master

分支 (20)

标签 (16)

管理

管理

master

openEuler-20.03-LTS-SP4

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP1

openEuler-22.03-LTS

openEuler-22.03-LTS-SP2

openEuler-22.03-LTS-SP1

openEuler-22.03-LTS-Next

openEuler-23.09

openEuler-23.03

openEuler-22.09

openEuler-22.03-LTS-LoongArch

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.03

openEuler-21.09

openEuler-20.09

openEuler1.0

openEuler1.0-base

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

samba
/
backport-0002-CVE-2023-4091.patch

From 3c432b144690353b7c86daf38612a2e19eb82084 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 1 Aug 2023 13:04:36 +0200
Subject: [PATCH 05/28] CVE-2023-4091: smbd: use open_access_mask for access
 check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>

Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.18.8-security-2023-10-10.patch
[PATCH 05/28] CVE-2023-4091: smbd: use open_access_mask for access
 check in open_file()
---
 selftest/knownfail.d/samba3.smb2.acls | 1 -
 source3/smbd/open.c                   | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)
 delete mode 100644 selftest/knownfail.d/samba3.smb2.acls

diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
deleted file mode 100644
index 18df260c0e5..00000000000
--- a/selftest/knownfail.d/samba3.smb2.acls
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 94f50becb24..0c9ddfe7c94 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req,
 						dirfsp,
 						fsp,
 						false,
-						access_mask);
+						open_access_mask);

 				if (!NT_STATUS_IS_OK(status)) {
 					DBG_DEBUG("smbd_check_access_rights_fsp"
@@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req,
 			status = smbd_check_access_rights_fsp(dirfsp,
 							      fsp,
 							      false,
-							      access_mask);
+							      open_access_mask);

 			if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
 			    posix_open &&
--
2.34.1