Bug 1213386 (CVE-2020-25720)

Summary:	VUL-0: CVE-2020-25720: samba: create Child permission should not allow full write to all attributes
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Thomas Leroy <thomas.leroy>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	samba-maintainers, scabrero
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Thomas Leroy 2023-07-17 09:04:41 UTC

CVE-2020-25720

Create Child permission should not allow full write to all attributes

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25720
https://gitlab.com/samba-team/samba/-/merge_requests/2514
https://gitlab.com/samba-team/samba/-/commit/cc64ea24daa649dc8de4a212c7abfbe111095655
https://bugzilla.samba.org/show_bug.cgi?id=14810

Comment 1 Thomas Leroy 2023-07-17 09:45:57 UTC

A few commits mentioning this CVE have been backported to a stable branch:
b7af8aa2552e0690aac58fb98e3134b71f678ece
307b2e65d51903f6805460a2633ebe809d4052ab
3ecdec683b60cf100b1c031841b709c91191c8f2

But I don't think these fully fix the issue.

Comment 2 Samuel Cabrero 2023-12-20 10:28:43 UTC

It was fixed in samba 4.17.8 and only affects samba when running as an AD DC (was tech-preview, dropped in 15-SP5). Reassign to security team to close it.

Comment 3 Thomas Leroy 2024-01-05 08:28:23 UTC

(In reply to Samuel Cabrero from comment #2)
> It was fixed in samba 4.17.8 and only affects samba when running as an AD DC
> (was tech-preview, dropped in 15-SP5). Reassign to security team to close it.

Thanks Samuel. So for all maintained codestreams, AD DC mode is either in tech-preview or dropped (for codestreams more recent than 15-SP5?) ?

Comment 4 Samuel Cabrero 2024-01-05 09:45:28 UTC

(In reply to Thomas Leroy from comment #3)
> (In reply to Samuel Cabrero from comment #2)
> > It was fixed in samba 4.17.8 and only affects samba when running as an AD DC
> > (was tech-preview, dropped in 15-SP5). Reassign to security team to close it.
> 
> Thanks Samuel. So for all maintained codestreams, AD DC mode is either in
> tech-preview or dropped (for codestreams more recent than 15-SP5?) ?

Yes, it has always been in tech-preview.

Comment 5 Thomas Leroy 2024-01-05 12:41:12 UTC

(In reply to Samuel Cabrero from comment #4)
> (In reply to Thomas Leroy from comment #3)
> > (In reply to Samuel Cabrero from comment #2)
> > > It was fixed in samba 4.17.8 and only affects samba when running as an AD DC
> > > (was tech-preview, dropped in 15-SP5). Reassign to security team to close it.
> > 
> > Thanks Samuel. So for all maintained codestreams, AD DC mode is either in
> > tech-preview or dropped (for codestreams more recent than 15-SP5?) ?
> 
> Yes, it has always been in tech-preview.

Thanks. So SUSE:ALP:Source:Standard:1.0 and SUSE:SLE-15-SP5:Update are not affected, and the rest is wontfix. Closing.

Comment 6 Maintenance Automation 2024-02-27 12:30:30 UTC

SUSE-SU-2023:2929-1: An update that solves six vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1212375, 1213170, 1213171, 1213172, 1213173, 1213174, 1213384, 1213386
CVE References: CVE-2020-25720, CVE-2022-2127, CVE-2023-3347, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968
Sources used:
openSUSE Leap 15.5 (src): samba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1
Basesystem Module 15-SP5 (src): samba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): samba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.