Access denied if the share path is "/"

Bug #1545750 reported by Dariusz Gadomski on 2016-02-15
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
samba
Unknown
Unknown
samba (Debian)
Fix Released
Unknown
samba (Ubuntu)
Medium
Marc Deslauriers
Precise
Medium
Marc Deslauriers
Trusty
Medium
Marc Deslauriers
Wily
Medium
Marc Deslauriers

Bug Description

[Impact]

 * User is denied access when trying to access a share "/"

[Test Case]

 * Setup a Samba server

 * Add a share with path "/"

 * Try to access the share

[Regression Potential]

 * This has been introduced upstream by security patch CVE-2015-5252.

 * It has been already fixed upstream.

 * This is just a backport of the fix.

[Other Info]

 * Original bug description:

The fix for bug #11395 / CVE-2015-5252
https://git.samba.org/?p=samba.git;a=commitdiff;h=7606c0db257b3f9d84da5b2bf5fbb4034cc8d77d
locked down the path checks in check_reduced_name[_with_privilege]() to prevent unintended access via wide links.

The new checks do not correctly treat a corner case though: the case of the share path being "/". (Important e.g. for using the glusterfs VFS module.)

In this case all operations after tree connect get ACCESS_DENIED.

CVE References

tags: added: sts
Dariusz Gadomski (dgadomski) wrote :

Debdiff for Xenial.

description: updated
Changed in samba (Ubuntu):
assignee: nobody → Dariusz Gadomski (dgadomski)
assignee: Dariusz Gadomski (dgadomski) → nobody
Dariusz Gadomski (dgadomski) wrote :

SRU proposal for Wily.

Dariusz Gadomski (dgadomski) wrote :

SRU proposal for Trusty.

Dariusz Gadomski (dgadomski) wrote :

SRU proposal for Precise.

Changed in samba (Ubuntu Precise):
status: New → Confirmed
Changed in samba (Ubuntu Trusty):
status: New → Confirmed
Changed in samba (Ubuntu Wily):
status: New → Confirmed
Changed in samba (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in samba (Ubuntu Precise):
importance: Undecided → Medium
Changed in samba (Ubuntu Trusty):
importance: Undecided → Medium
Changed in samba (Ubuntu Wily):
importance: Undecided → Medium
Changed in samba (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)

The attachment "xenial_samba_4.3.3+dfsg-1ubuntu2.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Changed in samba (Debian):
status: Unknown → New
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, I've uploaded them for building with the following small changes:

- Clean out cruft in trusty and wily patched
- wrapped changelog line to fix lintian warning
- fixed trusty package version number
- re-targeted to -security pocket.

I will publish these updates as a security regression fix once they have been tested. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.3+dfsg-1ubuntu2

---------------
samba (2:4.3.3+dfsg-1ubuntu2) xenial; urgency=medium

  * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
    (LP: #1545750)

 -- Dariusz Gadomski <email address hidden> Mon, 15 Feb 2016 16:05:12 +0100

Changed in samba (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.6.3-2ubuntu2.14

---------------
samba (2:3.6.3-2ubuntu2.14) precise-security; urgency=medium

  * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
    (LP: #1545750)

 -- Dariusz Gadomski <email address hidden> Mon, 15 Feb 2016 15:43:57 +0100

Changed in samba (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.1.6+dfsg-1ubuntu2.14.04.12

---------------
samba (2:4.1.6+dfsg-1ubuntu2.14.04.12) trusty-security; urgency=medium

  * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
    (LP: #1545750)

 -- Dariusz Gadomski <email address hidden> Mon, 15 Feb 2016 15:59:51 +0100

Changed in samba (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.1.17+dfsg-4ubuntu3.2

---------------
samba (2:4.1.17+dfsg-4ubuntu3.2) wily-security; urgency=medium

  * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
    (LP: #1545750)

 -- Dariusz Gadomski <email address hidden> Mon, 15 Feb 2016 16:10:40 +0100

Changed in samba (Ubuntu Wily):
status: Confirmed → Fix Released
Changed in samba (Debian):
status: New → Confirmed
Changed in samba (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.