git.samba.org / samba.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2ff6cbc) | patch
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
authorRalph Boehme <slow@samba.org>
Tue, 1 Aug 2023 11:04:36 +0000 (13:04 +0200)
committerJule Anger <janger@samba.org>
Sun, 8 Oct 2023 20:05:54 +0000 (22:05 +0200)
commit6b6495c7125540f5bacc27ef76440340cf0fd58e
tree68815673afef7381649b25e66fc7ee746c33d0e4tree
parent2ff6cbcd3accaf7953de9fe0a05d0c2176af6b3ccommit | diff
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>
selftest/knownfail.d/samba3.smb2.acls [deleted file] blob | history
source3/smbd/open.c diff | blob | history
Samba Shared Repository