The Samba-Bugzilla – Attachment 18021 Details for Bug 15439
[SECURITY] CVE-2023-4091: Client can truncate file with read-only permissions
Advisory v1
advisory-CVE-2023-4091.txt (text/plain), 2.29 KB, created by Ralph Böhme on 2023-08-03 09:39:23 UTC
TODO: VERSION

===========================================================
== Subject:     SMB clients can truncate files with
==              read-only permissions
==
== CVE ID#:     CVE-2023-4091
==
== Versions:    All Samba versions
==
== Summary:     SMB client can truncate files to 0 bytes
==              by opening files with OVERWRITE disposition
==              when using the acl_xattr Samba VFS module
==              with the smb.conf setting
==              "acl_xattr:ignore system acls = yes"
===========================================================

===========
Description
===========

SMB allows opening files for read-only and truncating the
opened files by specifying an OVERWRITE create
disposition. This operation requires write access to the
file, but Samba incorrectly checks the requested read-only
permission on the file's ACL, instead of the required
read/write permission.

When opening the system file handle, Samba internally opens
the file in read/write mode as that is required by POSIX
when passing O_TRUNC. Therefore, most default Samba configurations
are not affected by this security vulnerability.

Affected Samba configurations are ones where somehow kernel
file-system permission checks are bypassed, relying on
Samba's own permission enforcement.

The widely used Samba VFS module "acl_xattr" when configured
with the module configuration parameter "acl_xattr:ignore
system acls = yes" is the only upstream Samba module that
allows this behavior and is affected by this vulnerability.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by $REPORTER.

Patches provided by Ralph Böhme of SerNet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Flags: jra: review-