Confirmed. The bug will happen wherever opening a symlink to a directory with O_DIRECTORY||O_NOFOLLOW returns ENOTDIR instead of ELOOP (and you have to be using protocol SMB2 or higher):

xenial:

andreas@nsn7:~$ mkdir -p /tmp/cve/a
andreas@nsn7:~$ ln -s /tmp/cve/a /tmp/cve/b
andreas@nsn7:~$ python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 40] Too many levels of symbolic links: '/tmp/cve/b'
andreas@nsn7:~$

Same thing on artful:

root@15-89:~# mkdir -p /tmp/cve/a
root@15-89:~# ln -s /tmp/cve/a /tmp/cve/b
root@15-89:~# python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 20] Not a directory: '/tmp/cve/b'
root@15-89:~#

Samba is only checking for ELOOP, which means the ENOTDIR error surfaces:

(my [cve] share points at /cve)

root@15-89:~# ls -la /cve
total 12
drwxr-xr-x  3 root root 4096 Jun 30 19:20 .
drwxr-xr-x 24 root root 4096 Jun 30 19:20 ..
drwxr-xr-x  2 root root 4096 Jun 30 19:20 a
lrwxrwxrwx  1 root root    1 Jun 30 19:20 b -> a

root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB2 -c "ls /b/"
WARNING: The "syslog" option is deprecated
Domain=[ARTFUL] OS=[] Server=[]
NT_STATUS_NOT_A_DIRECTORY listing \b\
root@15-89:~#

When using SMB1 (which is the default, so you get the same without specifying -m):

root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB -c "ls /b/"
WARNING: Ignoring invalid value 'SMB' for parameter 'client max protocol'
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Ubuntu]
  b                                   D        0  Fri Jun 30 19:20:37 2017

                30831504 blocks of size 1024. 23550704 blocks available

On my xenial LXD samba container, it works all the time, and my host is xenial too, so it's the right kernel. I'll double check with a VM, though.

** Changed in: samba (Ubuntu)
       Status: New => In Progress

** Changed in: samba (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Summary changed:

- CVE-2017-2619 regression breaks symlinks
+ CVE-2017-2619 regression breaks symlinks to directories

--
https://bugs.launchpad.net/bugs/1701073

Title:
  CVE-2017-2619 regression breaks symlinks to directories
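
The errno difference shown in the message above, handled in C. This is an added example, not Samba's code and not part of the original message: it treats both ELOOP and ENOTDIR as a possible symlink and confirms with fstatat() before deciding. The names probe_dir_nofollow, demo and enum probe are hypothetical, and the temp directory layout is constructed to mirror /tmp/cve.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum probe { PROBE_DIR, PROBE_SYMLINK, PROBE_OTHER };

/* Open name with O_DIRECTORY|O_NOFOLLOW. A symlink as the last component
 * fails with ELOOP or ENOTDIR depending on the kernel, so on either errno
 * confirm with fstatat(AT_SYMLINK_NOFOLLOW) instead of trusting errno alone. */
enum probe probe_dir_nofollow(int dirfd, const char *name, int *err_out)
{
    struct stat st;
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd >= 0) { close(fd); *err_out = 0; return PROBE_DIR; }
    *err_out = errno;
    if ((*err_out == ELOOP || *err_out == ENOTDIR) &&
        fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISLNK(st.st_mode))
        return PROBE_SYMLINK;
    return PROBE_OTHER;
}

/* Constructed sample: a temp dir holding directory "a", symlink "b" -> "a"
 * (the layout from the message) and a regular file "f"; probes one entry. */
enum probe demo(const char *name, int *err_out)
{
    char base[] = "/tmp/nofollow-demo-XXXXXX";
    enum probe r = PROBE_OTHER;
    int d, fd;
    *err_out = -1;
    if (!mkdtemp(base) || (d = open(base, O_RDONLY | O_DIRECTORY)) < 0) return r;
    if ((fd = openat(d, "f", O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);
    if (mkdirat(d, "a", 0700) == 0 && symlinkat("a", d, "b") == 0)
        r = probe_dir_nofollow(d, name, err_out);
    unlinkat(d, "b", 0); unlinkat(d, "f", 0); unlinkat(d, "a", AT_REMOVEDIR);
    close(d); rmdir(base);
    return r;
}

int main(void)
{
    int e;
    enum probe r = demo("b", &e);
    printf("b: result=%d errno=%d\n", (int)r, e);
    return 0;
}
```

A regular file also fails with ENOTDIR under O_DIRECTORY, which is why the errno alone cannot distinguish it from a symlink on the kernels that return ENOTDIR for both.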