The Samba-Bugzilla – Attachment 18129 Details for
Bug 15439
[SECURITY] CVE-2023-4091: Client can truncate file with read-only permissions
[patch] Patch for master
Description: Patch for master
Filename: CVE-2023-4091-master.patch
MIME Type: text/plain
Creator: Ralph Böhme
Created: 2023-09-28 17:26:00 UTC
Size: 5.16 KB
Flags: patch, obsolete
>From bff3a637d9b261c8e04114fbd32060ac822f94d0 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Tue, 1 Aug 2023 13:04:36 +0200 >Subject: [PATCH 1/2] CVE-2023-4091: smbd: use open_access_mask for access > check in open_file() > >If the client requested FILE_OVERWRITE[_IF], we're implicitly adding >FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the >access check we're using access_mask which doesn't contain the additional >right, which means we can end up truncating a file for which the user has >only read-only access via an SD. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 > >Signed-off-by: Ralph Boehme <slow@samba.org> >--- > selftest/knownfail.d/samba3.smb2.acls | 1 - > source3/smbd/open.c | 4 ++-- > 2 files changed, 2 insertions(+), 3 deletions(-) > delete mode 100644 selftest/knownfail.d/samba3.smb2.acls > >diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls >deleted file mode 100644 >index 18df260c0e50..000000000000 >--- a/selftest/knownfail.d/samba3.smb2.acls >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index 87719eec06e6..93c12e00eb0d 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req, > dirfsp, > fsp, > false, >- access_mask); >+ open_access_mask); > > if (!NT_STATUS_IS_OK(status)) { > DBG_DEBUG("smbd_check_access_rights_fsp" >@@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req, > status = smbd_check_access_rights_fsp(dirfsp, > fsp, > false, >- access_mask); >+ open_access_mask); > > if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) && > posix_open && >-- >2.41.0 > > >From fa3ac41c89c6a327a62c7365ff5189b835c9d451 Mon Sep 17 00:00:00 2001 
>From: Ralph Boehme <slow@samba.org> >Date: Wed, 2 Aug 2023 14:14:31 +0200 >Subject: [PATCH 2/2] advisory-CVE-2023-4091.txt > >--- > advisory-CVE-2023-4091.txt | 89 ++++++++++++++++++++++++++++++++++++++ > 1 file changed, 89 insertions(+) > create mode 100644 advisory-CVE-2023-4091.txt > >diff --git a/advisory-CVE-2023-4091.txt b/advisory-CVE-2023-4091.txt >new file mode 100644 >index 000000000000..6b6f94d1d5ca >--- /dev/null >+++ b/advisory-CVE-2023-4091.txt 
>@@ -0,0 +1,89 @@ >+=========================================================== >+== Subject: SMB clients can truncate files with >+== read-only permissions >+== >+== CVE ID#: CVE-2023-4091 >+== >+== Versions: All Samba versions >+== >+== Summary: SMB client can truncate files to 0 bytes >+== by opening files with OVERWRITE disposition >+== when using the acl_xattr Samba VFS module >+== with the smb.conf setting >+== "acl_xattr:ignore system acls = yes" >+=========================================================== >+ >+=========== >+Description >+=========== >+ >+The SMB protocol allows opening files where the client >+requests read-only access, but then implicitly truncating >+the opened file if the client specifies a separate OVERWRITE >+create disposition. >+ >+This operation requires write access to the file, and in the >+default Samba configuration the operating system kernel will >+deny access to open a read-only file for read/write (which >+the truncate operation requires). >+ >+However, when Samba has been configured to ignore kernel >+file system permissions, Samba will truncate a file when the >+underlying operating system kernel would deny the operation. >+ >+Affected Samba configurations are the ones where kernel >+file-system permission checks are bypassed, relying on >+Samba's own permission enforcement. The error is that this >+check is done against the client request for read-only >+access, and not the implicitly requested read-write (for >+truncate) one. >+ >+The widely used Samba VFS module "acl_xattr" when configured >+with the module configuration parameter "acl_xattr:ignore >+system acls = yes" is the only upstream Samba module that >+allows this behavior and is the only known method of >+reproducing this security flaw. >+ >+If (as is the default) the module configuration parameter >+"acl_xattr:ignore system acls=no", then the Samba server is >+not vulnerable to this attack. 
>+ >+================== >+Patch Availability >+================== >+ >+Patches addressing both these issues have been posted to: >+ >+ https://www.samba.org/samba/security/ >+ >+Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have >+been issued as security releases to correct the defect. >+Samba administrators are advised to upgrade to these >+releases or apply the patch as soon as possible. >+ >+================== >+CVSSv3 calculation >+================== >+ >+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5) >+ >+========== >+Workaround >+========== >+ >+None. >+ >+======= >+Credits >+======= >+ >+Originally reported by Sri Nagasubramanian <snagasubramanian@nasuni.com> >+from Nasuni. >+ >+Patches provided by Ralph Böhme of SerNet and the Samba team. >+ >+========================================================== >+== Our Code, Our Bugs, Our Responsibility. >+== The Samba Team >+========================================================== >+ >-- >2.41.0 >
Flags: metze: review-; slow: ci-passed+