o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
in the Samba file server process token.
The Samba smbd file server must map Windows group identities (SIDs) into unix
group ids (gids). The code that performs this had a flaw that could allow it
to read data beyond the end of the array in the case where a negative cache
entry had been added to the mapping cache. This could cause the calling code
to return those values into the process token that stores the group
membership for a user.
Most commonly this flaw caused the calling code to crash, but an alert user
(Peter Eriksson, IT Department, Linköping University) found this flaw by
noticing an unprivileged user was able to delete a file within a network
share that they should have been disallowed access to.
Analysis of the code paths has not allowed us to discover a way for a
remote user to be able to trigger this flaw reproducibly or on demand,
but this CVE has been issued out of an abundance of caution.
Bumped in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f10d6e6b8d366ca8b4cf89205f0e08e67b8de0bc. Tell us when ready to stable - we can replace other bug if needed.
New GLSA request filed.
all arches done
This issue was resolved and addressed in
GLSA 202105-22 at https://security.gentoo.org/glsa/202105-22
by GLSA coordinator Thomas Deutschmann (whissi).
The bug has been referenced in the following commit(s):
Author: Thomas Deutschmann <email@example.com>
AuthorDate: 2021-05-26 09:48:05 +0000
Commit: Thomas Deutschmann <firstname.lastname@example.org>
CommitDate: 2021-05-26 09:48:15 +0000
net-fs/samba: security cleanup
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Thomas Deutschmann <email@example.com>
net-fs/samba/Manifest | 2 -
net-fs/samba/samba-4.13.7.ebuild | 332 ---------------------------------------
net-fs/samba/samba-4.13.8.ebuild | 332 ---------------------------------------
3 files changed, 666 deletions(-)