[SCM] Samba Shared Repository - branch v4-13-stable updated

Jule Anger janger at samba.org
Mon Jan 10 12:29:21 UTC 2022


The branch, v4-13-stable has been updated
       via  27a1dfbce25 VERSION: Disable GIT_SNAPSHOT for the 4.13.16 release.
       via  2513ed0fe29 WHATSNEW: Add release notes for Samba 4.13.16.
       via  9c2e3c72c0c s3: smbd: Fix mkdir race condition allows share escape in Samba 4.13.X and below: CVE-2021-43566
       via  c3f170643bb VERSION: Bump version up to Samba 4.13.16...
      from  c02edb51e7f VERSION: Disable GIT_SNAPSHOT for the 4.13.15 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-stable


- Log -----------------------------------------------------------------
commit 27a1dfbce256b65a79b88b5fbc9b4701c05488f9
Author: Jule Anger <janger at samba.org>
Date:   Mon Jan 10 10:22:20 2022 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.13.16 release.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit 2513ed0fe296303f6ddde3ccef950a53cd802d83
Author: Jule Anger <janger at samba.org>
Date:   Mon Jan 10 10:21:47 2022 +0100

    WHATSNEW: Add release notes for Samba 4.13.16.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit 9c2e3c72c0cdde31a2a5c2e58ce508070ec151d0
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 21 17:38:27 2021 -0700

    s3: smbd: Fix mkdir race condition allows share escape in Samba 4.13.X and below: CVE-2021-43566
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13979
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION             |  2 +-
 WHATSNEW.txt        | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 source3/smbd/open.c | 43 +++++++++++++++++++++++++++++---
 3 files changed, 111 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 06b6f42b27a..b03fcb5e560 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=15
+SAMBA_VERSION_RELEASE=16
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 60b7c75f90b..b5699d7630e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,72 @@
+                   ===============================
+                   Release Notes for Samba 4.13.16
+                          January 10, 2022
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2021-43566:  mkdir race condition allows share escape in Samba 4.x.
+                   https://www.samba.org/samba/security/CVE-2021-43566.html
+
+
+=======
+Details
+=======
+
+o  CVE-2021-43566:
+   All versions of Samba prior to 4.13.16 are vulnerable to a malicious
+   client using an SMB1 or NFS symlink race to allow a directory to be
+   created in an area of the server file system not exported under the
+   share definition. Note that SMB1 has to be enabled, or the share
+   also available via NFS in order for this attack to succeed.
+
+   Clients that have write access to the exported part of the file system
+   under a share via SMB1 unix extensions or NFS can create symlinks that
+   can race the server by renaming an existing path and then replacing it
+   with a symlink. If the client wins the race it can cause the server to
+   create a directory under the new symlink target after the exported
+   share path check has been done. This new symlink target can point to
+   anywhere on the server file system. The authenticated user must have
+   permissions to create a directory under the target directory of the
+   symlink.
+
+   This is a difficult race to win, but theoretically possible. Note that
+   the proof of concept code supplied wins the race only when the server
+   is slowed down and put under heavy load. Exploitation of this bug has
+   not been seen in the wild.
+
+
+Changes since 4.13.15
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ===============================
                    Release Notes for Samba 4.13.15
                           December 15, 2021
@@ -70,8 +139,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ===============================
                    Release Notes for Samba 4.13.14
                            November 9, 2021
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index ef158657684..17163e9ddea 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -4255,6 +4255,8 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
 	uint32_t access_mask = SEC_DIR_ADD_SUBDIR;
 	int ret;
 	bool ok;
+	struct smb_filename *oldwd_fname = NULL;
+	struct smb_filename *smb_fname_rel = NULL;
 
 	SMB_ASSERT(*dirfsp == conn->cwd_fsp);
 
@@ -4267,7 +4269,7 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
 	ok = parent_smb_fname(talloc_tos(),
 			      smb_dname,
 			      &parent_dir_fname,
-			      NULL);
+			      &smb_fname_rel);
 	if (!ok) {
 		return NT_STATUS_NO_MEMORY;
 	}
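Review bot: the new out-parameter `&smb_fname_rel` makes mkdir_internal depend on parent_smb_fname returning the last path component relative to `parent_dir_fname`, and the mkdirat further down relies on exactly that relationship; a one-line comment at this call stating that `smb_fname_rel` is the name relative to the parent (and that it lives on talloc_tos() like `parent_dir_fname`) would make the later `SMB_VFS_MKDIRAT(conn, *dirfsp, smb_fname_rel, mode)` self-explanatory. The `NT_STATUS_NO_MEMORY` return here is still correct as a bare return because it happens before `vfs_GetWd` is taken, so there is no cwd to restore yet.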
@@ -4295,14 +4297,40 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
 		return status;
 	}
 
+	oldwd_fname = vfs_GetWd(talloc_tos(), conn);
+	if (oldwd_fname == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* Pin parent directory in place. */
+	if (vfs_ChDir(conn, parent_dir_fname) == -1) {
+		status = map_nt_error_from_unix(errno);
+		TALLOC_FREE(oldwd_fname);
+		return status;
+	}
+
+	/* Ensure the relative path is below the share. */
+	status = check_reduced_name(conn, parent_dir_fname, smb_fname_rel);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto need_chdir_err;
+	}
+
 	ret = SMB_VFS_MKDIRAT(conn,
 			      *dirfsp,
-			      smb_dname,
+			      smb_fname_rel,
 			      mode);
 	if (ret != 0) {
-		return map_nt_error_from_unix(errno);
+		status = map_nt_error_from_unix(errno);
+		goto need_chdir_err;
 	}
 
+	/* Return to share $cwd. */
+	ret = vfs_ChDir(conn, oldwd_fname);
+	if (ret == -1) {
+		smb_panic("unable to get back to old directory\n");
+	}
+	TALLOC_FREE(oldwd_fname);
+
 	/* Ensure we're checking for a symlink here.... */
 	/* We don't want to get caught by a symlink racer. */
 
@@ -4378,6 +4406,15 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
 		     smb_dname->base_name);
 
 	return NT_STATUS_OK;
+
+  need_chdir_err:
+
+	ret = vfs_ChDir(conn, oldwd_fname);
+	if (ret == -1) {
+		smb_panic("unable to get back to old directory\n");
+	}
+	TALLOC_FREE(oldwd_fname);
+	return status;
 }
 
 /****************************************************************************
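Review bot: the `need_chdir_err:` exit duplicates the restore sequence (`vfs_ChDir(conn, oldwd_fname)`, panic on -1, `TALLOC_FREE(oldwd_fname)`) that the success path already runs just before the symlink check; a small static helper used by both sites would keep the two copies from drifting. More importantly, the label's unconditional `vfs_ChDir(conn, oldwd_fname)` is only safe because both `goto need_chdir_err` sites are reached after `oldwd_fname` has been set; a comment at the label saying it must not be jumped to before `vfs_GetWd` succeeds would protect against a future early-error `goto` handing a NULL to `vfs_ChDir`.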


-- 
Samba Shared Repository


