git.samba.org / samba.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b08a601) | patch
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
authorRalph Boehme <slow@samba.org>
Tue, 1 Aug 2023 11:04:36 +0000 (13:04 +0200)
committerJule Anger <janger@samba.org>
Mon, 9 Oct 2023 20:16:07 +0000 (22:16 +0200)
commit8b26f634372f11edcbea33dfd68a3d57889dfcc5
tree8f33d9994a02267a5323ebe16892259be4927c3ftree
parentb08a60160e6ab8d982d31844bcbf7ab67ff3a8decommit | diff
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>
selftest/knownfail.d/samba3.smb2.acls [deleted file] blob | history
source3/smbd/open.c diff | blob | history
Samba Shared Repository