samba: fix CVE-2023-4091

A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions. References: https://nvd.nist.gov/vuln/detail/CVE-2023-4091 Fix is patched to the function call smbd_check_access_rights_fsp() of open_file(), But in samba_4.14.14 smbd_check_access_rights() is used, from samba_4.15.0 onwards smbd_check_access_rights() was replaced with smbd_check_access_rights_fsp() and samba_4.14.14 is still vulnerable through smbd_check_access_rights(). Ref: https://github.com/samba-team/samba/commit/3f61369d153419158c0f223e6f81c0bb07275833 https://github.com/samba-team/samba/commit/26dc10bdb2cff3eece4a2874931b4058f9f87d68 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-11-23 06:13:07 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-12-13 13:35:51 -0500
commit: ad3dc46c878ae8bd90e720c672d159fe5763dbe3 (patch)
tree: 5beeee0002ea6f89070dc519c71b2b855f9805f2
parent: 01c0aaaf620f9eeb073f39ce5149f08bb6a32cb0 (diff)
download: meta-openembedded-ad3dc46c878ae8bd90e720c672d159fe5763dbe3.tar.gz
3 files changed, 254 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch
new file mode 100644
index 0000000000..908ab85baf
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch
@@ -0,0 +1,193 @@
+From b08a60160e6ab8d982d31844bcbf7ab67ff3a8de Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 1 Aug 2023 12:30:00 +0200
+Subject: [PATCH 2/2] CVE-2023-4091: smbtorture: test overwrite dispositions on
+ read-only file
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
+Signed-off-by: Ralph Boehme <slow@samba.org>
+CVE: CVE-2023-4091
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/b08a60160e6ab8d982d31844bcbf7ab67ff3a8de]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ selftest/knownfail.d/samba3.smb2.acls |   1 +
+ source4/torture/smb2/acls.c           | 145 ++++++++++++++++++++++++++
+ 2 files changed, 146 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba3.smb2.acls
+diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
+new file mode 100644
+index 0000000..18df260
+--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2.acls
+@@ -0,0 +1 @@
+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
+diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
+index 4f4538b..d26caeb 100644
+--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
+@@ -3023,6 +3023,149 @@ done:
+        return ret;
+ }
+static bool test_overwrite_read_only_file(struct torture_context *tctx,
+                                         struct smb2_tree *tree)
+{
+       NTSTATUS status;
+       struct smb2_create c;
+       const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
+       struct smb2_handle handle = {{0}};
+       union smb_fileinfo q;
+       union smb_setfileinfo set;
+       struct security_descriptor *sd = NULL, *sd_orig = NULL;
+       const char *owner_sid = NULL;
+       int i;
+       bool ret = true;
+
+       struct tcase {
+               int disposition;
+               const char *disposition_string;
+               NTSTATUS expected_status;
+       } tcases[] = {
+#define TCASE(d, s) {                          \
+               .disposition = d,               \
+               .disposition_string = #d,       \
+               .expected_status = s,           \
+       }
+               TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
+               TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
+               TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
+               TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
+       };
+#undef TCASE
+
+       ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
+       torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
+
+       c = (struct smb2_create) {
+               .in.desired_access = SEC_STD_READ_CONTROL |
+                       SEC_STD_WRITE_DAC |
+                       SEC_STD_WRITE_OWNER,
+               .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+               .in.share_access = NTCREATEX_SHARE_ACCESS_READ |
+                       NTCREATEX_SHARE_ACCESS_WRITE,
+               .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+               .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+               .in.fname = fname,
+       };
+
+       status = smb2_create(tree, tctx, &c);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_create failed\n");
+       handle = c.out.file.handle;
+
+       torture_comment(tctx, "get the original sd\n");
+
+       ZERO_STRUCT(q);
+       q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
