*** Bug 15209 has been marked as a duplicate of this bug. ***
Inside filename_convert_dirfsp(). From Volker's private email:

----------------------------------------------------------------
Using strncmp a symlink to x->/aa/etc qualifies as in share /a, so a "get x/passwd" leads to a pretty unfortunate result.
--------------------------------------------------------------
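As an added illustration of the check Volker describes (example code written for this page, not Samba's filename_convert_dirfsp() and not the subdir_of() helper the 4.17 backport mentions): a bare strncmp() prefix test accepts /aa/etc/passwd as lying under share root /a, while requiring a path-component boundary after the prefix rejects it. The function names are mine, and both paths are assumed to be absolute, already normalised and without a trailing slash.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Buggy variant: a bare prefix comparison. "/aa/etc/passwd" starts with
 * the bytes "/a", so it passes as being inside share root "/a". */
bool in_share_prefix_only(const char *share_root, const char *target)
{
    return strncmp(share_root, target, strlen(share_root)) == 0;
}

/* Fixed variant: the prefix must end on a path-component boundary, i.e.
 * the target is either the share root itself or continues with '/'.
 * Assumes both strings are absolute, normalised paths without trailing '/'.
 * Hypothetical helper written for this example, not Samba's subdir_of(). */
bool in_share_boundary(const char *share_root, const char *target)
{
    size_t n = strlen(share_root);

    if (strncmp(share_root, target, n) != 0) {
        return false;
    }
    /* A share rooted at "/" contains every absolute path. */
    if (n == 1 && share_root[0] == '/') {
        return target[0] == '/';
    }
    return target[n] == '\0' || target[n] == '/';
}

int main(void)
{
    /* Constructed scenario from the comment: share root /a, symlink
     * x -> /aa/etc, client asks for x/passwd, which resolves to: */
    const char *share = "/a";
    const char *resolved = "/aa/etc/passwd";

    printf("prefix-only check: %s\n",
           in_share_prefix_only(share, resolved) ? "inside (wrong)" : "outside");
    printf("boundary check:    %s\n",
           in_share_boundary(share, resolved) ? "inside" : "outside (correct)");
    return 0;
}
```

The boundary test is only the lexical half of the fix: the string compared must be the fully resolved target of the symlink, otherwise the check is applied to the wrong path entirely, which is why the real patch also touches the openat-based path walking mentioned in the 4.17 backport notes.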
Created attachment 17566 [details] Volker's patch for master.
Comment on attachment 17566 [details] Volker's patch for master. Patch looks good to me. Thanks!
Fwiw, the patch still needs the "CVE-XXXX-YYY" prefix in the commit subject once we get a CVE number...
Created attachment 17575 [details] Patch with CVE number added
I'm not really 100% sure, but this might be a 7.4 according to https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:X/MI:X/MA:X&version=3.1
Created attachment 17576 [details] CVE advisory
I wonder if it is, assuming the impact is constrained by kernel permissions and any SELinux/AppArmor rules:

CVSS3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

(we don't normally fill in the rest, as those change over time)

That is, the impact is constrained (giving low for integrity and confidentiality). It would only be high if (and this is subjective) this causes a 'direct, serious loss to the targeted component'.

Regarding scope, only really odd things like VM -> Hypervisor or VM -> Hardware qualify, as I understand that metric, but the help text is quite unhelpful.

I don't know the bug in detail, so can someone describe the availability impact suggested in the previous vector?
The assumption is that once you can look at /etc and /proc even as non-privileged user, you have compromised the system because there are waaay too many attack vectors on Linux systems these days. That was the original reasoning behind story on the much-harder to exploit symlink race.
(In reply to Volker Lendecke from comment #10)

My view is that those secondary issues should be scored for each of them, not summed into the worst-case on this one.

More importantly we should also be consistent with the other issues, so I've done some research:

Bug 13979 / CVE-2021-43566 should have been scored as:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (4.2) (not 2.6 as in the advisory)

Bug 14911 / CVE-2021-44141 has:
CVSS:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (4.2)

The main symlink escape bug 16817 / CVE-2021-20316 has:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N (5.9)

I would disagree with the integrity high here, but if we followed, this bug would be:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N (7.1)

If we say integrity is low (given there are other controls), this bug would be:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)
Comment on attachment 17576 [details] CVE advisory Marking this as review- so we remember to fix the CVSS string (currently at 9.1 which isn't consistent)
Comment on attachment 17575 [details] Patch with CVE number added Also adding CI passed tag as discussed yesterday.
Created attachment 17578 [details] CVE-2022-3592 patch for master Reattaching patch with better name.
Created attachment 17579 [details] CVE-2022-3592 patch for 4.17

Currently running in private autobuild on sn-devel. Patch needed a few changes due to changes in master:
- subdir_of() is new in 4.17
- "lib: lib/util/fault.h requires _SAMBA_DEBUG_H for SMB_ASSERT()" is not needed
- minor context issues in the test and in "smbd: No empty path components in openat_pathref_dirfsp_nosymlink()"
Doing the CVE scoring dance I also come to a CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4).
Created attachment 17580 [details] CVE advisory v2 Updated advisory with version 4.17.1 added and updated score. Not sure if this is the score that we're going to settle on, Volker please check. :)
(In reply to Ralph Böhme from comment #16)
> Doing the CVE scoring dance I also come to a
> CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4).

My problem with the CVE calculator is that I have a hard time understanding what these things to click actually mean. My calculation also comes to different scores in the base and in the overall assessment, which I also don't understand. If both of you (Ralph and Andrew) agree this is different from my string, I am of course okay with that.
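To make the scoring arithmetic in comments 9, 11 and 16 reproducible, here is a small CVSS v3.1 base-score calculator. It is added for this page and is not code from the bug or from Samba; it implements the base-metric equations, weight tables and Roundup rule of the FIRST CVSS v3.1 specification, and the function names are mine. Temporal and environmental metrics are deliberately skipped, so the long NVD-calculator vector from comment 7 evaluates to its base score alone (9.1, the figure comment 12 says the advisory was carrying); the vectors discussed on this bug come out at 5.4, 7.1, 4.2 and 5.9, matching the numbers in comment 11.

```c
#include <stdio.h>
#include <string.h>

/* CVSS v3.1 Roundup (spec appendix A): smallest one-decimal value >= x,
 * done on integers so that e.g. 4.134218 reliably becomes 4.2. */
static double cvss_roundup(double x)
{
    long i = (long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0) {
        return i / 100000.0;
    }
    return (double)(i / 10000 + 1) / 10.0;
}

/* x^15 by repeated multiplication, so the example needs no libm. */
static double pow15(double x)
{
    double r = 1.0;
    for (int k = 0; k < 15; k++) {
        r *= x;
    }
    return r;
}

/* Weight for the C, I and A metrics; -1.0 marks an unknown value. */
static double cia_weight(char v)
{
    return v == 'H' ? 0.56 : v == 'L' ? 0.22 : v == 'N' ? 0.0 : -1.0;
}

/* Parse a v3.1 vector (with or without the "CVSS:3.1/" prefix) and return
 * its base score. Metrics other than the eight base ones are ignored;
 * a malformed or incomplete base vector yields -1.0. */
double cvss31_base(const char *vector)
{
    double av = -1, ac = -1, ui = -1, cw = -1, iw = -1, aw = -1;
    char pr = 0, scope = 0;
    const char *p = vector;

    if (strncmp(p, "CVSS:3.1/", 9) == 0) {
        p += 9;
    }
    while (*p != '\0') {
        const char *colon = strchr(p, ':');
        char name[4] = { 0 }, val;
        size_t nlen;

        if (colon == NULL || (nlen = (size_t)(colon - p)) < 1 || nlen > 3) {
            return -1.0;
        }
        memcpy(name, p, nlen);
        val = colon[1];
        if (val == '\0') {
            return -1.0;
        }
        if (strcmp(name, "AV") == 0) {
            av = val == 'N' ? 0.85 : val == 'A' ? 0.62 : val == 'L' ? 0.55 : val == 'P' ? 0.2 : -1;
        } else if (strcmp(name, "AC") == 0) {
            ac = val == 'L' ? 0.77 : val == 'H' ? 0.44 : -1;
        } else if (strcmp(name, "PR") == 0) {
            pr = val;                       /* weight resolved once Scope is known */
        } else if (strcmp(name, "UI") == 0) {
            ui = val == 'N' ? 0.85 : val == 'R' ? 0.62 : -1;
        } else if (strcmp(name, "S") == 0) {
            scope = val;
        } else if (strcmp(name, "C") == 0) {
            cw = cia_weight(val);
        } else if (strcmp(name, "I") == 0) {
            iw = cia_weight(val);
        } else if (strcmp(name, "A") == 0) {
            aw = cia_weight(val);
        } /* E, RL, RC, CR, MAV, ... do not affect the base score: skipped */
        p = colon + 2;
        if (*p == '/') {
            p++;
        } else if (*p != '\0') {
            return -1.0;
        }
    }
    /* Privileges Required is the one weight that depends on Scope. */
    double prw = pr == 'N' ? 0.85
               : pr == 'L' ? (scope == 'C' ? 0.68 : 0.62)
               : pr == 'H' ? (scope == 'C' ? 0.50 : 0.27) : -1;
    if (av < 0 || ac < 0 || prw < 0 || ui < 0 || cw < 0 || iw < 0 || aw < 0 ||
        (scope != 'U' && scope != 'C')) {
        return -1.0;
    }
    double iss = 1.0 - (1.0 - cw) * (1.0 - iw) * (1.0 - aw);
    double impact = scope == 'C' ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02)
                                 : 6.42 * iss;
    double expl = 8.22 * av * ac * prw * ui;
    if (impact <= 0.0) {
        return 0.0;
    }
    double sum = scope == 'C' ? 1.08 * (impact + expl) : impact + expl;
    return cvss_roundup(sum > 10.0 ? 10.0 : sum);
}

int main(void)
{
    const char *low  = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N";
    const char *high = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N";
    printf("%s -> %.1f\n", low, cvss31_base(low));    /* 5.4 */
    printf("%s -> %.1f\n", high, cvss31_base(high));  /* 7.1 */
    return 0;
}
```

The two results that differ in this thread (5.4 versus 7.1) come purely from the Integrity weight, 0.22 for Low against 0.56 for High; every other term in the impact and exploitability sub-scores is identical, which is why the choice Andrew raises in comment 11 is the whole disagreement.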
Comment on attachment 17579 [details] CVE-2022-3592 patch for 4.17 Private autobuild passed.
(In reply to Volker Lendecke from comment #18) Yeah, well, I guess whatever scoring we come up with will be wrong... that's the lesson I learned when doing the scoring for the fruit issue a while ago where folks from *@cert.org reviewed by scoring. :)
(In reply to Ralph Böhme from comment #20) s/by/my/
Created attachment 17581 [details] CVE advisory v3 4.17.1 is released today, so the security release will be 4.17.2. Updated the version number in the text.
Created attachment 17582 [details] CVE-2022-3592 patch for 4.17 Updated patch filename to 4.17.2. No other change.
Comment on attachment 17582 [details] CVE-2022-3592 patch for 4.17 Passed private autobuild on sn-devel.
Opening bug to vendors. Planned release date is the 25th of October. Sorry for the shorter than usual notice!
There seems to be an oversight in the advisory v3 (?):
> == CVE ID#: CVE-2021-43566
should probably be
> == CVE ID#: CVE-2022-3592
Created attachment 17584 [details] CVE advisory v4 Fixed CVE number. Thanks!
This bug was referenced in samba v4-17-stable (Release samba-4.17.2): 4fbcfb285a923b3d9dbcb4a7c891167628201067 4e3e3f9c4fe24b49c714b1b90f6bf0ba63bf85b0 ace0ebde325958995672bb3d476e072ba1358356 e96d28093ae1b7749a7d7c67133dbd12dc25290b
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public. If you wish to continue to be informed about any changes here please CC individually.
This bug was referenced in samba v4-17-test: 4fbcfb285a923b3d9dbcb4a7c891167628201067 4e3e3f9c4fe24b49c714b1b90f6bf0ba63bf85b0 ace0ebde325958995672bb3d476e072ba1358356 e96d28093ae1b7749a7d7c67133dbd12dc25290b
This bug was referenced in samba master: dc650bde6f97ea63d6105ead874b0249307db13b c770b7872daae21e5ead57374707d7ac334c8f69 fbc0feeca4061c4e1a2543b0a24c4333c1532587 d905dbddf8d2655e6c91752b750cbe9c15837ee5 d385058ce7c9914ea58613f65414e45f2f777481
Closing out bug report. Thanks!
This bug was referenced in samba v4-16-stable (Release samba-4.16.11): 843ec381de3f5ce3740679783d3b3637a7474648
This bug was referenced in samba v4-16-test: 843ec381de3f5ce3740679783d3b3637a7474648