As per upstream advisory: Samba client code (libsmbclient) returns server-supplied filenames to calling code without checking for pathname separators (such as "/" or "../") in the server returned names. A malicious server can craft a pathname containing separators and return this to client code, causing the client to use this access local pathnames for reading or writing instead of SMB network pathnames. This access is done using the local privileges of the client. This attack can be achieved using any of SMB1/2/3 as it is not reliant on any specific SMB protocol version. Specifically, samba client tools like smbget and smbclient's mget use the server supplied 'final' name component as a local name when obtaining multiple files. While the design of these tools is that server can always choose the file names, this vulnerability is that it allows a remote server to create local files outside the current working directory. Users of the libsmbclient library external to Samba may also be vulnerable if they use server returned filenames without adequate checking and pass them to functions that do local filesystem access. Note that the Gnome GVFS client library is not believed to be vulnerable, as it always passes server-returned pathnames back to the SMB share they were returned from. Such malformed pathnames are then rejected by the server. Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=14071
Acknowledgments: Name: the Samba project Upstream: Michael Hanselmann
External References: https://www.samba.org/samba/security/CVE-2019-10218.html
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1766558]
This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Via RHSA-2020:0943 https://access.redhat.com/errata/RHSA-2020:0943
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10218
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1084 https://access.redhat.com/errata/RHSA-2020:1084
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1878 https://access.redhat.com/errata/RHSA-2020:1878