+       q.query_secdesc.in.file.handle = handle;
+       q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
+
+       status = smb2_getinfo_file(tree, tctx, &q);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_getinfo_file failed\n");
+       sd_orig = q.query_secdesc.out.sd;
+
+       owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
+
+       sd = security_descriptor_dacl_create(tctx,
+                                       0, NULL, NULL,
+                                       owner_sid,
+                                       SEC_ACE_TYPE_ACCESS_ALLOWED,
+                                       SEC_FILE_READ_DATA,
+                                       0,
+                                       NULL);
+
+       ZERO_STRUCT(set);
+       set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+       set.set_secdesc.in.file.handle = handle;
+       set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+       set.set_secdesc.in.sd = sd;
+
+       status = smb2_setinfo_file(tree, &set);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_setinfo_file failed\n");
+
+       smb2_util_close(tree, handle);
+       ZERO_STRUCT(handle);
+
+       for (i = 0; i < ARRAY_SIZE(tcases); i++) {
+               torture_comment(tctx, "Verify open with %s dispostion\n",
+                               tcases[i].disposition_string);
+
+               c = (struct smb2_create) {
+                       .in.create_disposition = tcases[i].disposition,
+                       .in.desired_access = SEC_FILE_READ_DATA,
+                       .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+                       .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+                       .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+                       .in.fname = fname,
+               };
+
+               status = smb2_create(tree, tctx, &c);
+               smb2_util_close(tree, c.out.file.handle);
+               torture_assert_ntstatus_equal_goto(
+                       tctx, status, tcases[i].expected_status, ret, done,
+                       "smb2_create failed\n");
+       };
+
+       torture_comment(tctx, "put back original sd\n");
+
+       c = (struct smb2_create) {
+               .in.desired_access = SEC_STD_WRITE_DAC,
+               .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+               .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+               .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+               .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+               .in.fname = fname,
+       };
+
+       status = smb2_create(tree, tctx, &c);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_create failed\n");
+       handle = c.out.file.handle;
+
+       ZERO_STRUCT(set);
+       set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+       set.set_secdesc.in.file.handle = handle;
+       set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+       set.set_secdesc.in.sd = sd_orig;
+
+       status = smb2_setinfo_file(tree, &set);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_setinfo_file failed\n");
+
+       smb2_util_close(tree, handle);
+       ZERO_STRUCT(handle);
+
+done:
+       smb2_util_close(tree, handle);
+       smb2_util_unlink(tree, fname);
+       smb2_deltree(tree, BASEDIR);
+       return ret;
+}
+
+
+ /*
+    basic testing of SMB2 ACLs
+ */
+@@ -3051,6 +3194,8 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
+                        test_deny1);
+        torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
+                        test_mxac_not_granted);
+       torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE",
+                       test_overwrite_read_only_file);
+        suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
+--
+2.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch
new file mode 100644
index 0000000000..43d3b4929f
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch
@@ -0,0 +1,59 @@
+From 8b26f634372f11edcbea33dfd68a3d57889dfcc5 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 1 Aug 2023 13:04:36 +0200
+Subject: [PATCH] CVE-2023-4091: smbd: use open_access_mask for access check in
+    open_file()
+If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
+FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
+access check we're using access_mask which doesn't contain the additional
+right, which means we can end up truncating a file for which the user has
+only read-only access via an SD.
