[Bug 1701073] Re: CVE-2017-2619 regression breaks symlinks

Andreas Hasenack andreas at canonical.com
Fri Jun 30 19:31:43 UTC 2017


Confirmed. The bug will happen wherever opening a symlink to a directory
with O_DIRECTORY|O_NOFOLLOW returns ENOTDIR instead of ELOOP (and you
have to be using protocol SMB2 or higher):

xenial:
andreas@nsn7:~$ mkdir -p /tmp/cve/a
andreas@nsn7:~$ ln -s /tmp/cve/a /tmp/cve/b
andreas@nsn7:~$ python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 40] Too many levels of symbolic links: '/tmp/cve/b'
andreas@nsn7:~$ 

Same thing on artful:
root@15-89:~# mkdir -p /tmp/cve/a
root@15-89:~# ln -s /tmp/cve/a /tmp/cve/b
root@15-89:~# python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 20] Not a directory: '/tmp/cve/b'
root@15-89:~# 


Samba is only checking for ELOOP, which means the ENOTDIR error surfaces:
(my [cve] share points at /cve)
root@15-89:~# ls -la /cve
total 12
drwxr-xr-x  3 root root 4096 Jun 30 19:20 .
drwxr-xr-x 24 root root 4096 Jun 30 19:20 ..
drwxr-xr-x  2 root root 4096 Jun 30 19:20 a
lrwxrwxrwx  1 root root    1 Jun 30 19:20 b -> a
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB2 -c "ls /b/"
WARNING: The "syslog" option is deprecated
Domain=[ARTFUL] OS=[] Server=[]
NT_STATUS_NOT_A_DIRECTORY listing \b\
root@15-89:~# 


When using SMB1 (which is the default, so you get the same without specifying -m):
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB -c "ls /b/"
WARNING: Ignoring invalid value 'SMB' for parameter 'client max protocol'
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Ubuntu]
  b                                   D        0  Fri Jun 30 19:20:37 2017

                30831504 blocks of size 1024. 23550704 blocks available

On my xenial LXD samba container, it works all the time, and my host is
xenial too, so it's the right kernel. I'll double check with a VM,
though.

** Changed in: samba (Ubuntu)
       Status: New => In Progress

** Changed in: samba (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Summary changed:

- CVE-2017-2619 regression breaks symlinks
+ CVE-2017-2619 regression breaks symlinks to directories

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1701073

Title:
  CVE-2017-2619 regression breaks symlinks to directories

Status in samba:
  Unknown
Status in samba package in Ubuntu:
  In Progress

Bug description:
  Found in current version in Xenial (4.3.11+dfsg-0ubuntu0.16.04.7).
  When share's path is '/', symlinks do not work properly from Windows
  client. Gives "Cannot Access" error.

  To reproduce:

  1. Install samba and related dependencies

  apt install -y samba

  2. Add a share at the end of the default file that uses '/' as the
  path:

  [reproducer]
          comment = share
          browseable = no
          writeable = yes
          create mode = 0600
          directory mode = 0700
          path = /

  3. Attempt to access a symlink somewhere within the path of the share
  with a Windows client.

  4. Receive "Windows cannot access..." related error
