[Pkg-samba-maint] r3082 - in branches/samba/lenny/debian: . patches
bubulle at alioth.debian.org
bubulle at alioth.debian.org
Sat Oct 10 07:34:35 UTC 2009
Author: bubulle
Date: 2009-10-10 07:34:24 +0000 (Sat, 10 Oct 2009)
New Revision: 3082
Added:
branches/samba/lenny/debian/patches/security-CVE-2009-2813.patch
branches/samba/lenny/debian/patches/security-CVE-2009-2906.patch
branches/samba/lenny/debian/patches/security-CVE-2009-2948-1.patch
branches/samba/lenny/debian/patches/security-CVE-2009-2948-2.patch
Modified:
branches/samba/lenny/debian/changelog
branches/samba/lenny/debian/patches/series
Log:
Candidate patches for a security update
Modified: branches/samba/lenny/debian/changelog
===================================================================
--- branches/samba/lenny/debian/changelog 2009-10-07 19:31:10 UTC (rev 3081)
+++ branches/samba/lenny/debian/changelog 2009-10-10 07:34:24 UTC (rev 3082)
@@ -1,3 +1,16 @@
+samba (2:3.2.5-4lenny7) stable-security; urgency=high
+
+ * Security update. Fixes the following issues:
+ - CVE-2009-2813: fix information leak with misconfigured
+ /etc/passwd file
+ - CVE-2009-2906: remote DoS against smbd on authenticated
+ connections
+ - CVE-2009-2948: information disclosure by setuid mount.cifs
+ * Thanks to Nico Golde for helping with upstream patch backport
+ for CVE-2009-2948 and CVE-2009-2906
+
+ -- Christian Perrier <bubulle at debian.org> Mon, 28 Sep 2009 22:34:10 +0200
+
samba (2:3.2.5-4lenny6) stable-security; urgency=low
* The former upload (2:3.2.5-4lenny5) was made to the wrong
Added: branches/samba/lenny/debian/patches/security-CVE-2009-2813.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2009-2813.patch (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2009-2813.patch 2009-10-10 07:34:24 UTC (rev 3082)
@@ -0,0 +1,57 @@
+Goal: Fix information disclosure with misconfigured /etc/passwd file
+
+Fixes: Upstream security fix. CVE-2009-2813
+
+Status wrt upstream: Fixed in 3.2.15
+
+Author: Apple and Jeremy Allison <jra at samba.org>
+
+diff --git a/source/param/loadparm.c b/source/param/loadparm.c
+index 4556d0b..6df94e1 100644
+--- a/source/param/loadparm.c
++++ b/source/param/loadparm.c
+@@ -5827,6 +5827,11 @@ bool lp_add_home(const char *pszHomename, int iDefaultService,
+ {
+ int i;
+
++ if (pszHomename == NULL || user == NULL || pszHomedir == NULL ||
++ pszHomedir[0] == '\0') {
++ return false;
++ }
++
+ i = add_a_service(ServicePtrs[iDefaultService], pszHomename);
+
+ if (i < 0)
+@@ -7777,7 +7782,7 @@ static void lp_add_auto_services(char *str)
+
+ home = get_user_home_dir(talloc_tos(), p);
+
+- if (home && homes >= 0)
++ if (home && home[0] && homes >= 0)
+ lp_add_home(p, homes, p, home);
+
+ TALLOC_FREE(home);
+diff --git a/source/smbd/service.c b/source/smbd/service.c
+index 1c8ffbd..5d9b9df 100644
+--- a/source/smbd/service.c
++++ b/source/smbd/service.c
+@@ -55,6 +55,10 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
+ const char *s = connectpath;
+ bool start_of_name_component = true;
+
++ if (connectpath == NULL || connectpath[0] == '\0') {
++ return false;
++ }
++
+ destname = SMB_STRDUP(connectpath);
+ if (!destname) {
+ return false;
+@@ -327,7 +331,7 @@ int add_home_service(const char *service, const char *username, const char *home
+ {
+ int iHomeService;
+
+- if (!service || !homedir)
++ if (!service || !homedir || homedir[0] == '\0')
+ return -1;
+
+ if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0) {
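Review bot: The new guard at the top of `lp_add_home` has no comment saying why an empty `pszHomedir` is refused, even though the same rule is now repeated in `lp_add_auto_services` (`home[0]`), `add_home_service` (`homedir[0] == '\0'`) and `set_conn_connectpath` (`connectpath[0] == '\0'`), and a later maintainer could drop one of them as redundant. I would add above the check `/* An empty home directory (e.g. a blank field in /etc/passwd) must never become the path of a [homes] share; refuse it here and in every caller. */` — the exact path such a share would resolve to is not visible in the hunk, so the comment states only the rule. Note that `lp_add_home` and `set_conn_connectpath` both begin before the hunk, so the parameters `user` and `pszHomedir` referenced by the new condition are not visible here.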
Added: branches/samba/lenny/debian/patches/security-CVE-2009-2906.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2009-2906.patch (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2009-2906.patch 2009-10-10 07:34:24 UTC (rev 3082)
@@ -0,0 +1,97 @@
+Goal: Fix remote DoS against smbd on authenticated
+ connections
+
+Fixes: Upstream security fix. CVE-2009-2906
+
+Status wrt upstream: Fixed in 3.2.15
+
+Author: Jeremy Allison
+
+diff -Nurad samba-3.2.5.orig/source/include/smb.h samba-3.2.5/source/include/smb.h
+--- samba-3.2.5.orig/source/include/smb.h 2009-10-09 17:24:51.000000000 +0200
++++ samba-3.2.5/source/include/smb.h 2009-10-09 17:25:26.000000000 +0200
+@@ -758,6 +758,7 @@
+ struct timeval request_time; /* When was this first issued? */
+ struct timeval end_time; /* When does this time out? */
+ bool encrypted;
++ bool processed;
+ DATA_BLOB buf;
+ DATA_BLOB private_data;
+ };
+diff -Nurad samba-3.2.5.orig/source/smbd/process.c samba-3.2.5/source/smbd/process.c
+--- samba-3.2.5.orig/source/smbd/process.c 2009-10-09 17:24:51.000000000 +0200
++++ samba-3.2.5/source/smbd/process.c 2009-10-09 17:31:16.000000000 +0200
+@@ -434,6 +434,7 @@
+ msg->request_time = request_time;
+ msg->end_time = end_time;
+ msg->encrypted = req->encrypted;
++ msg->processed = false;
+
+ if (private_data) {
+ msg->private_data = data_blob_talloc(msg, private_data,
+@@ -489,6 +490,14 @@
+ DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
+ (unsigned int)msg_mid ));
+ if (mid == msg_mid) {
++ if (pml->processed) {
++ /* A processed message should not be
++ * rescheduled. */
++ DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
++ "message mid %u was already processed\n",
++ (unsigned int)msg_mid ));
++ continue;
++ }
+ DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
+ mid ));
+ pml->end_time.tv_sec = 0;
+@@ -503,7 +512,7 @@
+ }
+
+ /****************************************************************************
+- Return true if this mid is on the deferred queue.
++ Return true if this mid is on the deferred queue and was not yet processed.
+ ****************************************************************************/
+
+ bool open_was_deferred(uint16 mid)
+@@ -511,7 +520,7 @@
+ struct pending_message_list *pml;
+
+ for (pml = deferred_open_queue; pml; pml = pml->next) {
+- if (SVAL(pml->buf.data,smb_mid) == mid) {
++ if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
+ return True;
+ }
+ }
+@@ -778,6 +787,10 @@
+ /* We leave this message on the queue so the open code can
+ know this is a retry. */
+ DEBUG(5,("receive_message_or_smb: returning deferred open smb message.\n"));
++
++ /* Mark the message as processed so this is not
++ * re-processed in error. */
++ msg->processed = true;
+ return NT_STATUS_OK;
+ }
+ }
+@@ -1469,6 +1482,7 @@
+
+ static void construct_reply(char *inbuf, int size, size_t unread_bytes, bool encrypted)
+ {
++ struct pending_message_list *pml = NULL;
+ uint8 type = CVAL(inbuf,smb_com);
+ connection_struct *conn;
+ struct smb_request *req;
+@@ -1484,6 +1498,13 @@
+
+ conn = switch_message(type, req, size);
+
++ /* If this was a deferred message and it's still there and
++ * was processed, remove it. */
++ pml = get_open_deferred_message(req->mid);
++ if (pml && pml->processed) {
++ remove_deferred_open_smb_message(req->mid);
++ }
++
+ if (req->unread_bytes) {
+ /* writeX failed. drain socket. */
+ if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
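Review bot: The new `bool processed;` member in smb.h is the only field in that struct without a comment, while its neighbours (`request_time`, `end_time`) each say what they mean, and the flag's lifecycle is spread across three functions in process.c. I would write `bool processed; /* set once the deferred request has been handed back to the main loop; such a message must not be rescheduled or reported by open_was_deferred() */`, which is exactly what the `continue` in `schedule_deferred_open_smb_message` and the `!pml->processed` test in `open_was_deferred` enforce. The field is initialised to `false` only in the allocation path visible at the `msg->encrypted` hunk; if `struct pending_message_list` is created anywhere else without zeroing, the flag would be indeterminate — worth confirming against the rest of process.c. `construct_reply` starts outside the hunk where `req` is set up, so the safety of dereferencing `req->mid` after `switch_message` cannot be judged from here.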
Added: branches/samba/lenny/debian/patches/security-CVE-2009-2948-1.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2009-2948-1.patch (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2009-2948-1.patch 2009-10-10 07:34:24 UTC (rev 3082)
@@ -0,0 +1,60 @@
+Goal: Fix information disclosure by setuid mount.cifs. 1/2
+
+Fixes: Upstream security fix. CVE-2009-2948
+
+Status wrt upstream: Fixed in 3.2.15
+
+Author: Jeff Layton <jlayton at redhat.com>
+ Nico Golde <nion at pool.math.tu-berlin.de> (backport to 3.2.5)
+
+From e4bd1535a1ccf085ccc8f03c2bac307c34f0fd37 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at redhat.com>
+Date: Fri, 25 Sep 2009 07:03:44 -0400
+Subject: [PATCH] mount.cifs: check access of credential files before opening
+
+It's possible for an unprivileged user to pass a setuid mount.cifs a
+credential or password file to which he does not have access. This can cause
+mount.cifs to open the file on his behalf and possibly leak the info in the
+first few lines of the file.
+
+Check the access permissions of the file before opening it.
+
+Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Acked-by: Steve French <sfrench at us.ibm.com>
+---
+ source/client/mount.cifs.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/source/client/mount.cifs.c b/source/client/mount.cifs.c
+index d05115b..cee9188 100644
+--- a/source/client/mount.cifs.c
++++ b/source/client/mount.cifs.c
+@@ -199,6 +199,11 @@ static int open_cred_file(char * file_name)
+ char * temp_val;
+ FILE * fs;
+ int i, length;
++
++ i = access(file_name, R_OK);
++ if (i)
++ return i;
++
+ fs = fopen(file_name,"r");
+ if(fs == NULL)
+ return errno;
+@@ -321,6 +326,12 @@ static int get_password_from_file(int file_descript, char * filename)
+ }
+
+ if(filename != NULL) {
++ rc = access(filename, R_OK);
++ if (rc) {
++ fprintf(stderr, "mount.cifs failed: access check of %s failed: %s\n",
++ filename, strerror(errno));
++ exit(2);
++ }
+ file_descript = open(filename, O_RDONLY);
+ if(file_descript < 0) {
+ printf("mount.cifs failed. %s attempting to open password file %s\n",
+--
+1.6.0.6
+
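Review bot: In `open_cred_file` the new check returns the raw `-1` from `access()` (`if (i) return i;`), whereas the function's existing failure path two lines below returns `errno`, so a caller that treats the result as an errno value gets a meaningless code; the consistent form is `if (access(file_name, R_OK) != 0) return errno;`. Beyond that, `access()` followed by `fopen()`/`open()` is a check-then-use sequence (CERT FIO45-C): the permission test and the open are separate system calls, so the object checked is not guaranteed to be the object opened. For a setuid helper the robust pattern is to perform the open with the effective uid lowered to the real uid (`seteuid(getuid())` around the call, restored afterwards), or to `fstat()` the opened descriptor and verify the real user could read it before any data is consumed. The second site in `get_password_from_file` at least reports `strerror(errno)` and exits, which is the better of the two error paths.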
Added: branches/samba/lenny/debian/patches/security-CVE-2009-2948-2.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2009-2948-2.patch (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2009-2948-2.patch 2009-10-10 07:34:24 UTC (rev 3082)
@@ -0,0 +1,100 @@
+Goal: Fix information disclosure by setuid mount.cifs. 2/2
+
+Fixes: Upstream security fix. CVE-2009-2948
+
+Status wrt upstream: Fixed in 3.2.15
+
+Author: Jeff Layton <jlayton at redhat.com>
+ Nico Golde <nion at pool.math.tu-berlin.de> (backport to 3.2.5)
+
+diff -Nurad samba-3.2.5/source/client/mount.cifs.c samba-3.2.5.new/source/client/mount.cifs.c
+--- samba-3.2.5/source/client/mount.cifs.c 2008-11-18 16:17:17.000000000 +0100
++++ samba-3.2.5.new/source/client/mount.cifs.c 2009-10-07 16:01:17.000000000 +0200
+@@ -371,9 +371,6 @@
+ return 1;
+ data = *optionsp;
+
+- if(verboseflag)
+- printf("parsing options: %s\n", data);
+-
+ /* BB fixme check for separator override BB */
+
+ if (getuid()) {
+@@ -460,17 +457,26 @@
+ } else if (strncmp(data, "pass", 4) == 0) {
+ if (!value || !*value) {
+ if(got_password) {
+- printf("\npassword specified twice, ignoring second\n");
++ fprintf(stderr, "\npassword specified twice, ignoring second\n");
+ } else
+ got_password = 1;
+- } else if (strnlen(value, 17) < 17) {
+- if(got_password)
+- printf("\nmount.cifs warning - password specified twice\n");
+- got_password = 1;
++ } else if (strnlen(value, MOUNT_PASSWD_SIZE) < MOUNT_PASSWD_SIZE) {
++ if (got_password) {
++ fprintf(stderr, "\nmount.cifs warning - password specified twice\n");
++ } else {
++ mountpassword = strndup(value, MOUNT_PASSWD_SIZE);
++ if (!mountpassword) {
++ fprintf(stderr, "mount.cifs error: %s", strerror(ENOMEM));
++ SAFE_FREE(out);
++ return 1;
++ }
++ got_password = 1;
++ }
+ } else {
+- printf("password too long\n");
++ fprintf(stderr, "password too long\n");
+ return 1;
+ }
++ goto nocopy;
+ } else if (strncmp(data, "sec", 3) == 0) {
+ if (value) {
+ if (!strcmp(value, "none"))
+@@ -1336,15 +1342,6 @@
+ strlcat(options,domain_name,options_size);
+ }
+ }
+- if(mountpassword) {
+- /* Commas have to be doubled, or else they will
+- look like the parameter separator */
+-/* if(sep is not set)*/
+- if(retry == 0)
+- check_for_comma(&mountpassword);
+- strlcat(options,",pass=",options_size);
+- strlcat(options,mountpassword,options_size);
+- }
+
+ strlcat(options,",ver=",options_size);
+ strlcat(options,MOUNT_CIFS_VERSION_MAJOR,options_size);
+@@ -1357,12 +1354,26 @@
+ strlcat(options,",prefixpath=",options_size);
+ strlcat(options,prefixpath,options_size); /* no need to cat the / */
+ }
+- if(verboseflag)
+- printf("\nmount.cifs kernel mount options %s \n",options);
+
+ /* convert all '\\' to '/' in share portion so that /proc/mounts looks pretty */
+ replace_char(dev_name, '\\', '/', strlen(share_name));
+
++ if(verboseflag)
++ fprintf(stderr, "\nmount.cifs kernel mount options: %s", options);
++
++ if (mountpassword) {
++ /*
++ * Commas have to be doubled, or else they will
++ * look like the parameter separator
++ */
++ if(retry == 0)
++ check_for_comma(&mountpassword);
++ strlcat(options,",pass=",options_size);
++ strlcat(options,mountpassword,options_size);
++ if (verboseflag)
++ fprintf(stderr, ",pass=********");
++ }
++
+ if(mount(dev_name, mountpoint, "cifs", flags, options)) {
+ /* remember to kill daemon on error */
+ switch (errno) {
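Review bot: The verbose trace now writes `"\nmount.cifs kernel mount options: %s"` and, when a password is set, `",pass=********"` without ever emitting a terminating newline, so whatever is printed next to stderr (including the `mount()` failure messages that follow) is glued onto the options line; add `if (verboseflag) fputc('\n', stderr);` directly after the `if (mountpassword)` block. The ENOMEM message `"mount.cifs error: %s"` in the `pass=` branch has the same missing `\n` while its sibling `"password too long\n"` has one. The backport also relies on `MOUNT_PASSWD_SIZE` and on the `nocopy:` label, neither of which is defined in this hunk — if the 3.2.5 tree does not already have them the file will not compile, so that should be confirmed before upload. Moving the `,pass=` append to after the verbose print is the right order for keeping the secret out of the log; `mount_cifs`'s main is cut by the hunk, so whether `options` and `mountpassword` are scrubbed after `mount()` returns cannot be seen here.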
Modified: branches/samba/lenny/debian/patches/series
===================================================================
--- branches/samba/lenny/debian/patches/series 2009-10-07 19:31:10 UTC (rev 3081)
+++ branches/samba/lenny/debian/patches/series 2009-10-10 07:34:24 UTC (rev 3082)
@@ -32,3 +32,8 @@
bug_526229-upstream_6301.patch
security-CVE-2009-1886.patch
security-CVE-2009-1888.patch
+security-CVE-2009-2813.patch
+security-CVE-2009-2906.patch
+security-CVE-2009-2948-1.patch
+security-CVE-2009-2948-2.patch
+