SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
These are a security releases in order to address the following defect:
o CVE-2017-2619 (Symlink race allows access outside share definition)
=======
Details
=======
o CVE-2017-2619:
All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
a malicious client using a symlink race to allow access to areas of
the server file system not exported under the share definition.
Samba uses the realpath() system call to ensure when a client requests
access to a pathname that it is under the exported share path on the
server file system.
Clients that have write access to the exported part of the file system
via SMB1 unix extensions or NFS to create symlinks can race the server
by renaming a realpath() checked path and then creating a symlink. If
the client wins the race it can cause the server to access the new
symlink target after the exported share path check has been done. This
new symlink target can point to anywhere on the server file system.
This is a difficult race to win, but theoretically possible. Note that
the proof of concept code supplied wins the race reliably only when
the server is slowed down using the strace utility running on the
server. Exploitation of this bug has not been seen in the wild.
Changes:
--------
o Jeremy Allison <jra@samba.org>
* BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
directory.
o Ralph Boehme <slow@samba.org>
* BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
directory.
Samba 4.6.2, 4.5.8 and 4.4.13 are released with security fixes
Quote:
Release Announcements
---------------------
These are bug fix releases to address a regression introduced by the security
fixes for CVE-2017-2619 (Symlink race allows access outside share definition).
Please see https://bugzilla.samba.org/show_bug.cgi?id=12721 for details.
Changes:
--------
o Jeremy Allison <jra@samba.org>
* BUG 12721: Fix regression with "follow symlinks = no".
bind-9.10.4-P8, also 9.9.9-P8 and 9.11.0-P5 are released with security fixes.
Quote:
Security Fixes
* rndc "" could trigger an assertion failure in named. This flaw is
disclosed in (CVE-2017-3138). [RT #44924]
* Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed in
CVE-2017-3137. [RT #44734]
* dns64 with break-dnssec yes; can result in an assertion failure.
This flaw is disclosed in CVE-2017-3136. [RT #44653]
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for
DNS64 address mapping, a NULL pointer can be read triggering a
server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger
an assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
* It was possible to trigger a assertion when rendering a message
using a specially crafted request. This flaw is disclosed in
CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non absolute name could trigger an
infinite recursion bug in lwresd or named with lwres configured if,
when combined with a search list entry from resolv.conf, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.
commit dfe2042d96065f044a794f684e9f7976a4ca6e24
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Aug 30 00:34:58 2016 -0400
udp: properly support MSG_PEEK with truncated buffers
[ Upstream commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 ]
Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.