Bug 958582 - (CVE-2015-5252) VUL-0: CVE-2015-5252: samba: Insufficient symlink verification (file access outside the share)
(CVE-2015-5252)
VUL-0: CVE-2015-5252: samba: Insufficient symlink verification (file access o...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:running:62372:moderate CVSSv2:S...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-10 06:34 UTC by Marcus Meissner
Modified: 2016-04-20 10:12 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 6 Marcus Meissner 2015-12-10 07:09:11 UTC
3.x patches were not yet attached
Comment 7 Marcus Meissner 2015-12-10 07:24:57 UTC
QA REPRODUCER:

problem seems to be in share definitions 

/share
/share1

giving access to /share  without leading / will also give access to /share1 

(see description).

perhaps the samba team can improve on this reproduction description.
Comment 8 SMASH SMASH 2015-12-10 10:20:27 UTC
An update workflow for this issue was started.

This issue was rated as "important".
Please submit fixed packages until "Dec. 17, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121110/.
Comment 9 Swamp Workflow Management 2015-12-10 11:09:33 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-12-24.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62372
Comment 10 SMASH SMASH 2015-12-10 11:09:53 UTC
An update workflow for this issue was started.

This issue was rated as "important".
Please submit fixed packages until "Dec. 17, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/62372/.
Comment 11 Swamp Workflow Management 2015-12-10 23:00:32 UTC
bugbot adjusting priority
Comment 14 Marcus Meissner 2015-12-16 11:51:47 UTC
is public now

https://www.samba.org/samba/security/CVE-2015-5252.html
===========================================================
== Subject:     Insufficient symlink verification in smbd.
==
== CVE ID#:     CVE-2015-5252
==
== Versions:    All versions of Samba, from 3.0.0 to 4.3.2
==
== Summary:     Insufficient symlink verification could allow
==		data access outside share path.
==
===========================================================

===========
Description
===========

All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
a bug in symlink verification, which under certain circumstances could
allow client access to files outside the exported share path.

If a Samba share is configured with a path that shares a common path
prefix with another directory on the file system, the smbd daemon may
allow the client to follow a symlink pointing to a file or directory
in that other directory, even if the share parameter "wide links" is
set to "no" (the default).

For example. Given two directories on the file system:

/share/

/share1/

If a Samba share is created as follows:

[sharename]
	path = /share
	wide links = no

Then a symlink with the path

/share/symlink -> /share1/file

would be followed by smbd, due to the fact that only the string
"/share" is checked to see if it matches the target path. This means a
path that starts with "/share", such as "/share1" will also match.

==================
Patch Availability
==================

Patches addressing this defect have been posted to

 https://www.samba.org/samba/history/security.html

Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 have been issued as
security releases to correct the defect.
Samba vendors and administrators running affected versions are
advised to upgrade or apply the patch as soon as possible.

===========
Workarounds
===========

Ensure all exported share paths do not share base path names with
other directories on the file system.

Please note, setting the smb.conf variable "follow symlinks = no" is
*NOT* a workaround for this problem, as this only prohibits smbd from
following a symlink at the end of a path.

A symlink could be created that points to the directory which shares a
base path name instead, and smbd would still follow that link. For
example, with the above share definition, given a symlink of:

/share/symlink -> /share1

a client could send a relative path such as "symlink/file", which
would still be followed by smbd as the end component "file" of
"symlink/file" is *NOT* a symlink, and so is not affected by "follow
symlinks = no".

