Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 786825 (CVE-2021-20254) - <net-fs/samba-{4.12.15, 4.13.8, 4.14.4}: Possible access restriction bypass to delete files (CVE-2021-20254)
Summary: <net-fs/samba-{4.12.15, 4.13.8, 4.14.4}: Possible access restriction bypass t...
Status: RESOLVED FIXED
Alias: CVE-2021-20254
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve glsa+]
Keywords: CC-ARCHES, STABLEREQ
Depends on:
Blocks:
 
Reported: 2021-04-29 13:58 UTC by Sam James
Modified: 2021-05-26 09:48 UTC (History)
1 user (show)

See Also:
Package list:
net-fs/samba-4.13.9
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-04-29 13:58:53 UTC
o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
 in the Samba file server process token.

=======
Details
=======

o  CVE-2021-20254:
  The Samba smbd file server must map Windows group identities (SIDs) into unix
  group ids (gids). The code that performs this had a flaw that could allow it
  to read data beyond the end of the array in the case where a negative cache
  entry had been added to the mapping cache. This could cause the calling code
  to return those values into the process token that stores the group
  membership for a user.

  Most commonly this flaw caused the calling code to crash, but an alert user
  (Peter Eriksson, IT Department, Linköping University) found this flaw by
  noticing an unprivileged user was able to delete a file within a network
  share that they should have been disallowed access to.

  Analysis of the code paths has not allowed us to discover a way for a
  remote user to be able to trigger this flaw reproducibly or on demand,
  but this CVE has been issued out of an abundance of caution.
Comment 1 Sam James archtester gentoo-dev Security 2021-04-29 21:16:01 UTC
Bumped in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f10d6e6b8d366ca8b4cf89205f0e08e67b8de0bc. Tell us when ready to stable - we can replace other bug if needed.
Comment 2 Sam James archtester gentoo-dev Security 2021-05-09 01:53:53 UTC
ping
Comment 3 Sam James archtester gentoo-dev Security 2021-05-24 02:16:59 UTC
amd64 done
Comment 4 Sam James archtester gentoo-dev Security 2021-05-25 00:20:42 UTC
x86 stable
Comment 5 Sam James archtester gentoo-dev Security 2021-05-25 11:05:40 UTC
sparc done
Comment 6 Sam James archtester gentoo-dev Security 2021-05-25 12:34:36 UTC
arm done
Comment 7 Thomas Deutschmann gentoo-dev Security 2021-05-25 13:24:08 UTC
New GLSA request filed.
Comment 8 Sam James archtester gentoo-dev Security 2021-05-25 16:54:33 UTC
arm64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-05-25 16:54:36 UTC
ppc done
Comment 10 Sam James archtester gentoo-dev Security 2021-05-25 16:54:41 UTC
ppc64 done

all arches done
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 09:45:55 UTC
This issue was resolved and addressed in
 GLSA 202105-22 at https://security.gentoo.org/glsa/202105-22
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Larry the Git Cow gentoo-dev 2021-05-26 09:48:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6af5ffd92963345295cf6b245e2e10d658a7965

commit a6af5ffd92963345295cf6b245e2e10d658a7965
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-26 09:48:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-26 09:48:15 +0000

    net-fs/samba: security cleanup
    
    Bug: https://bugs.gentoo.org/786825
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-fs/samba/Manifest            |   2 -
 net-fs/samba/samba-4.13.7.ebuild | 332 ---------------------------------------
 net-fs/samba/samba-4.13.8.ebuild | 332 ---------------------------------------
 3 files changed, 666 deletions(-)