[Pkg-samba-maint] r4188 - branches/samba/squeeze/debian/patches
bubulle at alioth.debian.org
bubulle at alioth.debian.org
Thu Jan 31 09:40:12 UTC 2013
Author: bubulle
Date: 2013-01-31 09:40:12 +0000 (Thu, 31 Jan 2013)
New Revision: 4188
Added:
branches/samba/squeeze/debian/patches/security-CVE-2013-0213.patch
branches/samba/squeeze/debian/patches/security-CVE-2013-0214.patch
Log:
Add security patches for -3squeeze9
Added: branches/samba/squeeze/debian/patches/security-CVE-2013-0213.patch
===================================================================
--- branches/samba/squeeze/debian/patches/security-CVE-2013-0213.patch (rev 0)
+++ branches/samba/squeeze/debian/patches/security-CVE-2013-0213.patch 2013-01-31 09:40:12 UTC (rev 4188)
@@ -0,0 +1,31 @@
+From 72672f8074c0a65918756ad89a8ecc2befc72cf0 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 18 Jan 2013 23:11:07 +0100
+Subject: [PATCH] swat: Use X-Frame-Options header to avoid clickjacking
+
+Jann Horn reported a potential clickjacking vulnerability in SWAT where
+the SWAT page could be embedded into an attacker's page using a frame or
+iframe and then used to trick the user to change Samba settings.
+
+Avoid this by telling the browser to refuse the frame embedding via the
+X-Frame-Options: DENY header.
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source3/web/swat.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+Index: squeeze/source3/web/swat.c
+===================================================================
+--- squeeze.orig/source3/web/swat.c
++++ squeeze/source3/web/swat.c
+@@ -247,7 +247,8 @@
+ if (!cgi_waspost()) {
+ printf("Expires: 0\r\n");
+ }
+- printf("Content-type: text/html\r\n\r\n");
++ printf("Content-type: text/html\r\n");
++ printf("X-Frame-Options: DENY\r\n\r\n");
+
+ if (!include_html("include/header.html")) {
+ printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n");
Added: branches/samba/squeeze/debian/patches/security-CVE-2013-0214.patch
===================================================================
--- branches/samba/squeeze/debian/patches/security-CVE-2013-0214.patch (rev 0)
+++ branches/samba/squeeze/debian/patches/security-CVE-2013-0214.patch 2013-01-31 09:40:12 UTC (rev 4188)
@@ -0,0 +1,118 @@
+From 052dfd720dbd83c9dbfab78b42230f1aa4544781 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Mon, 28 Jan 2013 23:13:43 +0100
+Subject: [PATCH] swat: Use additional nonce on XSRF protection
+
+If the user had a weak password on the root account of a machine running
+SWAT, there still was a chance of being targetted by an XSRF on a
+malicious web site targetting the SWAT setup.
+
+Use a random nonce stored in secrets.tdb to close this possible attack
+window. Thanks to Jann Horn for reporting this issue.
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source3/web/cgi.c | 39 ++++++++++++++++++++++++++-------------
+ source3/web/swat.c | 2 ++
+ source3/web/swat_proto.h | 1 +
+ 3 files changed, 29 insertions(+), 13 deletions(-)
+
+diff --git a/source3/web/cgi.c b/source3/web/cgi.c
+index 0c8e9cb..afa2e63 100644
+--- a/source3/web/cgi.c
++++ b/source3/web/cgi.c
+@@ -45,6 +45,7 @@ static const char *baseurl;
+ static char *pathinfo;
+ static char *C_user;
+ static char *C_pass;
++static char *C_nonce;
+ static bool inetd_server;
+ static bool got_request;
+
+@@ -326,19 +327,7 @@ static void cgi_web_auth(void)
+ C_user = SMB_STRDUP(user);
+
+ if (!setuid(0)) {
+- C_pass = secrets_fetch_generic("root", "SWAT");
+- if (C_pass == NULL) {
+- char *tmp_pass = NULL;
+- tmp_pass = generate_random_str(talloc_tos(), 16);
+- if (tmp_pass == NULL) {
+- printf("%sFailed to create random nonce for "
+- "SWAT session\n<br>%s\n", head, tail);
+- exit(0);
+- }
+- secrets_store_generic("root", "SWAT", tmp_pass);
+- C_pass = SMB_STRDUP(tmp_pass);
+- TALLOC_FREE(tmp_pass);
+- }
++ C_pass = SMB_STRDUP(cgi_nonce());
+ }
+ setuid(pwd->pw_uid);
+ if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
+@@ -451,6 +440,30 @@ char *cgi_user_pass(void)
+ }
+
+ /***************************************************************************
++return a ptr to the nonce
++ ***************************************************************************/
++char *cgi_nonce(void)
++{
++ const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
++ const char *tail = "</BODY></HTML>\r\n";
++ C_nonce = secrets_fetch_generic("root", "SWAT");
++ if (C_nonce == NULL) {
++ char *tmp_pass = NULL;
++ tmp_pass = generate_random_str(talloc_tos(), 16);
++ if (tmp_pass == NULL) {
++ printf("%sFailed to create random nonce for "
++ "SWAT session\n<br>%s\n", head, tail);
++ exit(0);
++ }
++ secrets_store_generic("root", "SWAT", tmp_pass);
++ C_nonce = SMB_STRDUP(tmp_pass);
++ TALLOC_FREE(tmp_pass);
++ }
++ return(C_nonce);
++}
++
++
++/***************************************************************************
+ handle a file download
+ ***************************************************************************/
+ static void cgi_download(char *file)
+diff --git a/source3/web/swat.c b/source3/web/swat.c
+index 754e3ce..c63eae3 100644
+--- a/source3/web/swat.c
++++ b/source3/web/swat.c
+@@ -148,6 +148,7 @@ void get_xsrf_token(const char *username, const char *pass,
+ struct MD5Context md5_ctx;
+ uint8_t token[16];
+ int i;
++ char *nonce = cgi_nonce();
+
+ token_str[0] = '\0';
+ ZERO_STRUCT(md5_ctx);
+@@ -161,6 +162,7 @@ void get_xsrf_token(const char *username, const char *pass,
+ if (pass != NULL) {
+ MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
+ }
++ MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
+
+ MD5Final(token, &md5_ctx);
+
+diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h
+index 424a3af..fe51b1f 100644
+--- a/source3/web/swat_proto.h
++++ b/source3/web/swat_proto.h
+@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name);
+ bool am_root(void);
+ char *cgi_user_name(void);
+ char *cgi_user_pass(void);
++char *cgi_nonce(void);
+ void cgi_setup(const char *rootdir, int auth_required);
+ const char *cgi_baseurl(void);
+ const char *cgi_pathinfo(void);
+--
+1.7.0.4
+
More information about the Pkg-samba-maint
mailing list