NEWS[4.19.3]: Samba 4.19.3 Available for Download

[samba-web.git] / security / CVE-2013-6442.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Samba - Security Announcement Archive</title>
</head>

<body>

   <H2>CVE-2013-6442.html:</H2>

<p>
<pre>
===========================================================
== Subject:     smbcacls will remove the ACL on a file
==              or directory when changing owner or group
==              owner.
==
== CVE ID#:     CVE-2013-6442
==
== Versions:    All versions of Samba later than 4.0.0
==
== Summary:     smbcacls can remove a file or directory
==              ACL by mistake.
==
===========================================================

===========
Description
===========

Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
smbcacls is used with the "-C|--chown name" or "-G|--chgrp name"
command options it will remove the existing ACL on the object being
modified, leaving the file or directory unprotected.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Samba versions 4.0.16 and 4.1.6 have been released to address this
issue.

==========
Workaround
==========

Use server based tools (chown) to modify owners on files and
directories.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by Noel
Power of SuSE.

Patch provided by Jeremy Allison of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
</pre>
</body>
</html>