Bug 1024542 (CVE-2013-4475) - CVE-2013-4475 samba: no access check verification on stream files
Summary: CVE-2013-4475 samba: no access check verification on stream files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4475
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1024543 1024544 1028086 1028087 1028088 1028089 1028275
Blocks: 1016554
TreeView+ depends on / blocked
 
Reported: 2013-10-29 21:47 UTC by Vincent Danen
Modified: 2019-09-29 13:09 UTC (History)
16 users (show)

Fixed In Version: samba 3.6.20, samba 4.0.11, samba 4.1.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-06 19:11:54 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1806 normal SHIPPED_LIVE Important: samba and samba3x security update 2013-12-10 05:17:45 UTC
Red Hat Product Errata RHSA-2014:0009 normal SHIPPED_LIVE Important: samba security update 2014-01-06 23:32:39 UTC

Description Vincent Danen 2013-10-29 21:47:57 UTC
It was reported [1] that there are no ACL checks done on accessing stream files (as opposed to regular files) when performing generic file operations like read and write.  A stream file created on a CIFS share, with explicit deny write ACE applied, would be ignored, despite the access control.  This could allow users able to access the CIFS share on which such a restricted stream file existed, to read and write to the stream file when the expectation was that they were not authorized to do so.

A patch has been posted to the samba-technical mailing list [2] to correct this flaw.  Samba 3.6 and higher are affected by this flaw.

[1] https://bugzilla.samba.org/show_bug.cgi?id=10235
[2] https://lists.samba.org/archive/samba-technical/attachments/20131028/3f1fc04c/attachment.patch

Comment 2 Vincent Danen 2013-10-29 21:50:30 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1024544]

Comment 6 Tomas Hoger 2013-11-04 08:55:00 UTC
Public report on the upstream samba-technical list:
https://lists.samba.org/archive/samba-technical/2013-October/095725.html

Comment 12 Tomas Hoger 2013-11-11 18:55:45 UTC
This issue is now fixed in upstream Samba versions 3.6.20, 4.0.11, and 4.1.1.

External References:

http://www.samba.org/samba/security/CVE-2013-4475

Comment 13 Tomas Hoger 2013-11-11 19:01:52 UTC
Upstream commit:
http://git.samba.org/?p=samba.git;a=commitdiff;h=60f922b

Comment 14 Tomas Hoger 2013-11-11 19:03:33 UTC
Public upstream bug report:
https://bugzilla.samba.org/show_bug.cgi?id=10229

Comment 16 errata-xmlrpc 2013-12-10 00:18:47 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1806 https://rhn.redhat.com/errata/RHSA-2013-1806.html

Comment 17 errata-xmlrpc 2014-01-06 18:34:32 UTC
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:0009 https://rhn.redhat.com/errata/RHSA-2014-0009.html

Comment 18 Murray McAllister 2014-07-30 05:53:49 UTC
Statement:

This issue did not affect the samba package in Red Hat Enterprise Linux 5. This issue was addressed for the samba3x package in Red Hat Enterprise Linux 5 and the samba package in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2013-1806.html, and the samba package in Red Hat Storage via https://rhn.redhat.com/errata/RHSA-2014-0009.html


Note You need to log in before you can comment on or make changes to this bug.