Arch Linux Security Advisory ASA-201911-6
=========================================

Severity: Medium
Date    : 2019-11-03
CVE-ID  : CVE-2019-10218 CVE-2019-14833 CVE-2019-14847
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1057

Summary
=======

The package samba before version 4.10.10-1 is vulnerable to multiple
issues including arbitrary filesystem access, insufficient validation
and denial of service.

Resolution
==========

Upgrade to 4.10.10-1.

# pacman -Syu "samba>=4.10.10-1"

The problems have been fixed upstream in version 4.10.10.

Workaround
==========

None.

Description
===========

- CVE-2019-10218 (arbitrary filesystem access)

An issue has been found in Samba before 4.10.10 where a malicious
server can craft a pathname containing separators and return this to
client code, causing the client to use this access local pathnames for
reading or writing instead of SMB network pathnames.

- CVE-2019-14833 (insufficient validation)

A security issue has been found in Samba before 4.10.10, where the
check password script does not receive the full password string when
the password contains multi-byte (non-ASCII) characters.
Since Samba Version 4.5.0 a Samba AD DC can use a custom command to
verify the password complexity. The command can be specified with the
"check password script" smb.conf parameter. This command is called when
Samba handles a user password change or a new user password is set. The
script receives the new cleartext password string in order to run
custom password complexity checks like dictionary checks to avoid weak
user passwords. If the check password script parameter is not
specified, Samba runs the internal password quality checks. The
internal check makes sure that a password contains characters from
three of five different characters categories.

- CVE-2019-14847 (denial of service)

A denial of service has been found in Samba before 4.10.10, where users
with the "get changes" extended access right can crash the AD DC LDAP
server by requesting an attribute using the range= syntax.
By default, the supported versions of Samba impacted by this issue run
using the "standard" process model, which is unaffected. This is
controlled by the -M or --model parameter to the samba binary.
Unsupported Samba versions before Samba 4.7 use a single process for
the LDAP server, and so are impacted. Samba 4.8, 4.9 and 4.10 are
impacted if -M prefork or -M single is used. To mitigate this issue,
select -M standard (the default).

Impact
======

An attacker is able to access and write on files via arbitrary paths or
crash the application.

References
==========

https://www.samba.org/samba/security/CVE-2019-10218.html
https://www.samba.org/samba/ftp/patches/security/samba-4.10.9-security-2019-10-29.patch
https://www.samba.org/samba/security/CVE-2019-14833.html
https://download.samba.org/pub/samba/patches/security/samba-4.10.9-security-2019-10-29.patch
https://www.samba.org/samba/security/CVE-2019-14847.html
https://security.archlinux.org/CVE-2019-10218
https://security.archlinux.org/CVE-2019-14833
https://security.archlinux.org/CVE-2019-14847