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
+Signed-off-by: Ralph Boehme <slow@samba.org>
+CVE: CVE-2023-4091
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/8b26f634372f11edcbea33dfd68a3d57889dfcc5]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ selftest/knownfail.d/samba3.smb2.acls | 1 -
+ source3/smbd/open.c                   | 4 ++--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba3.smb2.acls
+diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
+deleted file mode 100644
+index 18df260..0000000
+--- a/selftest/knownfail.d/samba3.smb2.acls
+++ /dev/null
+@@ -1 +0,0 @@
+-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 2c3bf9e..4bec5cb 100644
+--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
+@@ -1402,7 +1402,7 @@ static NTSTATUS open_file(files_struct *fsp,
+                                                conn->cwd_fsp,
+                                                smb_fname,
+                                                false,
+-                                               access_mask);
+                                               open_access_mask);
+ 
+                                if (!NT_STATUS_IS_OK(status)) {
+                                        DEBUG(10, ("open_file: "
+@@ -1585,7 +1585,7 @@ static NTSTATUS open_file(files_struct *fsp,
+                                conn->cwd_fsp,
+                                smb_fname,
+                                false,
+-                               access_mask);
+                               open_access_mask);
+ 
+                if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
+                                (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) &&
+-- 
+2.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index aa27592cb0..dcb4d8137f 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -49,6 +49,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
           file://CVE-2023-34968_0009.patch \
           file://CVE-2023-34968_0010.patch \
           file://CVE-2023-34968_0011.patch \
+           file://CVE-2023-4091-0001.patch \
+           file://CVE-2023-4091-0002.patch \
           "
 SRC_URI:append:libc-musl = " \
author	Archana Polampalli <archana.polampalli@windriver.com>	2023-11-23 06:13:07 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-12-13 13:35:51 -0500
commit	ad3dc46c878ae8bd90e720c672d159fe5763dbe3 (patch)
tree	5beeee0002ea6f89070dc519c71b2b855f9805f2
parent	01c0aaaf620f9eeb073f39ce5149f08bb6a32cb0 (diff)
download	meta-openembedded-ad3dc46c878ae8bd90e720c672d159fe5763dbe3.tar.gz

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch new file mode 100644 index 0000000000..908ab85baf --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch
@@ -0,0 +1,193 @@
		1	From b08a60160e6ab8d982d31844bcbf7ab67ff3a8de Mon Sep 17 00:00:00 2001
		2	From: Ralph Boehme <slow@samba.org>
		3	Date: Tue, 1 Aug 2023 12:30:00 +0200
		4	Subject: [PATCH 2/2] CVE-2023-4091: smbtorture: test overwrite dispositions on
		5	read-only file
		6
		7	BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
		8
		9	Signed-off-by: Ralph Boehme <slow@samba.org>
		10
		11	CVE: CVE-2023-4091
		12
		13	Upstream-Status: Backport [https://github.com/samba-team/samba/commit/b08a60160e6ab8d982d31844bcbf7ab67ff3a8de]
		14
		15	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		16	---
		17	selftest/knownfail.d/samba3.smb2.acls \| 1 +
		18	source4/torture/smb2/acls.c \| 145 ++++++++++++++++++++++++++
		19	2 files changed, 146 insertions(+)
		20	create mode 100644 selftest/knownfail.d/samba3.smb2.acls
		21
		22	diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
		23	new file mode 100644
		24	index 0000000..18df260
		25	--- /dev/null
		26	+++ b/selftest/knownfail.d/samba3.smb2.acls
		27	@@ -0,0 +1 @@
		28	+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
		29	diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
		30	index 4f4538b..d26caeb 100644
		31	--- a/source4/torture/smb2/acls.c
		32	+++ b/source4/torture/smb2/acls.c
		33	@@ -3023,6 +3023,149 @@ done:
		34	return ret;
		35	}
		36
		37	+static bool test_overwrite_read_only_file(struct torture_context *tctx,
