Bug 2137776 (CVE-2022-3592)

Summary: CVE-2022-3592 samba: wide links protection broken
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: abokovoy, anoopcs, asn, dkarpele, gdeschner, kyoshida, pfilipen, rhs-smb, sbose
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: samba 4.17.2
Doc Text:
A symlink following vulnerability was found in Samba, where a user can create a symbolic link that will make 'smbd' escape the configured share path. This flaw allows a remote user with access to the exported part of the file system under a share via SMB1 unix extensions or NFS to create symlinks to files outside the 'smbd' configured share path and gain access to another restricted server's filesystem.
Bug Depends On: 2137778, 2138446    
Bug Blocks: 2137644    

Description TEJ RATHI 2022-10-26 07:36:07 UTC
Samba 4.17 introduced following symlinks in user space with the intent to properly check symlink targets to stay within the share that was configured by the administrator. The check does not properly cover a corner case, so that a user can create a symbolic link that will make smbd escape the configured share path.

Affects - All versions of Samba since 4.17.0.
Samba 4.17.2 has been issued as a security release to correct the defect.

https://www.samba.org/samba/security/CVE-2022-3592.html

Comment 1 TEJ RATHI 2022-10-26 07:36:56 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2137778]