Ubuntu
samba package

Cannot access anything under a subdirectory if symlinks are disallowed

Bug #1675698 reported by David Macek
42
This bug affects 8 people
Affects Status Importance Assigned to Milestone
samba
Unknown
Unknown
samba (Debian)
Fix Released
Unknown
samba (Ubuntu)
Invalid
Undecided
Unassigned
Precise
Fix Released
High
Marc Deslauriers
Trusty
Fix Released
High
Marc Deslauriers
Xenial
Fix Released
High
Marc Deslauriers
Yakkety
Fix Released
High
Marc Deslauriers
Zesty
Invalid
Undecided
Unassigned

Bug Description

After upgrading to 4.3.11+dfsg-0ubuntu0.14.04.6, some of my shares broke in a curious way. The affected shares have `follow symlinks = no`; the ones with `follow symlinks = yes` aren't affected AFAICT. Allowing symlinks on one of the affected shares mitigates the issue for that share.

The issue is that access to anything under a direct subdirectory of the share doesn't work. I can create a directory in `\\srv\share`, e.g. `\\srv\share\foo`, but I can't create any files or directories inside it, e.g. creating `\\srv\share\foo\bar` ends up with error 50 (The request is not supported). Attempts to access existing files or directories at this level produce error 59 (An unexpected network error occured).

The log at level 2 says:

```
../source3/smbd/vfs.c:1298(check_reduced_name)
  check_reduced_name: Bad access attempt: branches is a symlink to foo/bar

```

... or:

```
../source3/smbd/vfs.c:1298(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink to foo
```

CVE References

Revision history for this message
David Macek (david-macek-0) wrote :

Among the clients I tested with are Windows 10 (current stable -- AU) and Windows Server 2012 R2.

Revision history for this message
Mathieu Vedie (mvedie) wrote :

I experienced same issue since this morning but i havent made any upgrade.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue, I can reproduce it.

Revision history for this message
David Macek (david-macek-0) wrote :

The linked Debian bug doesn't mention that `follow symlinks` is the trigger. I don't have much time today to follow this further, but it would be great if someone else could coordinate with Debian maintainers so that they don't have to do redundant work.

Revision history for this message
Mikael Willberg (mig-j) wrote :

The same issue here, I just upgraded the samba to 2:4.3.11+dfsg-0ubuntu0.16.04.5, have "follow symlinks = no" and debug states the same issue that samba thinks folders are symlinks. So changing "follow symlinks = yes" will hide the issue not solve it.

Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Precise):
status: New → Confirmed
Changed in samba (Ubuntu Trusty):
status: New → Confirmed
Changed in samba (Ubuntu Xenial):
status: New → Confirmed
Changed in samba (Ubuntu Yakkety):
status: New → Confirmed
Changed in samba (Ubuntu Precise):
importance: Undecided → High
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Trusty):
importance: Undecided → High
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Xenial):
importance: Undecided → High
Changed in samba (Ubuntu Yakkety):
importance: Undecided → High
Changed in samba (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Yakkety):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Zesty):
status: New → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in samba (Debian):
status: Unknown → Confirmed
Revision history for this message
kfmes (kfmes) wrote :

I have same issue, after package update . and changed option 'follow symlinks = no' .
but I will wait for bug fixed.

Revision history for this message
Heiko Lechner (no-spam-to-me) wrote :

Downgraded to 4.3.8 until a fix is offered

Revision history for this message
Jeremy Allison (jra-samba) wrote :

Fixes for this have been uploaded to:

https://bugzilla.samba.org/show_bug.cgi?id=12721

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I have uploaded packages to the security team PPA that contain the patches from the Samba bug here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once they have been reviewed upstream, I'll put them through QA and will release them as a regression fix.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.4.5+dfsg-2ubuntu5.5

---------------
samba (2:4.4.5+dfsg-2ubuntu5.5) yakkety-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existant
      files and wildcards in source3/modules/vfs_shadow_copy2.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Mar 2017 07:31:03 -0400

Changed in samba (Ubuntu Yakkety):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.16.04.6

---------------
samba (2:4.3.11+dfsg-0ubuntu0.16.04.6) xenial-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existant
      files and wildcards in source3/modules/vfs_shadow_copy2.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Mar 2017 08:31:57 -0400

Changed in samba (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.6.25-0ubuntu0.12.04.10

---------------
samba (2:3.6.25-0ubuntu0.12.04.10) precise-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/bug12721-*.patch: add backported fixes from Samba bug
      #12721.
  * debian/patches/*: fix CVE number in patch filenames.

 -- Marc Deslauriers <email address hidden> Tue, 28 Mar 2017 09:43:30 -0400

Changed in samba (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.7

---------------
samba (2:4.3.11+dfsg-0ubuntu0.14.04.7) trusty-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existant
      files and wildcards in source3/modules/vfs_shadow_copy2.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Mar 2017 09:28:06 -0400

Changed in samba (Ubuntu Trusty):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Zesty):
status: Confirmed → Invalid
Bug Watch Updater (bug-watch-updater)
Changed in samba (Debian):
status: Confirmed → Fix Committed
Bug Watch Updater (bug-watch-updater)
Changed in samba (Debian):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.