As part of the Spotlight protocol, search results are returned as absolute server-side paths and the client has access to the information of the share root path. CVSS 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N To avoid disclosing this information we can return a fake share path of /SHARENAME.
Created attachment 17912 [details] Advisory v1
Comment on attachment 17912 [details] Advisory v1 Spelling mistakes: "abolute" -> "absolute" "abosolute" -> "absolute". A quick primer on why exposing absolute server paths is bad would also help in the "Description" section.
Created attachment 17918 [details] Advisory v2 Updated advisory with changes as requested.
Comment on attachment 17918 [details] Advisory v2 LGTM.
Created attachment 17921 [details] Patch for master
Comment on attachment 17921 [details] Patch for master In mdscli_get_path_done() you have: + /* Path is prefixed by /SHARENAME/, strip it */ + p = strchr(path + 1, '/'); + if (p == NULL) { + tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); + return; + } For paranoia sake, do you want to check that that path prefix actually *is* sharename ?
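Review bot: `strchr(path + 1, '/')` assumes `path` is non-empty and starts with '/': on an empty string the search begins one byte past the terminator, and on a path without a leading '/' the first character is silently skipped before searching. A check such as `if (path[0] != '/') { tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); return; }` ahead of the `strchr` would close both cases, in addition to verifying that the stripped prefix is actually the share name.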
(In reply to Jeremy Allison from comment #6) Hm, no, probably not, but your comment reminded me of the fact that the Mac SMB Spotlight server actually *does* return server-side paths, so this client lib change breaks compat with the Mac server. I guess I have to think a bit more about how to handle both cases correctly in the client... Ah, ok, we get the path prefix in the initial handshake (where Samba now returns a fake path and macOS returns the real path), so we can use that to strip it from the path of search results.
Created attachment 17932 [details] Patch for master
Created attachment 17933 [details] Advisory v3 The client tooling is changed to report share-relative paths as part of the patchset. Mention that in the CVE.
Created attachment 17936 [details] Patch for master Patch reviewed by metze.
Comment on attachment 17933 [details] Advisory v3 After saying: "will from now on report paths of search results as relative paths relative to the root of the SMB share." it would be good to give an example. e.g. [TESTSHARE] path "file/within/share" will be returned as "/TESTSHARE/file/within/share" or whatever scheme you used.
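The handshake-based stripping described in the reply above, together with the share-relative reporting of search results, as an added example in C that is not Samba's mdscli code: `share_relative_path` is a hypothetical helper, and the root and result strings it is fed are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative client-side handling of Spotlight search-result paths
 * (added example, not Samba's mdscli implementation). `root` is the
 * share root path announced in the initial handshake (Samba after the
 * fix: the fake "/SHARENAME"; macOS: the real server-side path). A
 * result is accepted only if it lies below that root; the returned
 * pointer is the share-relative remainder, or NULL on rejection.
 */
static const char *share_relative_path(const char *root, const char *result)
{
	size_t rootlen;

	if (root == NULL || result == NULL ||
	    root[0] != '/' || result[0] != '/') {
		return NULL;	/* both sides must be absolute paths */
	}
	rootlen = strlen(root);
	/* tolerate a root announced with trailing slashes ("/srv/share/") */
	while (rootlen > 1 && root[rootlen - 1] == '/') {
		rootlen--;
	}
	if (rootlen == 1) {
		rootlen = 0;	/* root is "/": every absolute path is below it */
	}
	if (strncmp(result, root, rootlen) != 0) {
		return NULL;	/* not under the announced root */
	}
	/* the match must end on a component boundary: root "/SHARE" must
	 * not accept "/SHARE2/x"; exactly "/SHARE" is the share root itself */
	if (result[rootlen] != '/' && result[rootlen] != '\0') {
		return NULL;
	}
	result += rootlen;
	while (*result == '/') {
		result++;	/* skip the separator(s) after the root */
	}
	return result;		/* "" when the result is the share root */
}

int main(void)
{
	/* constructed sample: the fake Samba root and one search hit */
	const char *rel = share_relative_path("/TESTSHARE",
					      "/TESTSHARE/file/within/share");
	printf("%s\n", rel != NULL ? rel : "(rejected)");
	return 0;
}
```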
Created attachment 17937 [details] Advisory v4 Better? Thanks!
Created attachment 17945 [details] Patch for 4.18
Created attachment 17946 [details] Patch for 4.17
Created attachment 17952 [details] Patch for 4.16
Comment on attachment 17937 [details] Advisory v4 Much better, thanks!
Proposed release date for this CVE is the 19th of July.
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public. If you wish to continue to be informed about any changes here please CC individually.
This bug was referenced in samba v4-16-stable (Release samba-4.16.11).
This bug was referenced in samba v4-17-stable (Release samba-4.17.10).
This bug was referenced in samba v4-18-stable (Release samba-4.18.5).
This bug was referenced in samba v4-16-test.
This bug was referenced in samba v4-17-test.
This bug was referenced in samba v4-18-test.
This bug was referenced in samba master.
Pushed to all branches. Closing out bug report. Thanks!
This bug was referenced in samba v4-19-test.
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc1).