The Samba-Bugzilla – Attachment 13381 Details for Bug 12885: CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share
[patch] Patch for 4.4 cherry-picked from master, omitting test
bug12885-v44.patch (text/plain), 2.59 KB, created by Ralph Böhme on 2017-07-14 08:38:32 UTC
>From 47e44f311f1b8fa2763c0dc9e2a5635514faf69d Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Fri, 7 Jul 2017 12:57:57 +0200 >Subject: [PATCH] s3/smbd: let non_widelink_open() chdir() to directories > directly >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >If the caller passes O_DIRECTORY we just try to chdir() to smb_fname >directly, not to the parent directory. > >The security check in check_reduced_name() will continue to work, but >this fixes the case of an open() for a previous version of a >subdirectory that contains snapshopt. > >Eg: > >[share] > path = /shares/test > vfs objects = shadow_copy2 > shadow:snapdir = .snapshots > shadow:snapdirseverywhere = yes > >Directory tree with fake snapshots: > >$ tree -a /shares/test/ >/shares/test/ >âââ dir >â  âââ file >â  âââ .snapshots >â  âââ @GMT-2017.07.04-04.30.12 >â  âââ file >âââ dir2 >â  âââ file >âââ file >âââ .snapshots >â  âââ @GMT-2001.01.01-00.00.00 >â  âââ dir2 >â  â  âââ file >â  âââ file >âââ testfsctl.dat > >./bin/smbclient -U slow%x //localhost/share -c 'ls @GMT-2017.07.04-04.30.12/dir/*' >NT_STATUS_OBJECT_NAME_NOT_FOUND listing \@GMT-2017.07.04-04.30.12\dir\* > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit b886a9443d49f6e27fa3863d87c9e24d12e62874) >--- > source3/smbd/open.c | 30 +++++++++++++++++++++++++----- > 1 file changed, 25 insertions(+), 5 deletions(-) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index f19af87..5efb6f5 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c 
>@@ -527,12 +527,32 @@ static int non_widelink_open(struct connection_struct *conn, > char *oldwd = NULL; > char *parent_dir = NULL; > const char *final_component = NULL; >+ bool is_directory = false; >+ bool ok; > >- if (!parent_dirname(talloc_tos(), >- smb_fname->base_name, >- &parent_dir, >- &final_component)) { >- goto out; >+#ifdef O_DIRECTORY >+ if (flags & O_DIRECTORY) { >+ is_directory = true; >+ } >+#endif >+ >+ if (is_directory) { >+ parent_dir = talloc_strdup(talloc_tos(), smb_fname->base_name); >+ if (parent_dir == NULL) { >+ saved_errno = errno; >+ goto out; >+ } >+ >+ final_component = "."; >+ } else { >+ ok = parent_dirname(talloc_tos(), >+ smb_fname->base_name, >+ &parent_dir, >+ &final_component); >+ if (!ok) { >+ saved_errno = errno; >+ goto out; >+ } > } > > oldwd = vfs_GetWd(talloc_tos(), conn); >-- >2.9.4 >
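Review bot: In the new is_directory branch, the talloc_strdup() failure path does `saved_errno = errno`, which depends on errno having been set by the failed allocation; assigning ENOMEM explicitly there would make the error reported to the caller deterministic. The same question applies to the parent_dirname() failure path in the else branch, where nothing in this hunk shows errno being set when it returns false. It would also help to add a short comment above `final_component = ".";` saying that for O_DIRECTORY the function now changes into smb_fname->base_name itself and opens ".", because the commit message carries that reasoning (including that the check_reduced_name() security check still applies) but the code does not.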
Flags: slow: review? (metze)