Bugzilla – Bug 968222
VUL-0: CVE-2015-7560: samba: Getting and setting Windows ACLs on symlinks can change permissions on link target.
Last modified: 2016-04-27 18:23:22 UTC
public now. https://www.samba.org/samba/security/CVE-2015-7560.html

===========================================================
== Subject:     Incorrect ACL get/set allowed on symlink path.
==
== CVE ID#:     CVE-2015-7560
==
== Versions:    Samba 3.2.0 to 4.4.0rc3
==
== Summary:     Authenticated client could cause Samba to
==              overwrite ACLs with incorrect owner/group.
==
===========================================================

===========
Description
===========

All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to overwrite the contents of the ACL on the file or directory linked to.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.4.0rc4, 4.3.6, 4.2.9 and 4.1.23 have been issued as security releases to correct the defect. Patches against older Samba versions are available at https://www.samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd.

Alternatively, prohibit the use of SMB1 by setting the parameter:

server min protocol = SMB2

to the [global] section of your smb.conf and restart smbd.

=======
Credits
=======

This problem was found by Jeremy Allison of Google, Inc. and the Samba Team, who also provided the fix.
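An added check (not part of this bug report or of the Samba project) that inspects an smb.conf for either workaround named in the advisory above: "unix extensions = no" in [global], or "server min protocol" raised to SMB2/SMB3. The sample configurations are constructed for the example; the check treats a parameter placed outside [global] as ineffective, since both parameters are global-only.

```shell
# Returns 0 if the smb.conf at $1 applies a CVE-2015-7560 workaround, 1 otherwise.
# Only the [global] section counts: "unix extensions" and "server min protocol"
# are global parameters, so a copy inside a share section does not protect anything.
smbconf_mitigated() {
    awk '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        in_global && !/^[[:space:]]*[;#]/ && /=/ {
            key = tolower($0); sub(/=.*/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = tolower($0); sub(/^[^=]*=/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            # Samba accepts no/false/0 as boolean false; default is yes (vulnerable).
            if (key == "unix extensions" && (val == "no" || val == "false" || val == "0")) ok = 1
            # SMB2, SMB2_02, SMB2_10, SMB3, SMB3_xx all disable SMB1 (and its UNIX extensions).
            if (key == "server min protocol" && val ~ /^smb[23]/) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Constructed sample configurations (not taken from the bug report).
VULN_CONF=$(mktemp)
cat >"$VULN_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; unix extensions defaults to yes, and NT1 still permits SMB1 clients
   server min protocol = NT1
[share]
   path = /srv/share
   ; wrong section: a global-only parameter here is ignored by smbd
   unix extensions = no
EOF

FIXED_CONF=$(mktemp)
cat >"$FIXED_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   unix extensions = no
EOF

FIXED2_CONF=$(mktemp)
cat >"$FIXED2_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   server min protocol = SMB2
EOF

for f in "$VULN_CONF" "$FIXED_CONF" "$FIXED2_CONF"; do
    if smbconf_mitigated "$f"; then echo "$f: mitigated"; else echo "$f: VULNERABLE"; fi
done
```

On a live host the same function can be pointed at a saved copy of `testparm -s` output, which prints the parsed non-default settings in canonical form.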
please also submit for openSUSE now. (13.2 and Factory are sufficient; Leap gets it from 12-SP1)
This is an autogenerated message for OBS integration: This bug (968222) was mentioned in https://build.opensuse.org/request/show/368484 Factory / samba
This is an autogenerated message for OBS integration: This bug (968222) was mentioned in https://build.opensuse.org/request/show/368568 13.2 / samba
All done from our side.
updates are being released now
openSUSE-SU-2016:0813-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 953382,953972,968222,968223
CVE References: CVE-2015-7560,CVE-2016-0771
Sources used:
openSUSE 13.2 (src): samba-4.1.23-31.1

SUSE-SU-2016:0814-1: An update that solves one vulnerability and has four fixes is now available.
Category: security (important)
Bug References: 953382,953972,960249,962177,968222
CVE References: CVE-2015-7560
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): samba-4.1.12-18.8.1
SUSE Linux Enterprise Server 12 (src): samba-4.1.12-18.8.1
SUSE Linux Enterprise Desktop 12 (src): samba-4.1.12-18.8.1

SUSE-SU-2016:0816-1: An update that solves one vulnerability and has 6 fixes is now available.
Category: security (important)
Bug References: 953382,953972,960249,962177,964023,966271,968222
CVE References: CVE-2015-7560
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): samba-4.2.4-11.1
SUSE Linux Enterprise Server 12-SP1 (src): samba-4.2.4-11.1
SUSE Linux Enterprise Desktop 12-SP1 (src): samba-4.2.4-11.1

SUSE-SU-2016:0837-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 967017,968222
CVE References: CVE-2015-7560
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): samba-3.6.3-67.2
SUSE Linux Enterprise Server 11-SP4 (src): samba-3.6.3-67.2, samba-doc-3.6.3-67.2
SUSE Linux Enterprise Desktop 11-SP4 (src): samba-3.6.3-67.2, samba-doc-3.6.3-67.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): samba-3.6.3-67.2

openSUSE-SU-2016:0877-1: An update that solves one vulnerability and has 6 fixes is now available.
Category: security (important)
Bug References: 953382,953972,960249,962177,964023,966271,968222
CVE References: CVE-2015-7560
Sources used:
openSUSE Leap 42.1 (src): samba-4.2.4-12.1

SUSE-SU-2016:0905-1: An update that solves one vulnerability and has three fixes is now available.
Category: security (important)
Bug References: 936909,953382,967017,968222
CVE References: CVE-2015-7560
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): samba-3.6.3-48.2, samba-doc-3.6.3-48.2
SUSE Linux Enterprise Debuginfo 11-SP2 (src): samba-3.6.3-48.2
Product List:
SUSE Linux Enterprise Server 11-SP2-LTSS
SUSE Linux Enterprise Debuginfo 11-SP2

openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available.
Category: security (important)
Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.2 (src): samba-4.2.4-34.1

openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.
Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src): samba-4.2.4-3.54.2

openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.
Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src): samba-3.6.3-141.1, samba-doc-3.6.3-141.1