Cannot access anything under a subdirectory if symlinks are disallowed

Bug #1675698 reported by David Macek on 2017-03-24
42
This bug affects 8 people
Affects Status Importance Assigned to Milestone
samba
Unknown
Unknown
samba (Debian)
Fix Released
Unknown
samba (Ubuntu)
Undecided
Unassigned
Precise
High
Marc Deslauriers
Trusty
High
Marc Deslauriers
Xenial
High
Marc Deslauriers
Yakkety
High
Marc Deslauriers
Zesty
Undecided
Unassigned

Bug Description

After upgrading to 4.3.11+dfsg-0ubuntu0.14.04.6, some of my shares broke in a curious way. The affected shares have `follow symlinks = no`; the ones with `follow symlinks = yes` aren't affected AFAICT. Allowing symlinks on one of the affected shares mitigates the issue for that share.

The issue is that access to anything under a direct subdirectory of the share doesn't work. I can create a directory in `\\srv\share`, e.g. `\\srv\share\foo`, but I can't create any files or directories inside it, e.g. creating `\\srv\share\foo\bar` ends up with error 50 (The request is not supported). Attempts to access existing files or directories at this level produce error 59 (An unexpected network error occured).

The log at level 2 says:

```
../source3/smbd/vfs.c:1298(check_reduced_name)
  check_reduced_name: Bad access attempt: branches is a symlink to foo/bar

```

... or:

```
../source3/smbd/vfs.c:1298(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink to foo
```

CVE References

David Macek (david-macek-0) wrote :

Among the clients I tested with are Windows 10 (current stable -- AU) and Windows Server 2012 R2.

Mathieu Vedie (mvedie) wrote :

I experienced same issue since this morning but i havent made any upgrade.

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue, I can reproduce it.

David Macek (david-macek-0) wrote :

The linked Debian bug doesn't mention that `follow symlinks` is the trigger. I don't have much time today to follow this further, but it would be great if someone else could coordinate with Debian maintainers so that they don't have to do redundant work.

Mikael Willberg (mig-j) wrote :

The same issue here, I just upgraded the samba to 2:4.3.11+dfsg-0ubuntu0.16.04.5, have "follow symlinks = no" and debug states the same issue that samba thinks folders are symlinks. So changing "follow symlinks = yes" will hide the issue not solve it.

Changed in samba (Ubuntu Precise):
status: New → Confirmed
Changed in samba (Ubuntu Trusty):
status: New → Confirmed
Changed in samba (Ubuntu Xenial):
status: New → Confirmed
Changed in samba (Ubuntu Yakkety):
status: New → Confirmed
Changed in samba (Ubuntu Precise):
importance: Undecided → High
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Trusty):
importance: Undecided → High
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Xenial):
importance: Undecided → High
Changed in samba (Ubuntu Yakkety):
importance: Undecided → High
Changed in samba (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Yakkety):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Zesty):
status: New → Confirmed
Changed in samba (Debian):
status: Unknown → Confirmed
kfmes (kfmes) wrote :

I have same issue, after package update . and changed option 'follow symlinks = no' .
but I will wait for bug fixed.

Heiko Lechner (no-spam-to-me) wrote :

Downgraded to 4.3.8 until a fix is offered

Jeremy Allison (jra-samba) wrote :

Fixes for this have been uploaded to:

https://bugzilla.samba.org/show_bug.cgi?id=12721

Marc Deslauriers (mdeslaur) wrote :

I have uploaded packages to the security team PPA that contain the patches from the Samba bug here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once they have been reviewed upstream, I'll put them through QA and will release them as a regression fix.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.4.5+dfsg-2ubuntu5.5

---------------
samba (2:4.4.5+dfsg-2ubuntu5.5) yakkety-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existant
      files and wildcards in source3/modules/vfs_shadow_copy2.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Mar 2017 07:31:03 -0400

Changed in samba (Ubuntu Yakkety):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.16.04.6

---------------
samba (2:4.3.11+dfsg-0ubuntu0.16.04.6) xenial-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existant
      files and wildcards in source3/modules/vfs_shadow_copy2.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Mar 2017 08:31:57 -0400

Changed in samba (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.6.25-0ubuntu0.12.04.10

---------------
samba (2:3.6.25-0ubuntu0.12.04.10) precise-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/bug12721-*.patch: add backported fixes from Samba bug
      #12721.
  * debian/patches/*: fix CVE number in patch filenames.

 -- Marc Deslauriers <email address hidden> Tue, 28 Mar 2017 09:43:30 -0400

Changed in samba (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.7

---------------
samba (2:4.3.11+dfsg-0ubuntu0.14.04.7) trusty-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existant
      files and wildcards in source3/modules/vfs_shadow_copy2.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Mar 2017 09:28:06 -0400

Changed in samba (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in samba (Ubuntu Zesty):
status: Confirmed → Invalid
Changed in samba (Debian):
status: Confirmed → Fix Committed
Changed in samba (Debian):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.