CVE-2019-10197 restricted share escape by user

Bug #1842533 reported by Bryce Harrington
Affects          Status         Importance   Assigned to        Milestone
samba            Unknown        Unknown
samba (Ubuntu)   Fix Released   Undecided    Bryce Harrington

Bug Description

samba (2:4.10.7+dfsg-0ubuntu2) eoan; urgency=medium

  * SECURITY UPDATE: restricted share escape by user
    - debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
      out impersonation debug info into a new function.
    - debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
      change_to_user_internal() always resets current_user.done_chdir
    - debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
      reset current_user.{need,done}_chdir in become_root()
    - debian/patches/CVE-2019-10197-04-v4-10.patch: selftest: make
      fsrvp_share its own independent subdirectory
    - debian/patches/CVE-2019-10197-05-v4-10.patch:
      test_smbclient_s3.sh: add regression test for the no permission
      on share root problem
    - debian/patches/CVE-2019-10197-06-v4-10.patch: smbd: split
      change_to_user_impersonate() out of change_to_user_internal()
    - CVE-2019-10197

 -- Steve Beattie <email address hidden> Fri, 30 Aug 2019 11:07:19 -0700

A PPA build with this patch is available from the security team at:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

I've also uploaded it to my own PPA here, to double-check the build:
https://launchpad.net/~bryce/+archive/ubuntu/samba-cve-2019-10197/+packages


Bryce Harrington (bryce)
information type: Public → Private Security
Changed in samba (Ubuntu):
status: New → In Progress
assignee: nobody → Bryce Harrington (bryce)
summary: - CVE-2019-10197
+ CVE-2019-10197 restricted share escape by user
Bryce Harrington (bryce)
description: updated
Bryce Harrington (bryce) wrote :

Building this locally with `git ubuntu build` failed with an error about symbols discrepancy:

  dpkg-gensymbols: error: some new symbols appeared in the symbols file: see diff output below
  dpkg-gensymbols: error: some symbols or patterns disappeared in the symbols file: see diff output below
  dpkg-gensymbols: warning: debian/libsmbclient/DEBIAN/symbols doesn't match completely debian/libsmbclient.symbols
  dh_makeshlibs: failing due to earlier errors
  make[1]: *** [debian/rules:255: override_dh_makeshlibs] Error 255
  make: *** [debian/rules:87: binary] Error 2
  dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2

09/03/2019 18:41:28 - ERROR:Failed to build

However, the patchset does not remove any symbols, and the only function it adds is a static internal routine for printing some information. So I think this is a spurious error, but am doing a build in a PPA just to double-check.

Apart from that, the upload looks good to go:

√ Code-reviewed patches
√ Verified patches match what was proposed upstream
√ Verified changelog text and format
√ Verified patches listed correctly in d/p/series

I don't have authorization to the upstream bug report, so was unable to verify that, but the change makes sense for fixing the issue it alludes to.
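
Added example, not part of the original comment or of Ubuntu's tooling: one way to script the "patches listed correctly in d/p/series" check from the review above. The function names, the sample series files and the rule that changelog order must match series order are assumptions of this example; the patch names are the ones quoted in the changelog on this page.

```shell
#!/bin/sh
# Patch names cited as "debian/patches/<name>.patch" in a changelog entry.
changelog_patches() {
    grep -o 'debian/patches/[^: ]*\.patch' "$1" | sed 's|^debian/patches/||'
}

# Series entries: comments and blank lines skipped, options such as -p1 dropped.
series_patches() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# Hypothetical check: every patch named in the changelog must appear in the
# series file, in the same relative order. Returns 0 on success, 1 otherwise.
check_series() {
    changelog=$1 series=$2 rc=0 last=0
    for p in $(changelog_patches "$changelog"); do
        n=$(series_patches "$series" | grep -n -x -F -e "$p" | head -n 1 | cut -d: -f1)
        if [ -z "$n" ]; then
            echo "MISSING from series: $p"; rc=1
        elif [ "$n" -le "$last" ]; then
            echo "OUT OF ORDER in series: $p"; rc=1
        else
            last=$n
        fi
    done
    return $rc
}

# Constructed sample data: three changelog lines as quoted on this page, and
# two made-up series files (one complete, one reordered with patch 03 dropped).
demo=$(mktemp -d)
cat > "$demo/changelog" <<'EOF'
    - debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
    - debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
    - debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
EOF
printf '%s\n' '# security' CVE-2019-10197-01-v4-10.patch \
    CVE-2019-10197-02-v4-10.patch CVE-2019-10197-03-v4-10.patch > "$demo/series.good"
printf '%s\n' CVE-2019-10197-02-v4-10.patch \
    CVE-2019-10197-01-v4-10.patch > "$demo/series.bad"

check_series "$demo/changelog" "$demo/series.good" && echo "series.good: OK"
check_series "$demo/changelog" "$demo/series.bad" || echo "series.bad: mismatch"
```

Against a real source tree the two arguments would be `debian/changelog` (or just its top entry) and `debian/patches/series`.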

Bryce Harrington (bryce)
information type: Private Security → Public Security
Bryce Harrington (bryce) wrote :

The samba change itself was fine, but its upload to proposed led to a build failure caused by a new glibc in proposed (https://bugs.launchpad.net/ubuntu/+source/python3.7/+bug/1842618). That bug is resolved now, and cpaelzer said on it that samba's build has succeeded.

Changed in samba (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.10.7+dfsg-0ubuntu2

---------------
samba (2:4.10.7+dfsg-0ubuntu2) eoan; urgency=medium

  * SECURITY UPDATE: restricted share escape by user (LP: #1842533)
    - debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
      out impersonation debug info into a new function.
    - debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
      change_to_user_internal() always resets current_user.done_chdir
    - debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
      reset current_user.{need,done}_chdir in become_root()
    - debian/patches/CVE-2019-10197-04-v4-10.patch: selftest: make
      fsrvp_share its own independent subdirectory
    - debian/patches/CVE-2019-10197-05-v4-10.patch:
      test_smbclient_s3.sh: add regression test for the no permission
      on share root problem
    - debian/patches/CVE-2019-10197-06-v4-10.patch: smbd: split
      change_to_user_impersonate() out of change_to_user_internal()
    - CVE-2019-10197

 -- Steve Beattie <email address hidden> Fri, 30 Aug 2019 11:07:19 -0700

Changed in samba (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
