[Bug 1701073] Re: CVE-2017-2619 regression breaks symlinks to directories

2017-06-30 Thread Andreas Hasenack
Testing this branch for artful:
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+ref/artful-samba-dir-symlink-1701073

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1701073

Title:
  CVE-2017-2619 regression breaks symlinks to directories

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1701073/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1701073] Re: CVE-2017-2619 regression breaks symlinks

2017-06-30 Thread Andreas Hasenack
Confirmed. The bug will happen wherever opening a symlink to a directory
with O_DIRECTORY||O_NOFOLLOW returns ENOTDIR instead of ELOOP (and you
have to be using protocol SMB2 or higher):

xenial:
andreas@nsn7:~$ mkdir -p /tmp/cve/a
andreas@nsn7:~$ ln -s /tmp/cve/a /tmp/cve/b
andreas@nsn7:~$ python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 40] Too many levels of symbolic links: '/tmp/cve/b'
andreas@nsn7:~$ 

Same thing on artful:
root@15-89:~# mkdir -p /tmp/cve/a
root@15-89:~# ln -s /tmp/cve/a /tmp/cve/b
root@15-89:~# python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 20] Not a directory: '/tmp/cve/b'
root@15-89:~# 


Samba is only checking for ELOOP, which means the ENOTDIR error surfaces:
(my [cve] share points at /cve)
root@15-89:~# ls -la /cve
total 12
drwxr-xr-x  3 root root 4096 Jun 30 19:20 .
drwxr-xr-x 24 root root 4096 Jun 30 19:20 ..
drwxr-xr-x  2 root root 4096 Jun 30 19:20 a
lrwxrwxrwx  1 root root    1 Jun 30 19:20 b -> a
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB2 -c "ls /b/"
WARNING: The "syslog" option is deprecated
Domain=[ARTFUL] OS=[] Server=[]
NT_STATUS_NOT_A_DIRECTORY listing \b\
root@15-89:~# 


When using SMB1 (which is the default, so you get the same without specifying -m):
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB -c "ls /b/"
WARNING: Ignoring invalid value 'SMB' for parameter 'client max protocol'
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Ubuntu]
  b                                   D        0  Fri Jun 30 19:20:37 2017

                30831504 blocks of size 1024. 23550704 blocks available

On my xenial LXD samba container, it works all the time, and my host is
xenial too, so it's the right kernel. I'll double check with a VM,
though.

** Changed in: samba (Ubuntu)
   Status: New => In Progress

** Changed in: samba (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Summary changed:

- CVE-2017-2619 regression breaks symlinks
+ CVE-2017-2619 regression breaks symlinks to directories


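Added example (not part of the original message, and not Samba's code): a probe that treats both errno values reported above as "final component is a symlink", using `lstat()` to disambiguate ENOTDIR. The helper names `open_dir_nofollow` and `demo` are hypothetical, and the directory layout is constructed in a temporary directory.

```python
import errno
import os
import stat
import tempfile

NOFOLLOW_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def open_dir_nofollow(path):
    """Open `path` as a directory without following a final symlink.

    Returns (fd, "directory", None) on success, otherwise
    (None, kind, errno_name) with kind "symlink" or "not-a-directory".
    """
    try:
        return os.open(path, NOFOLLOW_DIR), "directory", None
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        if exc.errno == errno.ELOOP:
            return None, "symlink", name
        if exc.errno == errno.ENOTDIR:
            # Ambiguous: a regular file gives ENOTDIR, and so does a symlink
            # to a directory on kernels that behave like the artful host.
            # lstat() does not follow the link, so it tells the two apart.
            # The check is racy; code that goes on to resolve the link must
            # re-validate that the target stays inside the exported tree.
            if stat.S_ISLNK(os.lstat(path).st_mode):
                return None, "symlink", name
            return None, "not-a-directory", name
        raise


def demo():
    """Classify a directory, a symlink to it and a regular file (constructed)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "a"))
        os.symlink(os.path.join(root, "a"), os.path.join(root, "b"))
        with open(os.path.join(root, "f"), "w") as fh:
            fh.write("x")
        for entry in ("a", "b", "f"):
            fd, kind, err = open_dir_nofollow(os.path.join(root, entry))
            if fd is not None:
                os.close(fd)
            results[entry] = (kind, err)
    return results
```

The errno name returned for `b` shows which of the two kernel behaviours the host has; the classification is the same either way.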

[Bug 1701073] Re: CVE-2017-2619 regression breaks symlinks

2017-06-30 Thread Andreas Hasenack
Note: if you use smbclient with -m SMB2, which is what windows7+ uses,
you will see the same failure when doing "ls /opt/opt/*":

root@xenial-samba-symlink-1701073:~# smbclient //localhost/cve-root -U ubuntu%ubuntu -c "ls /opt/opt/*"
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
  .                                   D        0  Fri Jun 30 18:51:00 2017
  ..                                  D        0  Fri Jun 30 18:11:18 2017
  smb.conf                            N     1245  Fri Jun 30 18:50:58 2017
  root                                D        0  Fri Jun 30 18:11:18 2017
  opt                                 D        0  Fri Jun 30 18:51:00 2017

                246776448 blocks of size 1024. 246351744 blocks available

root@xenial-samba-symlink-1701073:~# smbclient //localhost/cve-root -U ubuntu%ubuntu -c "ls /opt/opt/*" -m SMB2
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED listing \opt\opt\*
root@xenial-samba-symlink-1701073:~# 


I'm still investigating, I'm not getting the exact errors described in the 
upstream samba bug. They hint that it may depend on the kernel version as well. 
I'll stop trying with lxd and use VMs because of that.



[Bug 1701073] Re: CVE-2017-2619 regression breaks symlinks

2017-06-30 Thread Andreas Hasenack
Ok, checking out what's going on here.



[Bug 1536181] Re: bind9-resolvconf service doesn't work

2017-06-30 Thread Andreas Hasenack
** Merge proposal unlinked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/326619

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1536181

Title:
  bind9-resolvconf service doesn't work

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1536181/+subscriptions



[Bug 1701687] Re: Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.3

2017-06-30 Thread Andreas Hasenack
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/326619

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1701687

Title:
  Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1701687/+subscriptions



[Bug 1701687] [NEW] Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.3

2017-06-30 Thread Andreas Hasenack
Public bug reported:

Please sync with debian and merge 1:9.10.3.dfsg.P4-10.1ubuntu6 ->
1:9.10.3.dfsg.P4-12.3

** Affects: bind9 (Ubuntu)
 Importance: Low
 Assignee: Andreas Hasenack (ahasenack)
 Status: In Progress



[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-30 Thread Andreas Hasenack
** Also affects: ubuntu-advantage-script via
   https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/22
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ubuntu-advantage-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1700611

Title:
  sources.list file created for ESM is world-readable, leaks subscriber
  token to all local users

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-advantage-script/+bug/1700611/+subscriptions



[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-30 Thread Andreas Hasenack
There seems to be a difference in behavior in apt. Precise's apt-cache,
for example, doesn't seem to care:

ubuntu@precise-esm:~$ l /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list 
-rw--- 1 root root 200 Jun  7 18:35 /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list

ubuntu@precise-esm:~$ apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu0.12.04
  Version table:
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ubuntu@precise-esm:~$ sudo apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu5.12.04
  Version table:
     14.12-0ubuntu5.12.04 0
        500 https://extended.security.staging.ubuntu.com/ubuntu/ precise/main amd64 Packages
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages


So I would be OK for this change on precise, and also trusty (just tested) 
where it has the same behavior as precise. But from xenial onwards it breaks 
apt-cache as a whole for non-root users:


ubuntu@xenial-test:~$ apt-cache search juju
E: Opening /etc/apt/sources.list.d/juju-ubuntu-stable-xenial.list - ifstream::ifstream (13: Permission denied)
E: The list of sources could not be read.
ubuntu@xenial-test:~$
