Bug 1024542 (CVE-2013-4475)

Summary: CVE-2013-4475 samba: no access check verification on stream files
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aavati, abokovoy, asn, gdeschner, gmollett, jkurik, jlayton, mmcallis, pfrields, rfortier, rhs-bugs, sbose, security-response-team, ssaha, ssorce, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 3.6.20, samba 4.0.11, samba 4.1.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-06 19:11:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1024543, 1024544, 1028086, 1028087, 1028088, 1028089, 1028275    
Bug Blocks: 1016554    

Description Vincent Danen 2013-10-29 21:47:57 UTC 
It was reported [1] that there are no ACL checks done on accessing stream files (as opposed to regular files) when performing generic file operations like read and write.  A stream file created on a CIFS share, with explicit deny write ACE applied, would be ignored, despite the access control.  This could allow users able to access the CIFS share on which such a restricted stream file existed, to read and write to the stream file when the expectation was that they were not authorized to do so.

A patch has been posted to the samba-technical mailing list [2] to correct this flaw.  Samba 3.6 and higher are affected by this flaw.

[1] https://bugzilla.samba.org/show_bug.cgi?id=10235
[2] https://lists.samba.org/archive/samba-technical/attachments/20131028/3f1fc04c/attachment.patch
Comment 2 Vincent Danen 2013-10-29 21:50:30 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1024544]
Comment 6 Tomas Hoger 2013-11-04 08:55:00 UTC 
Public report on the upstream samba-technical list:
https://lists.samba.org/archive/samba-technical/2013-October/095725.html
Comment 12 Tomas Hoger 2013-11-11 18:55:45 UTC 
This issue is now fixed in upstream Samba versions 3.6.20, 4.0.11, and 4.1.1.

External References:

http://www.samba.org/samba/security/CVE-2013-4475
Comment 13 Tomas Hoger 2013-11-11 19:01:52 UTC 
Upstream commit:
http://git.samba.org/?p=samba.git;a=commitdiff;h=60f922b
Comment 14 Tomas Hoger 2013-11-11 19:03:33 UTC 
Public upstream bug report:
https://bugzilla.samba.org/show_bug.cgi?id=10229
Comment 16 errata-xmlrpc 2013-12-10 00:18:47 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1806 https://rhn.redhat.com/errata/RHSA-2013-1806.html
Comment 17 errata-xmlrpc 2014-01-06 18:34:32 UTC 
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:0009 https://rhn.redhat.com/errata/RHSA-2014-0009.html
Comment 18 Murray McAllister 2014-07-30 05:53:49 UTC 
Statement:

This issue did not affect the samba package in Red Hat Enterprise Linux 5. This issue was addressed for the samba3x package in Red Hat Enterprise Linux 5 and the samba package in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2013-1806.html, and the samba package in Red Hat Storage via https://rhn.redhat.com/errata/RHSA-2014-0009.html