		38	+ struct smb2_tree *tree)
		39	+{
		40	+ NTSTATUS status;
		41	+ struct smb2_create c;
		42	+ const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
		43	+ struct smb2_handle handle = {{0}};
		44	+ union smb_fileinfo q;
		45	+ union smb_setfileinfo set;
		46	+ struct security_descriptor sd = NULL, sd_orig = NULL;
		47	+ const char *owner_sid = NULL;
		48	+ int i;
		49	+ bool ret = true;
		50	+
		51	+ struct tcase {
		52	+ int disposition;
		53	+ const char *disposition_string;
		54	+ NTSTATUS expected_status;
		55	+ } tcases[] = {
		56	+#define TCASE(d, s) { \
		57	+ .disposition = d, \
		58	+ .disposition_string = #d, \
		59	+ .expected_status = s, \
		60	+ }
		61	+ TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
		62	+ TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
		63	+ TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
		64	+ TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
		65	+ };
		66	+#undef TCASE
		67	+
		68	+ ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
		69	+ torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
		70	+
		71	+ c = (struct smb2_create) {
		72	+ .in.desired_access = SEC_STD_READ_CONTROL \|
		73	+ SEC_STD_WRITE_DAC \|
		74	+ SEC_STD_WRITE_OWNER,
		75	+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
		76	+ .in.share_access = NTCREATEX_SHARE_ACCESS_READ \|
		77	+ NTCREATEX_SHARE_ACCESS_WRITE,
		78	+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
		79	+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
		80	+ .in.fname = fname,
		81	+ };
		82	+
		83	+ status = smb2_create(tree, tctx, &c);
		84	+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
		85	+ "smb2_create failed\n");
		86	+ handle = c.out.file.handle;
		87	+
		88	+ torture_comment(tctx, "get the original sd\n");
		89	+
		90	+ ZERO_STRUCT(q);
		91	+ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
		92	+ q.query_secdesc.in.file.handle = handle;
		93	+ q.query_secdesc.in.secinfo_flags = SECINFO_DACL \| SECINFO_OWNER;
		94	+
		95	+ status = smb2_getinfo_file(tree, tctx, &q);
		96	+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
		97	+ "smb2_getinfo_file failed\n");
		98	+ sd_orig = q.query_secdesc.out.sd;
		99	+
		100	+ owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
		101	+
		102	+ sd = security_descriptor_dacl_create(tctx,
		103	+ 0, NULL, NULL,
		104	+ owner_sid,
		105	+ SEC_ACE_TYPE_ACCESS_ALLOWED,
		106	+ SEC_FILE_READ_DATA,
		107	+ 0,
		108	+ NULL);
		109	+
		110	+ ZERO_STRUCT(set);
		111	+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		112	+ set.set_secdesc.in.file.handle = handle;
		113	+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
		114	+ set.set_secdesc.in.sd = sd;
		115	+
		116	+ status = smb2_setinfo_file(tree, &set);
		117	+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
		118	+ "smb2_setinfo_file failed\n");
		119	+
		120	+ smb2_util_close(tree, handle);
		121	+ ZERO_STRUCT(handle);
		122	+
		123	+ for (i = 0; i < ARRAY_SIZE(tcases); i++) {
		124	+ torture_comment(tctx, "Verify open with %s dispostion\n",
		125	+ tcases[i].disposition_string);
		126	+
		127	+ c = (struct smb2_create) {
		128	+ .in.create_disposition = tcases[i].disposition,
		129	+ .in.desired_access = SEC_FILE_READ_DATA,
		130	+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
		131	+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
		132	+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
		133	+ .in.fname = fname,
		134	+ };
		135	+
		136	+ status = smb2_create(tree, tctx, &c);
		137	+ smb2_util_close(tree, c.out.file.handle);
		138	+ torture_assert_ntstatus_equal_goto(
		139	+ tctx, status, tcases[i].expected_status, ret, done,
		140	+ "smb2_create failed\n");
		141	+ };
		142	+
		143	+ torture_comment(tctx, "put back original sd\n");
		144	+
		145	+ c = (struct smb2_create) {
		146	+ .in.desired_access = SEC_STD_WRITE_DAC,
		147	+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
		148	+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
		149	+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
		150	+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
		151	+ .in.fname = fname,
		152	+ };
		153	+
