[Bug 1701073] Re: CVE-2017-2619 regression breaks symlinks

Fri, 30 Jun 2017 12:42:06 -0700 

Confirmed. The bug will happen wherever opening a symlink to a directory
with O_DIRECTORY||O_NOFOLLOW returns ENOTDIR instead of ELOOP (and you
have to be using protocol SMB2 or higher):

xenial:
andreas@nsn7:~$ mkdir -p /tmp/cve/a
andreas@nsn7:~$ ln -s /tmp/cve/a /tmp/cve/b
andreas@nsn7:~$ python -c 'import os; os.open("/tmp/cve/b", 
os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 40] Too many levels of symbolic links: '/tmp/cve/b'
andreas@nsn7:~$ 

Same thing on artful:
root@15-89:~# mkdir -p /tmp/cve/a
root@15-89:~# ln -s /tmp/cve/a /tmp/cve/b
root@15-89:~# python -c 'import os; os.open("/tmp/cve/b", 
os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 20] Not a directory: '/tmp/cve/b'
root@15-89:~# 


Samba is only checking for ELOOP, which means the ENOTDIR error surfaces:
(my [cve] share points at /cve)
root@15-89:~# ls -la /cve
total 12
drwxr-xr-x  3 root root 4096 Jun 30 19:20 .
drwxr-xr-x 24 root root 4096 Jun 30 19:20 ..
drwxr-xr-x  2 root root 4096 Jun 30 19:20 a
lrwxrwxrwx  1 root root    1 Jun 30 19:20 b -> a
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB2 -c "ls /b/"
WARNING: The "syslog" option is deprecated
Domain=[ARTFUL] OS=[] Server=[]
NT_STATUS_NOT_A_DIRECTORY listing \b\
root@15-89:~# 


When using SMB1 (which is the default, so you get the same without specifying 
-m):
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB -c "ls /b/"
WARNING: Ignoring invalid value 'SMB' for parameter 'client max protocol'
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Ubuntu]
  b                                   D        0  Fri Jun 30 19:20:37 2017

                30831504 blocks of size 1024. 23550704 blocks available

On my xenial LXD samba container, it works all the time, and my host is
xenial too, so it's the right kernel. I'll double check with a VM,
though.

** Changed in: samba (Ubuntu)
       Status: New => In Progress

** Changed in: samba (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Summary changed:

- CVE-2017-2619 regression breaks symlinks
+ CVE-2017-2619 regression breaks symlinks to directories

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1701073

Title:
  CVE-2017-2619 regression breaks symlinks to directories

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1701073/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to