git.samba.org / samba.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ae5c0e1) | patch
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
authorRalph Boehme <slow@samba.org>
Tue, 1 Aug 2023 11:04:36 +0000 (13:04 +0200)
committerJule Anger <janger@samba.org>
Sun, 8 Oct 2023 20:06:00 +0000 (22:06 +0200)
commit53c9e1c9d3b660837d4517cfe0f3da2f0744660b
treeba0270f3c4f383301c34183bdc6d129a8a7b9357tree
parentae5c0e1914a92a4cc73f37ff18a266b7d39d5b42commit | diff
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>
selftest/knownfail.d/samba3.smb2.acls [deleted file] blob | history
source3/smbd/open.c diff | blob | history
Samba Shared Repository