		154	+ status = smb2_create(tree, tctx, &c);
		155	+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
		156	+ "smb2_create failed\n");
		157	+ handle = c.out.file.handle;
		158	+
		159	+ ZERO_STRUCT(set);
		160	+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		161	+ set.set_secdesc.in.file.handle = handle;
		162	+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
		163	+ set.set_secdesc.in.sd = sd_orig;
		164	+
		165	+ status = smb2_setinfo_file(tree, &set);
		166	+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
		167	+ "smb2_setinfo_file failed\n");
		168	+
		169	+ smb2_util_close(tree, handle);
		170	+ ZERO_STRUCT(handle);
		171	+
		172	+done:
		173	+ smb2_util_close(tree, handle);
		174	+ smb2_util_unlink(tree, fname);
		175	+ smb2_deltree(tree, BASEDIR);
		176	+ return ret;
		177	+}
		178	+
		179	+
		180	/*
		181	basic testing of SMB2 ACLs
		182	*/
		183	@@ -3051,6 +3194,8 @@ struct torture_suite torture_smb2_acls_init(TALLOC_CTX ctx)
		184	test_deny1);
		185	torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
		186	test_mxac_not_granted);
		187	+ torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE",
		188	+ test_overwrite_read_only_file);
		189
		190	suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
		191
		192	--
		193	2.40.0


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch new file mode 100644 index 0000000000..43d3b4929f --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch
@@ -0,0 +1,59 @@
		1	From 8b26f634372f11edcbea33dfd68a3d57889dfcc5 Mon Sep 17 00:00:00 2001
		2	From: Ralph Boehme <slow@samba.org>
		3	Date: Tue, 1 Aug 2023 13:04:36 +0200
		4	Subject: [PATCH] CVE-2023-4091: smbd: use open_access_mask for access check in
		5	open_file()
		6
		7	If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
		8	FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
		9	access check we're using access_mask which doesn't contain the additional
		10	right, which means we can end up truncating a file for which the user has
		11	only read-only access via an SD.
		12
		13	BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
		14
		15	Signed-off-by: Ralph Boehme <slow@samba.org>
		16
		17	CVE: CVE-2023-4091
		18
		19	Upstream-Status: Backport [https://github.com/samba-team/samba/commit/8b26f634372f11edcbea33dfd68a3d57889dfcc5]
		20
		21	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		22	---
		23	selftest/knownfail.d/samba3.smb2.acls \| 1 -
		24	source3/smbd/open.c \| 4 ++--
		25	2 files changed, 2 insertions(+), 3 deletions(-)
		26	delete mode 100644 selftest/knownfail.d/samba3.smb2.acls
		27
		28	diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
		29	deleted file mode 100644
		30	index 18df260..0000000
		31	--- a/selftest/knownfail.d/samba3.smb2.acls
		32	+++ /dev/null
		33	@@ -1 +0,0 @@
		34	-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
		35	diff --git a/source3/smbd/open.c b/source3/smbd/open.c
		36	index 2c3bf9e..4bec5cb 100644
		37	--- a/source3/smbd/open.c
		38	+++ b/source3/smbd/open.c
		39	@@ -1402,7 +1402,7 @@ static NTSTATUS open_file(files_struct *fsp,
		40	conn->cwd_fsp,
		41	smb_fname,
		42	false,
		43	- access_mask);
		44	+ open_access_mask);
		45
		46	if (!NT_STATUS_IS_OK(status)) {
		47	DEBUG(10, ("open_file: "
		48	@@ -1585,7 +1585,7 @@ static NTSTATUS open_file(files_struct *fsp,
		49	conn->cwd_fsp,
		50	smb_fname,
		51	false,
		52	- access_mask);
		53	+ open_access_mask);
		54
		55	if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
		56	(fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) &&
		57	--
		58	2.40.0
		59


diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb index aa27592cb0..dcb4d8137f 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -49,6 +49,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
49	file://CVE-2023-34968_0009.patch \	49	file://CVE-2023-34968_0009.patch \
50	file://CVE-2023-34968_0010.patch \	50	file://CVE-2023-34968_0010.patch \
51	file://CVE-2023-34968_0011.patch \	51	file://CVE-2023-34968_0011.patch \
		52	file://CVE-2023-4091-0001.patch \
		53	file://CVE-2023-4091-0002.patch \
52	"	54	"
53		55
54	SRC_URI:append:libc-musl = " \	56	SRC_URI:append:libc-musl = " \