Confirmed. The bug will happen wherever opening a symlink to a directory
with O_DIRECTORY|O_NOFOLLOW returns ENOTDIR instead of ELOOP (and you
have to be using protocol SMB2 or higher):

xenial:
andreas@nsn7:~$ mkdir -p /tmp/cve/a
andreas@nsn7:~$ ln -s /tmp/cve/a /tmp/cve/b
andreas@nsn7:~$ python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 40] Too many levels of symbolic links: '/tmp/cve/b'
andreas@nsn7:~$ 

Same thing on artful:
root@15-89:~# mkdir -p /tmp/cve/a
root@15-89:~# ln -s /tmp/cve/a /tmp/cve/b
root@15-89:~# python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 20] Not a directory: '/tmp/cve/b'
root@15-89:~# 


Samba is only checking for ELOOP, which means the ENOTDIR error surfaces:
(my [cve] share points at /cve)
root@15-89:~# ls -la /cve
total 12
drwxr-xr-x  3 root root 4096 Jun 30 19:20 .
drwxr-xr-x 24 root root 4096 Jun 30 19:20 ..
drwxr-xr-x  2 root root 4096 Jun 30 19:20 a
lrwxrwxrwx  1 root root    1 Jun 30 19:20 b -> a
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB2 -c "ls /b/"
WARNING: The "syslog" option is deprecated
Domain=[ARTFUL] OS=[] Server=[]
NT_STATUS_NOT_A_DIRECTORY listing \b\
root@15-89:~# 


When using SMB1 (which is the default, so you get the same without specifying 
-m):
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB -c "ls /b/"
WARNING: Ignoring invalid value 'SMB' for parameter 'client max protocol'
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Ubuntu]
  b                                   D        0  Fri Jun 30 19:20:37 2017

                30831504 blocks of size 1024. 23550704 blocks available

On my xenial LXD samba container, it works all the time, and my host is
xenial too, so it's the right kernel. I'll double check with a VM,
though.

** Changed in: samba (Ubuntu)
       Status: New => In Progress

** Changed in: samba (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Summary changed:

- CVE-2017-2619 regression breaks symlinks
+ CVE-2017-2619 regression breaks symlinks to directories

https://bugs.launchpad.net/bugs/1701073

Title:
  CVE-2017-2619 regression breaks symlinks to directories
