Bug 1741727 (CVE-2019-10220) - CVE-2019-10220 kernel: CIFS: Relative paths injection in directory entry lists
Summary: CVE-2019-10220 kernel: CIFS: Relative paths injection in directory entry lists
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-10220
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1777399
Blocks: 1741728
TreeView+ depends on / blocked
 
Reported: 2019-08-16 00:41 UTC by Pedro Sampaio
Modified: 2023-03-24 15:15 UTC (History)
50 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's SMB client. Path separators are not checked by cifs.ko when parsing directory listings back. A bad server can return relative paths that will be returned as-is to userspace potentially leading to manipulating of files outside shared mount points. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2019-12-16 03:33:01 UTC
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2019-08-16 00:41:52 UTC
A flaw was found in the Linux kernel SMB client. Path separators are not checked by cifs.ko when parsing directory listings back, so a bad server
can return relative paths that will be returned as-is to userspace potencially leading to manipulating of files outside shared mount points.

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs?id=4f11918ab93bc113ec0831ed2ab7b88847d44dd7

Comment 1 Pedro Sampaio 2019-08-16 00:41:57 UTC
Acknowledgments:

Name: the SUSE Labs samba team
Upstream: Michael Hanselmann

Comment 2 Marian Rehak 2019-11-27 15:16:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1777399]

Comment 3 Salvatore Bonaccorso 2019-11-27 20:05:42 UTC
Hi

https://bugzilla.redhat.com/show_bug.cgi?id=1741728 is not publicly accessible, which I assume contains more information. Can you make those available? Is the issue fixed upstream?

Regards,
Salvatore

Comment 4 Salvatore Bonaccorso 2019-11-27 20:10:11 UTC
Seems related to the SuSE bugzilla entry at https://bugzilla.suse.com/show_bug.cgi?id=1144903

Comment 5 Justin M. Forbes 2019-12-02 14:18:07 UTC
This was fixed for Fedora with the 5.3.8 stable kernel updates.

Comment 6 Petr Matousek 2019-12-06 13:00:00 UTC
Hi Salvatore,

In reply to comment #3:
> https://bugzilla.redhat.com/show_bug.cgi?id=1741728 is not publicly
> accessible, which I assume contains more information. Can you make those
> available?

no, sorry.

> Is the issue fixed upstream?

This issue was solved on the VFS level not on the per filesystem level.
Please see comment #0.

Thank you,
--
Petr Matousek / Red Hat Product Security

Comment 7 Wade Mealing 2019-12-09 04:05:47 UTC
Gday,

I think that this was fixed here:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs?id=4f11918ab93bc113ec0831ed2ab7b88847d44dd7

Which kinda negates the need for this fix as its fixing it for all networked filesystems on the vfs level.

Does this answre your question ?

Comment 8 Salvatore Bonaccorso 2019-12-13 14:16:32 UTC
Many thanks for confirming!

Comment 9 Wade Mealing 2019-12-16 03:32:36 UTC
No problem , thanks for the follow up.


Note You need to log in before you can comment on or make changes to this bug.