[Pkg-samba-maint] r3298 - in branches/samba/lenny/debian: . patches

vorlon at alioth.debian.org
Sat Feb 13 23:11:12 UTC 2010


tags 568942 pending
thanks

Author: vorlon
Date: 2010-02-13 23:11:07 +0000 (Sat, 13 Feb 2010)
New Revision: 3298

Added:
   branches/samba/lenny/debian/patches/security-CVE-2010-0547.patch
Modified:
   branches/samba/lenny/debian/changelog
   branches/samba/lenny/debian/patches/series
Log:
* Security update, fixing the following issues in mount.cifs:
  - CVE-2010-0547: fix a denial-of-service problem where a user can corrupt
    /etc/mtab, preventing further filesystem mounts and unmounts by other
    users.  Closes: #568942.

Modified: branches/samba/lenny/debian/changelog
===================================================================
--- branches/samba/lenny/debian/changelog	2010-02-13 23:08:11 UTC (rev 3297)
+++ branches/samba/lenny/debian/changelog	2010-02-13 23:11:07 UTC (rev 3298)
@@ -1,9 +1,12 @@
 samba (2:3.2.5-4lenny9) UNRELEASED; urgency=low
 
-  * Security update, fixing the following issues:
+  * Security update, fixing the following issues in mount.cifs:
     - CVE-2009-3297: fix a race condition that allows an attacker with local
       access to mount remote filesystems over arbitrary mount points via
       a symlink attack.  Closes: #567554.
+    - CVE-2010-0547: fix a denial-of-service problem where a user can corrupt
+      /etc/mtab, preventing further filesystem mounts and unmounts by other
+      users.  Closes: #568942.
 
  -- Steve Langasek <vorlon at debian.org>  Sat, 13 Feb 2010 14:27:42 -0800
 

Added: branches/samba/lenny/debian/patches/security-CVE-2010-0547.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2010-0547.patch	                        (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2010-0547.patch	2010-02-13 23:11:07 UTC (rev 3298)
@@ -0,0 +1,70 @@
+From fbd13a1b7f7513311d59f8d501ba2b77f4af2aa6 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at redhat.com>
+Date: Tue, 26 Jan 2010 09:16:41 -0500
+Subject: [PATCH 6/7] mount.cifs: check for invalid characters in device name and mountpoint
+
+It's apparently possible to corrupt the mtab if you pass embedded
+newlines to addmntent. Apparently tabs are also a problem with certain
+earlier glibc versions. Backslashes are also a minor issue apparently,
+but we can't reasonably filter those.
+
+Make sure that neither the devname or mountpoint contain any problematic
+characters before allowing the mount to proceed.
+
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+---
+ source/client/mount.cifs.c |   34 ++++++++++++++++++++++++++++++++++
+ 1 files changed, 34 insertions(+), 0 deletions(-)
+
+Index: lenny/source/client/mount.cifs.c
+===================================================================
+--- lenny.orig/source/client/mount.cifs.c
++++ lenny/source/client/mount.cifs.c
+@@ -1017,6 +1017,36 @@
+ 	return 1;
+ }
+ 
++/*
++ * This function borrowed from fuse-utils...
++ *
++ * glibc's addmntent (at least as of 2.10 or so) doesn't properly encode
++ * newlines embedded within the text fields. To make sure no one corrupts
++ * the mtab, fail the mount if there are embedded newlines.
++ */
++static int check_newline(const char *progname, const char *name)
++{
++    char *s;
++    for (s = "\n"; *s; s++) {
++        if (strchr(name, *s)) {
++            fprintf(stderr, "%s: illegal character 0x%02x in mount entry\n",
++                    progname, *s);
++            return EX_USAGE;
++        }
++    }
++    return 0;
++}
++
++static int check_mtab(const char *progname, const char *devname,
++			const char *dir)
++{
++	if (check_newline(progname, devname) == -1 ||
++	    check_newline(progname, dir) == -1)
++		return EX_USAGE;
++	return 0;
++}
++
++
+ int main(int argc, char ** argv)
+ {
+ 	int c;
+@@ -1385,6 +1415,10 @@
+ 			fprintf(stderr, ",pass=********");
+ 	}
+ 
++	rc = check_mtab(thisprogram, dev_name, mountpoint);
++	if (rc)
++		goto mount_exit;
++
+ 	if(mount(dev_name, ".", "cifs", flags, options)) {
+ 	/* remember to kill daemon on error */
+ 		switch (errno) {

Modified: branches/samba/lenny/debian/patches/series
===================================================================
--- branches/samba/lenny/debian/patches/series	2010-02-13 23:08:11 UTC (rev 3297)
+++ branches/samba/lenny/debian/patches/series	2010-02-13 23:11:07 UTC (rev 3298)
@@ -40,3 +40,4 @@
 bug_561545_upstream_6969.patch
 bug_561545_upstream_7005.patch
 security-CVE-2009-3297.patch
+security-CVE-2010-0547.patch



