let non_widelink_open() chdir() to directories
> directly
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>If the caller passes O_DIRECTORY we just try to chdir() to smb_fname
>directly, not to the parent directory.
>
>The security check in check_reduced_name() will continue to work, but
>this fixes the case of an open() for a previous version of a
>subdirectory that contains snapshots.
>
>Eg:
>
>[share]
>    path = /shares/test
>    vfs objects = shadow_copy2
>    shadow:snapdir = .snapshots
>    shadow:snapdirseverywhere = yes
>
>Directory tree with fake snapshots:
>
>$ tree -a /shares/test/
>/shares/test/
>├── dir
>│   ├── file
>│   └── .snapshots
>│       └── @GMT-2017.07.04-04.30.12
>│           └── file
>├── dir2
>│   └── file
>├── file
>├── .snapshots
>│   └── @GMT-2001.01.01-00.00.00
>│       ├── dir2
>│       │   └── file
>│       └── file
>└── testfsctl.dat
>
>./bin/smbclient -U slow%x //localhost/share -c 'ls @GMT-2017.07.04-04.30.12/dir/*'
>NT_STATUS_OBJECT_NAME_NOT_FOUND listing \@GMT-2017.07.04-04.30.12\dir\*
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit b886a9443d49f6e27fa3863d87c9e24d12e62874)
>--- > source3/smbd/open.c | 30 +++++++++++++++++++++++++----- > 1 file changed, 25 insertions(+), 5 deletions(-) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index c96bc9b..50fbcc6 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c
>@@ -537,12 +537,32 @@ static int non_widelink_open(struct connection_struct *conn, > char *oldwd = NULL; > char *parent_dir = NULL; > const char *final_component = NULL; >+ bool is_directory = false; >+ bool ok; > >- if (!parent_dirname(talloc_tos(), >- smb_fname->base_name, >- &parent_dir, >- &final_component)) { >- goto out; >+#ifdef O_DIRECTORY >+ if (flags & O_DIRECTORY) { >+ is_directory = true; >+ } >+#endif >+ >+ if (is_directory) { >+ parent_dir = talloc_strdup(talloc_tos(), smb_fname->base_name); >+ if (parent_dir == NULL) { >+ saved_errno = errno; >+ goto out; >+ } >+ >+ final_component = "."; >+ } else { >+ ok = parent_dirname(talloc_tos(), >+ smb_fname->base_name, >+ &parent_dir, >+ &final_component); >+ if (!ok) { >+ saved_errno = errno; >+ goto out; >+ } > } > > oldwd = vfs_GetWd(talloc_tos(), conn); >-- >2.9.4 > > >From 89be3851bd0c6d2d7e4d54ad2fe37dc4edcb6635 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Fri, 7 Jul 2017 13:12:19 +0200 >Subject: [PATCH 2/2] selftest: add a test for accessing previous version of > directories with snapdirseverywhere >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Ralph Böhme <slow@samba.org> >Autobuild-Date(master): Sat Jul 8 00:33:51 CEST 2017 on sn-devel-144 > >(cherry picked from commit cc9ba98c08665e0ed6927fd81fa43a7bb7842e45) >--- > source3/script/tests/test_shadow_copy.sh | 23 +++++++++++++++++++++++ > 1 file changed, 23 insertions(+) > >diff --git a/source3/script/tests/test_shadow_copy.sh b/source3/script/tests/test_shadow_copy.sh >index 783e7f32..eba873f 100755 >--- a/source3/script/tests/test_shadow_copy.sh >+++ b/source3/script/tests/test_shadow_copy.sh 
>@@ -221,6 +221,26 @@ test_fetch_snap_file() > -c "get ${SNAPSHOTS[$snapidx]}/$path $WORKDIR/foo" > } > >+# Test fetching a previous version of a file >+test_fetch_snap_dir() >+{ >+ local share >+ local path >+ local snapidx >+ >+ share=$1 >+ path=$2 >+ snapidx=$3 >+ >+ # This first command is not strictly needed, but it causes the snapshots to >+ # appear in a network trace which helps debugging... >+ $SMBCLIENT -U$USERNAME%$PASSWORD "//$SERVER/$share" -I $SERVER_IP \ >+ -c "allinfo $path" >+ >+ $SMBCLIENT -U$USERNAME%$PASSWORD "//$SERVER/$share" -I $SERVER_IP \ >+ -c "ls ${SNAPSHOTS[$snapidx]}/$path/*" >+} >+ > test_shadow_copy_fixed() > { > local share #share to contact >@@ -329,6 +349,9 @@ test_shadow_copy_everywhere() > test_fetch_snap_file $share "bar/lfoo" 3 || \ > failed=`expr $failed + 1` > >+ testit "list a previous version directory" \ >+ test_fetch_snap_dir $share "bar" 6 || \ >+ failed=`expr $failed + 1` > } > > test_shadow_copy_format() >-- >2.9.4 >
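Review bot: in the source3/smbd/open.c hunk (@@ -537), the new is_directory branch of non_widelink_open() does "saved_errno = errno;" after talloc_strdup() returns NULL, which relies on the allocator having left a meaningful errno; setting saved_errno = ENOMEM explicitly on that path would be more robust, and the new "saved_errno = errno;" on the parent_dirname() failure path has the same reliance. The branch also has no comment: a short note above "final_component = ".";" saying that the function now chdir()s into the target directory itself and opens "." there, and that check_reduced_name() still applies as the commit message states, would keep the security reasoning next to the code. Since is_directory is only set inside "#ifdef O_DIRECTORY", it is also worth stating in that comment that builds without O_DIRECTORY keep the old parent_dirname() path for directories.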
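Review bot: in the source3/script/tests/test_shadow_copy.sh hunk at @@ -221, the comment above test_fetch_snap_dir() still reads "# Test fetching a previous version of a file", copied from test_fetch_snap_file(), while the function lists a directory with "ls ${SNAPSHOTS[$snapidx]}/$path/*"; the comment should say it lists a previous version of a directory. The function's result is only the exit status of the final $SMBCLIENT call, and the status of the preceding "allinfo $path" call is discarded, so checking the listing output for an expected entry would tie the test more directly to the NT_STATUS_OBJECT_NAME_NOT_FOUND failure shown in the first commit message.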
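Review bot: in the test_shadow_copy_everywhere() hunk at @@ -329, the call "test_fetch_snap_dir $share "bar" 6" passes a bare snapshot index 6 next to the 3 used for "bar/lfoo" just above, with nothing saying which SNAPSHOTS entry that is or why it exercises the snapshot-in-subdirectory case this bug is about. A one-line comment naming the snapshot and the directory it lives under would make the test's intent checkable by a reader.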
Flags: jra: review+