Errata overview
Errata ID 471
Date 2019-04-08
Source package samba
Fixed in version 2:4.7.8-1A~
This update addresses the following issue:
* Samba contains an RPC endpoint emulating the Windows registry service
  API. One of the requests, "winreg_SaveKey", is susceptible to a
  path/symlink traversal vulnerability. Unprivileged users can use it to
  create a new registry hive file anywhere they have unix permissions to
  create a new file within a Samba share. If they are able to create
  symlinks on a Samba share, they can create a new registry hive file
  anywhere they have write access, even outside a Samba share
  Existing share restrictions such as "read only" or share ACLs
  do not prevent new registry hive files being written to the
  filesystem. A file may be written under any share definition wherever
  the user has unix permissions to create a file.
  Existing files cannot be overwritten using this vulnerability, only
  new registry hive files can be created, however the presence of
  existing files with a specific name can be detected.
  Samba writes or detects the file as the authenticated user, but
  by UCS default the "Administrator" account is mapped to root, because
  it is configured as "admin user" in smb.conf.
  For details and possible mitigations see
Additional notes
CVE ID CVE-2019-3880
UCS Bug number #49214