[3.8] samba: Save registry file outside share as unprivileged user (CVE-2019-3880)
Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, “winreg_SaveKey”, is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hive file anywhere they have Unix permissions to
create a new file within a Samba share. If they are able to create
symlinks on a Samba share, they can create a new registry hive file
anywhere they have write access, even outside a Samba share
definition.
Affected Versions:
All versions of samba since samba 3.2.0
Fixed In Version:
samba 4.8.11, 4.9.6 and 4.10.2
References:
https://www.samba.org/samba/security/CVE-2019-3880.html
https://www.samba.org/samba/history/security.html
Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.8.10-security-2019-04-08.patch
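The affected and fixed versions listed above can be turned into a branch-aware check for package or host inventories. This is an added example, not code from Samba or from this tracker; the function names and the sample inventory are constructed, and it assumes that branches newer than 4.10 already carry the fix.

```python
import re

# Fixed releases per branch, taken from "Fixed In Version" above.
FIXED = {(4, 8): 11, (4, 9): 6, (4, 10): 2}
FIRST_AFFECTED = (3, 2, 0)      # "All versions of samba since samba 3.2.0"
NEWEST_FIXED_BRANCH = max(FIXED)


def parse_version(text):
    """Return (major, minor, patch) from strings such as 'Version 4.8.10',
    'samba-4.9.5-r0' or '4.10.0rc1'. Raise ValueError if none is found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no Samba version in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(text):
    """True if the version falls in the range this advisory lists as affected."""
    major, minor, patch = version = parse_version(text)
    if version < FIRST_AFFECTED:
        return False
    branch = (major, minor)
    if branch in FIXED:
        return patch < FIXED[branch]
    # Assumption: branches newer than 4.10 contain the fix. Older branches
    # have no fixed release listed on this page, so they stay affected.
    return branch < NEWEST_FIXED_BRANCH


def audit(inventory):
    """Given {host: version string}, return the sorted hosts needing an upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "fs1": "Version 4.8.10",
        "fs2": "samba-4.9.6-r0",
        "fs3": "4.10.0rc1",
        "fs4": "3.6.25",
    }
    for host in audit(sample):
        print(f"{host}: affected by CVE-2019-3880 ({sample[host]})")
```

The input strings can come from `smbd --version` or from the package manager's version field.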
(from redmine: issue id 10248, created on 2019-04-15, closed on 2019-04-18)
- Relations:
- parent #10246 (closed)