=======
Credits
=======

The problem was found by Jan "Yenya" Kasprzak and the Computer Systems
Unit team at Faculty of Informatics, Masaryk University. The fix was
created by Jeremy Allison of Google.
Comment 15 Bernhard Wiedemann 2015-12-16 17:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (958582) was mentioned in
https://build.opensuse.org/request/show/349211 Factory / samba
Comment 16 Swamp Workflow Management 2015-12-18 20:14:30 UTC
SUSE-SU-2015:2304-1: An update that solves 6 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 295284,773464,872912,901813,902421,910378,912457,913304,923374,931854,936909,939051,947552,949022,951660,953382,954658,958581,958582,958583,958584,958585,958586
CVE References: CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-8467
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    ldb-1.1.24-4.3.1, samba-4.1.12-18.3.1, talloc-2.1.5-3.4.1, tdb-1.3.8-2.3.1, tevent-0.9.26-3.3.1
SUSE Linux Enterprise Server 12 (src):    ldb-1.1.24-4.3.1, samba-4.1.12-18.3.1, talloc-2.1.5-3.4.1, tdb-1.3.8-2.3.1, tevent-0.9.26-3.3.1
SUSE Linux Enterprise Desktop 12 (src):    ldb-1.1.24-4.3.1, samba-4.1.12-18.3.1, talloc-2.1.5-3.4.1, tdb-1.3.8-2.3.1, tevent-0.9.26-3.3.1
Comment 17 Swamp Workflow Management 2015-12-18 21:11:56 UTC
SUSE-SU-2015:2305-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 949022,951660,954658,958581,958582,958583,958584,958585,958586
CVE References: CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-8467
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ldb-1.1.24-4.1, samba-4.2.4-6.1, talloc-2.1.5-4.1, tdb-1.3.8-4.1, tevent-0.9.26-4.1
SUSE Linux Enterprise Server 12-SP1 (src):    ldb-1.1.24-4.1, samba-4.2.4-6.1, talloc-2.1.5-4.1, tdb-1.3.8-4.1, tevent-0.9.26-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ldb-1.1.24-4.1, samba-4.2.4-6.1, talloc-2.1.5-4.1, tdb-1.3.8-4.1, tevent-0.9.26-4.1
Comment 18 James McDonough 2015-12-23 22:10:57 UTC
Submitted for SLE10SP3 (both gplv3 and gplv2 versions).  It complained but submitted to SLE11SP1.  And it refused to submit in SLES9 for Teradata.

packages for the SLE9 and SLE11SP1 can be found in  
home:lmuelle:branches:OBS_Maintained:samba
Comment 19 Swamp Workflow Management 2015-12-24 02:11:45 UTC
openSUSE-SU-2015:2354-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 949022,951660,954658,958581,958582,958583,958584,958585,958586
CVE References: CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-8467
Sources used:
openSUSE Leap 42.1 (src):    ldb-1.1.24-7.1, samba-4.2.4-9.2, talloc-2.1.5-7.1, tdb-1.3.8-7.1, tevent-0.9.26-7.1
Comment 20 Swamp Workflow Management 2015-12-24 15:12:11 UTC
openSUSE-SU-2015:2356-1: An update that solves 7 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 939050,939051,949022,951660,953382,954658,958580,958581,958582,958583,958584,958585,958586
CVE References: CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-7540,CVE-2015-8467
Sources used:
openSUSE 13.2 (src):    ldb-1.1.24-3.4.1, samba-4.1.22-21.1, talloc-2.1.5-2.6.1, tdb-1.3.8-3.1, tevent-0.9.26-3.1
openSUSE 13.1 (src):    ldb-1.1.24-3.7.1, samba-4.1.22-3.46.1, talloc-2.1.5-7.10.1, tdb-1.3.8-4.7.1, tevent-0.9.26-4.7.1
Comment 21 Swamp Workflow Management 2016-01-05 19:16:44 UTC
SUSE-SU-2016:0032-1: An update that solves four vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 295284,773464,901813,912457,913304,934299,948244,949022,958582,958583,958584,958586
CVE References: CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    samba-3.6.3-45.2, samba-doc-3.6.3-45.2
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    samba-3.6.3-45.2
Comment 22 Marcus Meissner 2016-01-11 13:08:35 UTC
done
Comment 25 Swamp Workflow Management 2016-01-19 12:14:15 UTC
SUSE-SU-2016:0164-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 295284,912457,934299,936909,948244,949022,953382,958582,958583,958584,958586
CVE References: CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-64.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    samba-3.6.3-64.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    samba-3.6.3-64.1, samba-doc-3.6.3-64.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-64.1, samba-doc-3.6.3-64.1
SUSE Linux Enterprise Server 11-SP3 (src):    samba-3.6.3-64.1, samba-doc-3.6.3-64.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    samba-3.6.3-64.1, samba-doc-3.6.3-64.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    samba-3.6.3-64.1, samba-doc-3.6.3-64.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-64.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-64.1
Comment 27 Swamp Workflow Management 2016-04-15 10:21:39 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-04-22.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62632
Comment 28 Swamp Workflow Management 2016-04-17 13:14:48 UTC
openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.2 (src):    samba-4.2.4-34.1
Comment 29 Swamp Workflow Management 2016-04-19 19:08:08 UTC
SUSE-SU-2016:1105-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 913087,958582,973031,973032
CVE References: CVE-2015-5252,CVE-2016-2110,CVE-2016-2111
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    samba-3.0.36-0.13.32.1, samba-doc-3.0.36-0.12.32.1
Comment 30 Swamp Workflow Management 2016-04-20 10:09:07 UTC
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2
Comment 31 Swamp Workflow Management 2016-04-20 10:12:12 UTC
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1