Bug 1144902 - (CVE-2019-10218) VUL-0: CVE-2019-10218: samba: Samba servers can inject relative paths in directory entry lists
(CVE-2019-10218)
VUL-0: CVE-2019-10218: samba: Samba servers can inject relative paths in dire...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/239272/
CVSSv3:SUSE:CVE-2019-10218:5.3:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-08-08 14:31 UTC by Johannes Segitz
Modified: 2022-07-22 17:05 UTC (History)
7 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Johannes Segitz 2019-08-08 14:31:25 UTC
This is a embargoed bug. This means that this information is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not submit this into OBS (e.g. fix Leap) until this is public
- do not make this bug public
- Please be aware that the SUSE:SLE-12-SP5:GA and SUSE:SLE-15-SP1:GA codestreams are available via OBS.
  This means that you can't submit security fixes for embargoed issues to these GA codestreams under
  development until they become public.

In doubt please talk to us on IRC (#security) or send us a mail. More information is also available at
https://pes.suse.de/Maintenance-Security/Security_Workflow/#index2h3
Comment 6 Swamp Workflow Management 2019-10-24 11:59:11 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-11-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64394
Comment 9 Marcus Meissner 2019-10-29 10:38:09 UTC
https://www.samba.org/samba/security/CVE-2019-10218.html


CVE-2019-10218.html

===========================================================
== Subject:     Client code can return filenames containing
==              path separators.
==
== CVE ID#:     CVE-2019-10218
==
== Versions:    All versions of Samba.
==
== Summary:     Malicious servers can cause Samba client
                code to return filenames containing path
                separators to calling code.
===========================================================

===========
Description
===========

Samba client code (libsmbclient) returns server-supplied filenames to
calling code without checking for pathname separators (such as "/" or
"../") in the server returned names.

A malicious server can craft a pathname containing separators and
return this to client code, causing the client to use this access local
pathnames for reading or writing instead of SMB network pathnames.

This access is done using the local privileges of the client.  

This attack can be achieved using any of SMB1/2/3 as it is not reliant
on any specific SMB protocol version.

Specifically, samba client tools like smbget and smbclient's mget use
the server supplied 'final' name component as a local name when
obtaining multiple files.  While the design of these tools is that
server can always choose the file names, this vulnerability is that it
allows a remote server to create local files outside the current
working directory.

Users of the libsmbclient library external to Samba may also be
vulnerable if they use server returned filenames without adequate
checking and pass them to functions that do local filesystem access.

Note that the Gnome GVFS client library is not believed to be
vulnerable, as it always passes server-returned pathnames back to the
SMB share they were returned from. Such malformed pathnames are then
rejected by the server.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.11.2, 4.10.10 and 4.9.15 have been issued as
security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSSv3: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N (5.3)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Michael Hanselmann.

Patches provided by Jeremy Allison of the Samba Team and Google.

Advisory by Jeremy Allison of the Samba Team and Google and Andrew
Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 10 Swamp Workflow Management 2019-10-29 14:19:27 UTC
SUSE-SU-2019:14202-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144902
CVE References: CVE-2019-10218
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    samba-3.6.3-94.23.1, samba-doc-3.6.3-94.23.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    samba-3.6.3-94.23.1, samba-doc-3.6.3-94.23.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-94.23.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-94.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-10-30 20:13:12 UTC
SUSE-SU-2019:2866-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1144902,1148539,1152143,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-10-30 20:15:09 UTC
SUSE-SU-2019:2868-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1125601,1127153,1130245,1134452,1144902,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-10-31 17:15:52 UTC
SUSE-SU-2019:2875-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144902
CVE References: CVE-2019-10218
Sources used:
SUSE OpenStack Cloud 7 (src):    samba-4.2.4-28.36.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    samba-4.2.4-28.36.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    samba-4.2.4-28.36.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    samba-4.2.4-28.36.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    samba-4.2.4-28.36.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    samba-4.2.4-28.36.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-28.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-11-04 20:12:51 UTC
SUSE-SU-2019:2890-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144902
CVE References: CVE-2019-10218
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE OpenStack Cloud 8 (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE Linux Enterprise Server 12-SP4 (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    samba-4.6.16+git.169.064abe062be-3.46.1
SUSE Enterprise Storage 5 (src):    samba-4.6.16+git.169.064abe062be-3.46.1
HPE Helion Openstack 8 (src):    samba-4.6.16+git.169.064abe062be-3.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Samuel Cabrero 2019-11-05 11:04:58 UTC
Reassign to security team for check and close.
Comment 16 Swamp Workflow Management 2019-11-05 14:11:58 UTC
SUSE-SU-2019:2893-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144902
CVE References: CVE-2019-10218
Sources used:
SUSE OpenStack Cloud 7 (src):    samba-4.4.2-38.28.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    samba-4.4.2-38.28.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    samba-4.4.2-38.28.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    samba-4.4.2-38.28.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    samba-4.4.2-38.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2019-11-05 20:17:28 UTC
openSUSE-SU-2019:2442-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1144902,1148539,1152143,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.210.ab0549acb05-lp151.2.9.1
Comment 18 Swamp Workflow Management 2019-11-09 17:13:57 UTC
openSUSE-SU-2019:2458-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1125601,1127153,1130245,1134452,1144902,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
openSUSE Leap 15.0 (src):    samba-4.7.11+git.186.d75219614c3-lp150.3.18.2
Comment 23 Alexandros Toptsoglou 2020-06-29 08:38:33 UTC
Done
Comment 25 Swamp Workflow Management 2020-09-17 19:14:30 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.