Bug 14842 - CVE-2021-20316 [SECURITY] Fileserver symlink metadata share escape.
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.14.7
Hardware: All All
Importance: P5 critical
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Depends on: 14846
Blocks: CVE-2021-43566
Reported: 2021-09-22 01:01 UTC by Jeremy Allison
Modified: 2022-12-16 12:07 UTC

Proposed CVE text. (4.19 KB, text/plain)
2021-09-24 21:27 UTC, Jeremy Allison
Slightly updated version with better English. (4.25 KB, text/plain)
2021-09-24 23:19 UTC, Jeremy Allison
slow: review+
npower: review+
jmcd: review+

Comment 11 Jeremy Allison 2021-10-21 15:57:18 UTC
Comment from Jim @ SuSE.

We're going to do like RH and mark earlier versions as unsafe with SMB1
(or in our oldest case, unix extensions/NFS), and update our latest two
releases (SLES12SP5 and SLES15SP3) to 4.15.
Comment 12 Jeremy Allison 2021-10-21 15:58:07 UTC
OK, as agreed upon, I'm now opening this bug up to Samba vendors.
Comment 13 Stefan Metzmacher 2021-10-25 14:56:02 UTC
(In reply to Jeremy Allison from comment #12)

Please make sure that https://bugzilla.samba.org/show_bug.cgi?id=14846
(and also possible other regressions) gets fixed before telling the world to upgrade to 4.15.
Comment 14 Jeremy Allison 2021-10-27 16:09:53 UTC
Release date for this has been set as January 10th 2022.
Comment 15 Matt McDonald 2021-10-27 16:16:31 UTC
(In reply to Jeremy Allison from comment #14)

Is January 10th, 2022 the same date the vulnerability will be publicly announced?
Comment 16 Jeremy Allison 2021-10-27 16:19:42 UTC
Yes, the plan is to announce on January 10th 2022. Let me know if this works for everyone please.
Comment 17 Arvid Requate 2022-01-05 17:32:09 UTC
Any news for samba-vendor?
Comment 18 Jeremy Allison 2022-01-05 18:09:27 UTC
January 10th will be the announcement date. What more for samba-vendor do you need?
Comment 19 Arvid Requate 2022-01-05 18:30:07 UTC
Usually there are patches available about two weeks ahead of the public release. But maybe I'm misunderstanding the term "announcement".
Comment 20 Jeremy Allison 2022-01-05 18:34:13 UTC
The "patch" for this is 4.15.0 and above. It was a 2-3 year rewrite to fix the VFS layer to make everything handle-based and remove any possibility of symlink escape.

There are only mitigations possible for releases below 4.15.
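
The handle-based lookup that comment 20 refers to, as an added C example that is not part of this bug thread and is not Samba's code: each path component is opened relative to its parent's descriptor with `O_NOFOLLOW`, and metadata is read from the resulting handle instead of from a second path lookup. The names `open_beneath` and `stat_beneath` are hypothetical, and Linux `O_PATH` is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk `rel` one component at a time from the already-open share root.
 * Each step is openat() on the parent handle with O_NOFOLLOW, so a symlink
 * swapped in mid-walk cannot redirect the lookup outside the share.
 * Returns an O_PATH handle for the final component, or -1 with errno set. */
int open_beneath(int rootfd, const char *rel)
{
    char buf[PATH_MAX], *save = NULL;
    if (rel[0] == '/' || strlen(rel) >= sizeof(buf)) { errno = EINVAL; return -1; }
    strcpy(buf, rel);
    int dirfd = dup(rootfd);
    for (char *c = strtok_r(buf, "/", &save); c && dirfd >= 0; ) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = -1;
        if (strcmp(c, "..") == 0)
            errno = EXDEV;  /* never climb above the share root */
        else  /* intermediate components must be real directories */
            fd = openat(dirfd, c, O_PATH | O_NOFOLLOW | O_CLOEXEC |
                        (next ? O_DIRECTORY : 0));
        int saved = errno;
        close(dirfd);
        errno = saved;
        dirfd = fd;
        c = next;
    }
    return dirfd;
}

/* Metadata comes from the handle (fstat), never from a second path lookup.
 * A symlink as the final component yields the link's own metadata. */
int stat_beneath(int rootfd, const char *rel, struct stat *st)
{
    int fd = open_beneath(rootfd, rel);
    if (fd < 0) return -1;
    int rc = fstat(fd, st);
    close(fd);
    return rc;
}
```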
Comment 21 Jule Anger 2022-01-10 15:03:02 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.  
If you wish to continue to be informed about any changes here please CC individually.