Bug 1741727 (CVE-2019-10220)

Summary: CVE-2019-10220 kernel: CIFS: Relative paths injection in directory entry lists
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Story Points: ---
Last Closed: 2019-12-16 03:33:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1777399
Bug Blocks: 1741728

Description Pedro Sampaio 2019-08-16 00:41:52 UTC
A flaw was found in the Linux kernel SMB client. Path separators are not checked by cifs.ko when parsing directory listings back, so a bad server can return relative paths that will be returned as-is to userspace, potentially leading to manipulation of files outside shared mount points.

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs?id=4f11918ab93bc113ec0831ed2ab7b88847d44dd7
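
The check the description calls for, as an added illustration (not the kernel's code and not the upstream patch): a readdir-side filter that accepts only names that are a single path component, run over a constructed set of entries a hostile server could return. Sample names and the helper names are constructed for this example.

```c
/*
 * Added illustration (not the kernel's code): validate directory-entry
 * names received from an SMB server before handing them to userspace.
 * A listing entry must be a single path component, so anything that
 * contains a path separator or an embedded NUL is rejected, as is an
 * empty name.
 */
#include <stdio.h>
#include <string.h>

/* Return 1 if the name is a valid single path component, else 0. */
int dirent_name_is_valid(const char *name, size_t len)
{
    if (len == 0)
        return 0;
    /* A NUL inside the declared length would truncate the name later. */
    if (memchr(name, '\0', len) != NULL)
        return 0;
    /* A separator would let the entry escape the directory being listed. */
    if (memchr(name, '/', len) != NULL)
        return 0;
    return 1;
}

struct dirent_sample {
    const char *name;
    size_t len;
};

/* Constructed sample of entries a hostile server might return. */
static const struct dirent_sample samples[] = {
    { "report.txt", 10 },           /* ordinary name: accepted */
    { "../../etc/passwd", 16 },     /* relative path: rejected */
    { "notes/2019", 10 },           /* embedded separator: rejected */
    { "safe\0hidden", 11 },         /* embedded NUL: rejected */
    { "", 0 },                      /* empty name: rejected */
};

/* Count how many sample entries would be passed through to userspace. */
int count_accepted(void)
{
    int accepted = 0;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (dirent_name_is_valid(samples[i].name, samples[i].len))
            accepted++;
    return accepted;
}

int main(void)
{
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s %s\n", samples[i].len ? samples[i].name : "(empty)",
               dirent_name_is_valid(samples[i].name, samples[i].len) ? "ok" : "rejected");
    return 0;
}
```

Only the first sample survives the filter; the backslash separator used on the wire by SMB is the client's concern before this point, so the check here only needs to handle what the VFS treats as a separator.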

Comment 1 Pedro Sampaio 2019-08-16 00:41:57 UTC
Acknowledgments:

Name: the SUSE Labs samba team
Upstream: Michael Hanselmann

Comment 2 Marian Rehak 2019-11-27 15:16:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1777399]

Comment 3 Salvatore Bonaccorso 2019-11-27 20:05:42 UTC
Hi

https://bugzilla.redhat.com/show_bug.cgi?id=1741728 is not publicly accessible, which I assume contains more information. Can you make those available? Is the issue fixed upstream?

Regards,
Salvatore

Comment 4 Salvatore Bonaccorso 2019-11-27 20:10:11 UTC
Seems related to the SuSE bugzilla entry at https://bugzilla.suse.com/show_bug.cgi?id=1144903

Comment 5 Justin M. Forbes 2019-12-02 14:18:07 UTC
This was fixed for Fedora with the 5.3.8 stable kernel updates.

Comment 6 Petr Matousek 2019-12-06 13:00:00 UTC
Hi Salvatore,

In reply to comment #3:
> https://bugzilla.redhat.com/show_bug.cgi?id=1741728 is not publicly
> accessible, which I assume contains more information. Can you make those
> available?

No, sorry.

> Is the issue fixed upstream?

This issue was solved on the VFS level, not on the per-filesystem level.
Please see comment #0.

Thank you,
--
Petr Matousek / Red Hat Product Security

Comment 7 Wade Mealing 2019-12-09 04:05:47 UTC
Gday,

I think that this was fixed here:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs?id=4f11918ab93bc113ec0831ed2ab7b88847d44dd7

Which kinda negates the need for this fix, as it's fixing it for all networked filesystems on the VFS level.

Does this answer your question?

Comment 8 Salvatore Bonaccorso 2019-12-13 14:16:32 UTC
Many thanks for confirming!

Comment 9 Wade Mealing 2019-12-16 03:32:36 UTC
No problem, thanks for the follow up.