samba: Security Advisory - CVE-2013-4475

Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS). http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4475 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2026-05-07 05:10:20 +00:00 · 2014-06-13 14:12:58 +08:00
parent 69e765c464
commit 18e196f16e
2 changed files with 103 additions and 0 deletions
@@ -0,0 +1,102 @@
+Upstream-Status: Backport
+
+From 928910f01f951657ea4629a6d573ac00646d16f8 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 31 Oct 2013 13:48:42 -0700
+Subject: [PATCH] Fix bug #10229 - No access check verification on stream
+ files.
+
+https://bugzilla.samba.org/show_bug.cgi?id=10229
+
+We need to check if the requested access mask
+could be used to open the underlying file (if
+it existed), as we're passing in zero for the
+access mask to the base filename.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/open.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 447de80..441b8cd 100644
+--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
+@@ -152,6 +152,48 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
+ }
+ 
+ /****************************************************************************
+ Ensure when opening a base file for a stream open that we have permissions
+ to do so given the access mask on the base file.
+****************************************************************************/
+
+static NTSTATUS check_base_file_access(struct connection_struct *conn,
+				struct smb_filename *smb_fname,
+				uint32_t access_mask)
+{
+	uint32_t access_granted = 0;
+	NTSTATUS status;
+
+	status = smbd_calculate_access_mask(conn, smb_fname,
+					false,
+					access_mask,
+					&access_mask);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("smbd_calculate_access_mask "
+			"on file %s returned %s\n",
+			smb_fname_str_dbg(smb_fname),
+			nt_errstr(status)));
+		return status;
+	}
+
+	if (access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) {
+		uint32_t dosattrs;
+		if (!CAN_WRITE(conn)) {
+			return NT_STATUS_ACCESS_DENIED;
+		}
+		dosattrs = dos_mode(conn, smb_fname);
+ 		if (IS_DOS_READONLY(dosattrs)) {
+			return NT_STATUS_ACCESS_DENIED;
+		}
+	}
+
+
+	return smbd_check_open_rights(conn,
+				smb_fname,
+				access_mask,
+				&access_granted);
+}
+
+/****************************************************************************
+  fd support routines - attempt to do a dos_open.
+ ****************************************************************************/
+ 
+@@ -3227,6 +3269,25 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
+ 		if (SMB_VFS_STAT(conn, smb_fname_base) == -1) {
+ 			DEBUG(10, ("Unable to stat stream: %s\n",
+ 				   smb_fname_str_dbg(smb_fname_base)));
+		} else {
+			/*
+			 * https://bugzilla.samba.org/show_bug.cgi?id=10229
+			 * We need to check if the requested access mask
+			 * could be used to open the underlying file (if
+			 * it existed), as we're passing in zero for the
+			 * access mask to the base filename.
+			 */
+			status = check_base_file_access(conn,
+							smb_fname_base,
+							access_mask);
+
+			if (!NT_STATUS_IS_OK(status)) {
+				DEBUG(10, ("Permission check "
+					"for base %s failed: "
+					"%s\n", smb_fname->base_name,
+					nt_errstr(status)));
+				goto fail;
+			}
+ 		}
+ 
+ 		/* Open the base file. */
+-- 
+1.8.4.1
+
@@ -34,6 +34,7 @@ SRC_URI += "\
    file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \
    file://samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch;patchdir=.. \
    file://samba-3.6.16-CVE-2013-4124.patch;patchdir=.. \
+    file://samba-3.6.19-CVE-2013-4475.patch;patchdir=.. \
 "
 SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be"
 SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de"