| commit | b70f4f8681ca1b0818d42f600fd8bbdd74c29346 | |
| author | Ralph Boehme <slow@samba.org> | |
| Tue, 1 Aug 2023 11:04:36 +0000 (1 13:04 +0200) | ||
| committer | Jule Anger <janger@samba.org> | |
| Tue, 10 Oct 2023 14:49:39 +0000 (10 14:49 +0000) | ||
| tree | b881ea984d9cddc7c2feda998c192fba1589f65e | treesnapshot (tar.gz zip) |
| parent | b1fd65694185c26f1e196d84ee8756300e631bd5 | commitdiff |
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
| selftest/knownfail.d/samba3.smb2.acls | [deleted file] | blobblamehistory |
| source3/smbd/open.c | diffblobblamehistory |