Bug 1536053 - CVE-2017-2619 regression with non-wide symlinks to directories
Summary: CVE-2017-2619 regression with non-wide symlinks to directories
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: samba
Version: 6.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Andreas Schneider
QA Contact: Robin Hack
Keywords: Regression
Depends On:
Blocks: 1504542
TreeView+ depends on / blocked
Reported: 2018-01-18 14:43 UTC by Andreas Schneider
Modified: 2018-06-19 05:09 UTC (History)
15 users (show)

Clone Of:
Last Closed: 2018-06-19 05:09:07 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1860 None None None 2018-06-19 05:09 UTC
Samba Project 12860 None None None 2019-03-18 05:15 UTC

Description Andreas Schneider 2018-01-18 14:43:05 UTC
Description of problem:

The new helper function non_widelink_open() introduced with the fix part of the security fix for CVE-2017-2619 cannot reliably handle (non-wide) symlinks to directories if the underlying OS supports to O_DIRECTORY flag to open().

In this case, source3/smbd/open.c::open_directory() may end up calling fd_open() with flags O_RDONLY|O_DIRECTORY. If wide links = no, the flags get passed on to non_widelink_open(), which in turns adds O_NOFOLLOW, calls SMB_VFS_OPEN(), and then checks errno for ELOOP to detect whether a symlink was hit.

However, due to the flag O_DIRECTORY, open() may also return ENOTDIR in this case, and non_widelink_open() won't try to follow the link even if it remains within the share.

Comment 9 Colin.Simpson 2018-03-20 13:55:13 UTC
I have this. If this is ON_QA is it likely to get a release before 6.10 (given this isn't in beta yet from what I can see), and this seems to be what this bug fix is targeting?

Further, is this release imminent without me opening a support case?

Comment 17 errata-xmlrpc 2018-06-19 05:09:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.