Attachment 18129 Details for Bug 15439 – Patch for master

[patch] Patch for master

CVE-2023-4091-master.patch (text/plain), 5.16 KB, created by Ralph Böhme on 2023-09-28 17:26:00 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Ralph Böhme

Created: 2023-09-28 17:26:00 UTC

Size: 5.16 KB

patch

obsolete

>From bff3a637d9b261c8e04114fbd32060ac822f94d0 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Tue, 1 Aug 2023 13:04:36 +0200
>Subject: [PATCH 1/2] CVE-2023-4091: smbd: use open_access_mask for access
> check in open_file()
>
>If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
>FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
>access check we're using access_mask which doesn't contain the additional
>right, which means we can end up truncating a file for which the user has
>only read-only access via an SD.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>---
> selftest/knownfail.d/samba3.smb2.acls | 1 -
> source3/smbd/open.c                   | 4 ++--
> 2 files changed, 2 insertions(+), 3 deletions(-)
> delete mode 100644 selftest/knownfail.d/samba3.smb2.acls
>
>diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
>deleted file mode 100644
>index 18df260c0e50..000000000000
>--- a/selftest/knownfail.d/samba3.smb2.acls
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
>diff --git a/source3/smbd/open.c b/source3/smbd/open.c
>index 87719eec06e6..93c12e00eb0d 100644
>--- a/source3/smbd/open.c
>+++ b/source3/smbd/open.c
>@@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req,
> 						dirfsp,
> 						fsp,
> 						false,
>-						access_mask);
>+						open_access_mask);
> 
> 				if (!NT_STATUS_IS_OK(status)) {
> 					DBG_DEBUG("smbd_check_access_rights_fsp"
>@@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req,
> 			status = smbd_check_access_rights_fsp(dirfsp,
> 							      fsp,
> 							      false,
>-							      access_mask);
>+							      open_access_mask);
> 
> 			if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
> 			    posix_open &&
>-- 
>2.41.0
>
>
>From fa3ac41c89c6a327a62c7365ff5189b835c9d451 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Wed, 2 Aug 2023 14:14:31 +0200
>Subject: [PATCH 2/2] advisory-CVE-2023-4091.txt
>
>---
> advisory-CVE-2023-4091.txt | 89 ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 89 insertions(+)
> create mode 100644 advisory-CVE-2023-4091.txt
>
>diff --git a/advisory-CVE-2023-4091.txt b/advisory-CVE-2023-4091.txt
>new file mode 100644
>index 000000000000..6b6f94d1d5ca
>--- /dev/null
>+++ b/advisory-CVE-2023-4091.txt
>@@ -0,0 +1,89 @@
>+===========================================================
>+== Subject:     SMB clients can truncate files with
>+==              read-only permissions
>+==
>+== CVE ID#:     CVE-2023-4091
>+==
>+== Versions:    All Samba versions
>+==
>+== Summary:     SMB client can truncate files to 0 bytes
>+==              by opening files with OVERWRITE disposition
>+==              when using the acl_xattr Samba VFS module
>+==              with the smb.conf setting
>+==              "acl_xattr:ignore system acls = yes"
>+===========================================================
>+
>+===========
>+Description
>+===========
>+
>+The SMB protocol allows opening files where the client
>+requests read-only access, but then implicitly truncating
>+the opened file if the client specifies a separate OVERWRITE
>+create disposition.
>+
>+This operation requires write access to the file, and in the
>+default Samba configuration the operating system kernel will
>+deny access to open a read-only file for read/write (which
>+the truncate operation requires).
>+
>+However, when Samba has been configured to ignore kernel
>+file system permissions, Samba will truncate a file when the
>+underlying operating system kernel would deny the operation.
>+
>+Affected Samba configurations are the ones where kernel
>+file-system permission checks are bypassed, relying on
>+Samba's own permission enforcement.  The error is that this
>+check is done against the client request for read-only
>+access, and not the implicitly requested read-write (for
>+truncate) one.
>+
>+The widely used Samba VFS module "acl_xattr" when configured
>+with the module configuration parameter "acl_xattr:ignore
>+system acls = yes" is the only upstream Samba module that
>+allows this behavior and is the only known method of
>+reproducing this security flaw.
>+
>+If (as is the default) the module configuration parameter
>+"acl_xattr:ignore system acls=no", then the Samba server is
>+not vulnerable to this attack.
>+
>+==================
>+Patch Availability
>+==================
>+
>+Patches addressing both these issues have been posted to:
>+
>+    https://www.samba.org/samba/security/
>+
>+Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have
>+been issued as security releases to correct the defect.
>+Samba administrators are advised to upgrade to these
>+releases or apply the patch as soon as possible.
>+
>+==================
>+CVSSv3 calculation
>+==================
>+
>+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)
>+
>+==========
>+Workaround
>+==========
>+
>+None.
>+
>+=======
>+Credits
>+=======
>+
>+Originally reported by Sri Nagasubramanian <snagasubramanian@nasuni.com>
>+from Nasuni.
>+
>+Patches provided by Ralph BÃ¶hme of SerNet and the Samba team.
>+
>+==========================================================
>+== Our Code, Our Bugs, Our Responsibility.
>+== The Samba Team
>+==========================================================
>+
>-- 
>2.41.0
>

Flags:

metze: review-
slow: ci-passed+

Actions: View

Attachments on bug 15439: 18018 | 18021 | 18069 | 18070 | 18129 | 18130 | 18131 | 18132 | 18146 | 18149