
The long road to a fix for CVE-2021-20316

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 23:53 UTC (Thu) by xecycle (subscriber, #140261)
Parent article: The long road to a fix for CVE-2021-20316

I wonder how the “LTS” distros responded? That said, it’s hard to fix in old versions; it seems it would be another slog for packagers who decide to backport all fixes. Or did they simply push a new version?


The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 0:27 UTC (Fri) by LtWorf (subscriber, #124958) [Link]

At this point they can either push the new version or just drop it from the repository. No other alternative.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 7:43 UTC (Fri) by pbonzini (subscriber, #60935) [Link]

They will either leave it unpatched (certainly in patch updates, possibly in minor releases too) or switch to a new version. It happens rarely, but sometimes there just isn't a choice.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 9:31 UTC (Fri) by NYKevin (subscriber, #129325) [Link]

Technically, it depends on your threat model. If you know that attackers cannot create symlinks (for example, because you've patched Samba to disallow this operation, and you don't give untrusted users local shell access), then in principle there is no security hole. But I doubt that distros can make that kind of guarantee with respect to end user deployments.

Nevertheless, if you're an IT department deploying Samba on e.g. a NAS, you probably *can* make that sort of guarantee. I'm not saying this is a good idea, however.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 15:16 UTC (Fri) by tialaramex (subscriber, #21167) [Link]

Sometimes, this happens to operating systems and you suck it up.

Windows NT 4 was known to be broken. IIRC some of its system calls (syscalls aren't *supposed* to be ABI compatibility points in Windows, but in practice if enough people rely on one then Microsoft can't change it) were just inherently insecure, as with the old path-based calls Samba is using here; there was no way to fix them without a rewrite of the relevant OS components and potentially breaking all the affected software.

If you went to Microsoft and said, "Look, this important security stuff is broken in NT4, where's a fix?" their answer was "Windows 2000". Is that a free upgrade? Nope, tough. If you want the important security fixes, buy the new operating system.

Life is like that. The people who own the building where I live discovered that their fire insulation wasn't up to specification in some voids, so they spent a pile of money fixing it and it came out of normal operating funds (thus paid for by home owners like me). But after Grenfell, lots of people in tall buildings found out that the entire outer layer of their building was a fire hazard and the consequence was their homes became unsaleable and (unless Government decides to step in and fix it or force the builders to fix it, which they still haven't many years later) they would need to spend far more money than they have to solve the problem and be able to sell their home. Ouch.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds