[Pkg-samba-maint] r3874 - in branches/samba/lenny/debian: . patches

bubulle at alioth.debian.org bubulle at alioth.debian.org
Mon Aug 8 07:35:17 UTC 2011


Author: bubulle
Date: 2011-08-08 07:35:17 +0000 (Mon, 08 Aug 2011)
New Revision: 3874

Added:
   branches/samba/lenny/debian/patches/security-CVE-2011-2522.patch
Modified:
   branches/samba/lenny/debian/changelog
   branches/samba/lenny/debian/patches/security-CVE-2011-2694.patch
   branches/samba/lenny/debian/patches/series
Log:
Apply patches from Kai Blin to fix CVE-2011-2522, CVE-2011-2694

Modified: branches/samba/lenny/debian/changelog
===================================================================
--- branches/samba/lenny/debian/changelog	2011-08-06 18:13:13 UTC (rev 3873)
+++ branches/samba/lenny/debian/changelog	2011-08-08 07:35:17 UTC (rev 3874)
@@ -1,9 +1,8 @@
-samba (2:3.2.5-4lenny15) UNRELEASED; urgency=low
+samba (2:3.2.5-4lenny15) lenny-security; urgency=medium
 
-  * Security update, fixing the following issue:
-    - CVE-2011-2694: possible XSS attack in SWAT
+  * Apply patches from Kai Blin to fix CVE-2011-2522, CVE-2011-2694
 
- -- Christian Perrier <bubulle at debian.org>  Wed, 27 Jul 2011 09:20:22 +0200
+ -- Florian Weimer <fw at deneb.enyo.de>  Thu, 04 Aug 2011 19:20:06 +0200
 
 samba (2:3.2.5-4lenny14) oldstable-security; urgency=high
 

Added: branches/samba/lenny/debian/patches/security-CVE-2011-2522.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2011-2522.patch	                        (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2011-2522.patch	2011-08-08 07:35:17 UTC (rev 3874)
@@ -0,0 +1,349 @@
+Goal: Fix Cross-Site Request Forgery vulnerability in SWAT
+
+Fixes: Upstream security fix. CVE-2011-2522
+
+Status wrt upstream: Fixed in 3.5.10
+
+Author: Kai Blin <kai at samba.org>
+
+Ported to 2:3.2.5-4lenny14 by Florian Weimer <fw at deneb.enyo.de>
+
+Index: git/source/web/cgi.c
+===================================================================
+--- git.orig/source/web/cgi.c	2011-08-04 19:32:59.195235059 +0200
++++ git/source/web/cgi.c	2011-08-04 19:40:54.054985618 +0200
+@@ -19,6 +19,7 @@
+ 
+ #include "includes.h"
+ #include "web/swat_proto.h"
++#include "secrets.h"
+ 
+ #define MAX_VARIABLES 10000
+ 
+@@ -42,6 +43,7 @@
+ static const char *baseurl;
+ static char *pathinfo;
+ static char *C_user;
++static char *C_pass;
+ static bool inetd_server;
+ static bool got_request;
+ 
+@@ -320,7 +322,23 @@
+ 		exit(0);
+ 	}
+ 
+-	setuid(0);
++	C_user = SMB_STRDUP(user);
++
++	if (!setuid(0)) {
++		C_pass = secrets_fetch_generic("root", "SWAT");
++		if (C_pass == NULL) {
++			char *tmp_pass = NULL;
++			tmp_pass = generate_random_str(16);
++			if (tmp_pass == NULL) {
++				printf("%sFailed to create random nonce for "
++				       "SWAT session\n<br>%s\n", head, tail);
++				exit(0);
++			}
++			secrets_store_generic("root", "SWAT", tmp_pass);
++			C_pass = SMB_STRDUP(tmp_pass);
++			SAFE_FREE(tmp_pass);
++		}
++	}
+ 	setuid(pwd->pw_uid);
+ 	if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
+ 		printf("%sFailed to become user %s - uid=%d/%d<br>%s\n", 
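Review bot: If `setuid(0)` fails in the added block, `C_pass` stays NULL and the session carries on; `get_xsrf_token()` later in this patch skips a NULL `pass`, so the token would then be a hash of only the form name, timestamp and user name, with no secret in it. Failing closed here (print an error and `exit(0)`, as the nonce-generation failure path just above already does) would be safer than continuing without a key. The results of `secrets_store_generic()` and `SMB_STRDUP()` are also discarded; if the store fails, each new SWAT process presumably generates its own nonce, and tokens issued by one request would not verify on the next. `generate_random_str()` is not shown on this page, so confirm that it returns malloc'd memory in this tree before `SAFE_FREE(tmp_pass)`, since freeing a static or talloc-owned buffer would be invalid. The enclosing function starts and ends outside the hunk.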
+@@ -388,6 +406,7 @@
+ 			
+ 			/* Save the users name */
+ 			C_user = SMB_STRDUP(user);
++			C_pass = SMB_STRDUP(user_pass);
+ 			TALLOC_FREE(pass);
+ 			return True;
+ 		}
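Review bot: `C_pass = SMB_STRDUP(user_pass);` makes the user's login password the only secret input to the XSRF token, which `get_xsrf_token()` computes as a plain MD5 over form name, timestamp, user name and password and which is then printed into every form. A rendered page that leaks (proxy cache, saved page, another disclosure bug) therefore exposes a value against which password guesses can be checked offline. Keying the token with a server-side random secret, as the `secrets_fetch_generic("root", "SWAT")` branch earlier in this file does, would avoid tying the token to the password. The cleartext copy is also held in a static for the life of the process and never cleared; a comment such as `/* C_pass keys the XSRF token; holds cleartext, never logged or printed */` would at least document that. The enclosing function lies outside the hunk.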
+@@ -422,6 +441,13 @@
+         return(C_user);
+ }
+ 
++/***************************************************************************
++return a ptr to the users password
++  ***************************************************************************/
++char *cgi_user_pass(void)
++{
++        return(C_pass);
++}
+ 
+ /***************************************************************************
+ handle a file download
+Index: git/source/web/statuspage.c
+===================================================================
+--- git.orig/source/web/statuspage.c	2011-08-04 19:32:59.191234363 +0200
++++ git/source/web/statuspage.c	2011-08-04 19:39:30.179152310 +0200
+@@ -245,9 +245,14 @@
+ 	int nr_running=0;
+ 	bool waitup = False;
+ 	TALLOC_CTX *ctx = talloc_stackframe();
++	const char form_name[] = "status";
+ 
+ 	smbd_pid = pid_to_procid(pidfile_pid("smbd"));
+ 
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
++
+ 	if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
+ 		stop_smbd();
+ 		start_smbd();
+@@ -324,9 +329,11 @@
+ 
+ 	initPid2Machine ();
+ 
++output_page:
+ 	printf("<H2>%s</H2>\n", _("Server Status"));
+ 
+ 	printf("<FORM method=post>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	if (!autorefresh) {
+ 		printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
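Review bot: `output_page:` is placed after `initPid2Machine ();`, so any request that fails `verify_xsrf_token()` skips all the state gathering above the label as well as the restart/stop actions. That includes the first plain GET of the page, which carries no token. Only the state-changing branches need the token; a `bool xsrf_ok = verify_xsrf_token(form_name);` tested in each action branch (`if (xsrf_ok && cgi_variable("smbd_restart"))`) would let the read-only setup run unconditionally. The same label placement recurs in swat.c, where the wizard page jumps past `role = lp_server_role();` and the shares page jumps past `snum = lp_servicenumber(share);`, so those pages presumably render from initial values rather than the live configuration. The rejection is also silent, and the function body extends beyond both hunks shown for this file.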
+Index: git/source/web/swat.c
+===================================================================
+--- git.orig/source/web/swat.c	2011-08-04 19:32:59.183277099 +0200
++++ git/source/web/swat.c	2011-08-04 19:53:11.430500287 +0200
+@@ -29,6 +29,8 @@
+ 
+ #include "includes.h"
+ #include "web/swat_proto.h"
++#include "md5.h"
++#include "swat_proto.h"
+ 
+ static int demo_mode = False;
+ static int passwd_only = False;
+@@ -50,6 +52,9 @@
+ #define DISABLE_USER_FLAG "disable_user_flag"
+ #define ENABLE_USER_FLAG "enable_user_flag"
+ #define RHOST "remote_host"
++#define XSRF_TOKEN "xsrf"
++#define XSRF_TIME "xsrf_time"
++#define XSRF_TIMEOUT 300
+ 
+ #define _(x) lang_msg_rotate(talloc_tos(),x)
+ 
+@@ -138,6 +143,76 @@
+ 	return parmname;
+ }
+ 
++void get_xsrf_token(const char *username, const char *pass,
++		    const char *formname, time_t xsrf_time, char token_str[33])
++{
++	struct MD5Context md5_ctx;
++	uint8_t token[16];
++	int i;
++
++	token_str[0] = '\0';
++	ZERO_STRUCT(md5_ctx);
++	MD5Init(&md5_ctx);
++
++	MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
++	MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t));
++	if (username != NULL) {
++		MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
++	}
++	if (pass != NULL) {
++		MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
++	}
++
++	MD5Final(token, &md5_ctx);
++
++	for(i = 0; i < sizeof(token); i++) {
++		char tmp[3];
++
++		snprintf(tmp, sizeof(tmp), "%02x", token[i]);
++		strncat(token_str, tmp, sizeof(tmp));
++	}
++}
++
++void print_xsrf_token(const char *username, const char *pass,
++		      const char *formname)
++{
++	char token[33];
++	time_t xsrf_time = time(NULL);
++
++	get_xsrf_token(username, pass, formname, xsrf_time, token);
++	printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
++	       XSRF_TOKEN, token);
++	printf("<input type=\"hidden\" name=\"%s\" value=\"%lld\">\n",
++	       XSRF_TIME, (long long int)xsrf_time);
++}
++
++bool verify_xsrf_token(const char *formname)
++{
++	char expected[33];
++	const char *username = cgi_user_name();
++	const char *pass = cgi_user_pass();
++	const char *token = cgi_variable_nonull(XSRF_TOKEN);
++	const char *time_str = cgi_variable_nonull(XSRF_TIME);
++	time_t xsrf_time = 0;
++	time_t now = time(NULL);
++
++	if (sizeof(time_t) == sizeof(int)) {
++		xsrf_time = atoi(time_str);
++	} else if (sizeof(time_t) == sizeof(long)) {
++		xsrf_time = atol(time_str);
++	} else if (sizeof(time_t) == sizeof(long long)) {
++		xsrf_time = atoll(time_str);
++	}
++
++	if (abs(now - xsrf_time) > XSRF_TIMEOUT) {
++		return false;
++	}
++
++	get_xsrf_token(username, pass, formname, xsrf_time, expected);
++	return (strncmp(expected, token, sizeof(expected)) == 0);
++}
++
++
+ /****************************************************************************
+   include a lump of html in a page 
+ ****************************************************************************/
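Review bot: In `verify_xsrf_token()` the freshness test `abs(now - xsrf_time) > XSRF_TIMEOUT` passes a `time_t` difference to `abs()`, which takes an `int`, so with a 64-bit `time_t` the difference is truncated before the comparison; the symmetric window also accepts timestamps from the future. `xsrf_time` comes straight from the request through `atoi`/`atol`/`atoll`, which report nothing on garbage or overflow; the sketch below parses it strictly and compares in full width. The final `strncmp(expected, token, sizeof(expected))` stops at the first differing byte, whereas a length check followed by a constant-time comparison is the usual choice for authenticator values. The three new functions also lack the banner comment the rest of the file uses; it should state that `token_str` must hold at least 33 bytes and that a NULL `pass` produces a token with no secret input.

```c
bool verify_xsrf_token(const char *formname)
{
	/* … unchanged: expected, username, pass, token, time_str, xsrf_time, now … */
	char *end = NULL;
	long long parsed;

	/* Strict parse: reject empty, trailing junk, overflow and negatives. */
	errno = 0;
	parsed = strtoll(time_str, &end, 10);
	if (end == time_str || *end != '\0' || errno == ERANGE || parsed < 0) {
		return false;
	}
	xsrf_time = (time_t)parsed;
	if ((long long)xsrf_time != parsed) {
		return false;
	}

	/* Compare in time_t width; a stamp from the future is never valid. */
	if (xsrf_time > now || now - xsrf_time > XSRF_TIMEOUT) {
		return false;
	}

	/* … unchanged: get_xsrf_token() call and token comparison … */
}
```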
+@@ -607,13 +682,20 @@
+ static void viewconfig_page(void)
+ {
+ 	int full_view=0;
++	const char form_name[] = "viewconfig";
++
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
+ 
+ 	if (cgi_variable("full_view")) {
+ 		full_view = 1;
+ 	}
+ 
++output_page:
+ 	printf("<H2>%s</H2>\n", _("Current Config"));
+ 	printf("<form method=post>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	if (full_view) {
+ 		printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View"));
+@@ -633,18 +715,25 @@
+ static void wizard_params_page(void)
+ {
+ 	unsigned int parm_filter = FLAG_WIZARD;
++	const char form_name[] = "wizard_params";
+ 
+ 	/* Here we first set and commit all the parameters that were selected
+  	   in the previous screen. */
+ 
+ 	printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
+ 
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
++
+ 	if (cgi_variable("Commit")) {
+ 		commit_parameters(GLOBAL_SECTION_SNUM);
+ 		save_reload(0);
+ 	}
+ 
++output_page:
+ 	printf("<form name=\"swatform\" method=post action=wizard_params>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	if (have_write_access) {
+ 		printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n");
+@@ -680,6 +769,11 @@
+ 	int have_home = -1;
+ 	int HomeExpo = 0;
+ 	int SerType = 0;
++	const char form_name[] = "wizard";
++
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
+ 
+ 	if (cgi_variable("Rewrite")) {
+ 		(void) rewritecfg_file();
+@@ -770,10 +864,12 @@
+ 		winstype = 3;
+ 
+ 	role = lp_server_role();
+-	
++
++output_page:
+ 	/* Here we go ... */
+ 	printf("<H2>%s</H2>\n", _("Samba Configuration Wizard"));
+ 	printf("<form method=post action=wizard>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	if (have_write_access) {
+ 		printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments."));
+@@ -842,9 +938,14 @@
+ {
+ 	unsigned int parm_filter = FLAG_BASIC;
+ 	int mode = 0;
++	const char form_name[] = "globals";
+ 
+ 	printf("<H2>%s</H2>\n", _("Global Parameters"));
+ 
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
++
+ 	if (cgi_variable("Commit")) {
+ 		commit_parameters(GLOBAL_SECTION_SNUM);
+ 		save_reload(0);
+@@ -857,7 +958,9 @@
+ 	if ( cgi_variable("AdvMode"))
+ 		mode = 1;
+ 
++output_page:
+ 	printf("<form name=\"swatform\" method=post action=globals>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	ViewModeBoxes( mode );
+ 	switch ( mode ) {
+@@ -896,12 +999,16 @@
+ 	int i;
+ 	int mode = 0;
+ 	unsigned int parm_filter = FLAG_BASIC;
++	const char form_name[] = "shares";
++
++	printf("<H2>%s</H2>\n", _("Share Parameters"));
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
+ 
+ 	if (share)
+ 		snum = lp_servicenumber(share);
+ 
+-	printf("<H2>%s</H2>\n", _("Share Parameters"));
+-
+ 	if (cgi_variable("Commit") && snum >= 0) {
+ 		commit_parameters(snum);
+ 		save_reload(0);
+@@ -926,10 +1033,6 @@
+ 		}
+ 	}
+ 
+-	printf("<FORM name=\"swatform\" method=post>\n");
+-
+-	printf("<table>\n");
+-
+ 	if ( cgi_variable("ViewMode") )
+ 		mode = atoi(cgi_variable_nonull("ViewMode"));
+ 	if ( cgi_variable("BasicMode"))
+@@ -937,6 +1040,12 @@
+ 	if ( cgi_variable("AdvMode"))
+ 		mode = 1;
+ 
++output_page:
++	printf("<FORM name=\"swatform\" method=post>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
++
++	printf("<table>\n");
++
+ 	ViewModeBoxes( mode );
+ 	switch ( mode ) {
+ 		case 0:

Modified: branches/samba/lenny/debian/patches/security-CVE-2011-2694.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2011-2694.patch	2011-08-06 18:13:13 UTC (rev 3873)
+++ branches/samba/lenny/debian/patches/security-CVE-2011-2694.patch	2011-08-08 07:35:17 UTC (rev 3874)
@@ -6,11 +6,13 @@
 
 Author: Kai Blin <kai at samba.org>
 
-Index: lenny/source/web/swat.c
-===================================================================
---- lenny.orig/source/web/swat.c
-+++ lenny/source/web/swat.c
-@@ -1116,11 +1116,9 @@
+Ported to 2:3.2.5-4lenny14 by Florian Weimer <fw at deneb.enyo.de>
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 15e2e26..1e88547 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -1224,11 +1224,9 @@ static void chg_passwd(void)
  	if(cgi_variable(CHG_S_PASSWD_FLAG)) {
  		printf("<p>");
  		if (rslt == True) {
@@ -24,7 +26,7 @@
  		}
  	}
  	
-@@ -1134,14 +1132,6 @@
+@@ -1242,14 +1240,6 @@ static void passwd_page(void)
  {
  	const char *new_name = cgi_user_name();
  

Modified: branches/samba/lenny/debian/patches/series
===================================================================
--- branches/samba/lenny/debian/patches/series	2011-08-06 18:13:13 UTC (rev 3873)
+++ branches/samba/lenny/debian/patches/series	2011-08-08 07:35:17 UTC (rev 3874)
@@ -46,4 +46,5 @@
 security-CVE-2010-2063.patch
 security-CVE-2010-3069.patch
 security-CVE-2011-0719.patch
+security-CVE-2011-2522.patch
 security-CVE-2011-2694.patch




