| commit | 9cd1ad18af07098588163c0b5b69408e4002a7aa | |
| author | Ralph Boehme <slow@samba.org> | |
| Tue, 1 Aug 2023 11:04:36 +0000 (1 13:04 +0200) | ||
| committer | Jule Anger <janger@samba.org> | |
| Mon, 9 Oct 2023 20:14:05 +0000 (9 22:14 +0200) | ||
| tree | 6e47ce578233e7803466b08e0cb8438dd124e231 | treesnapshot (tar.gz zip) |
| parent | 2761477b76c2eafd0c851dfdff998e730e433c4c | commitdiff |
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
| selftest/knownfail.d/samba3.smb2.acls | [deleted file] | blobblamehistory |
| source3/smbd/open.c | diffblobblamehistory |