[Pkg-samba-maint] [samba] 01/08: Import NMUs from the security team
Andrew Bartlett
abartlet-guest at moszumanska.debian.org
Wed Apr 13 01:33:24 UTC 2016
This is an automated email from the git hooks/post-receive script.
abartlet-guest pushed a commit to branch wheezy
in repository samba.
commit 16d751693d6661c2aba2e6178d7128b719bc0a24
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 11 12:01:33 2016 +1200
Import NMUs from the security team
---
debian/changelog | 25 +++
debian/patches/CVE-2015-5252-v3-6-bso11395.patch | 44 ++++++
debian/patches/CVE-2015-5296-v3-6-bso11536.patch | 113 ++++++++++++++
debian/patches/CVE-2015-5299-v3-6-bso11529.patch | 93 +++++++++++
debian/patches/CVE-2015-7560-v3-6.patch | 172 +++++++++++++++++++++
...-a-corner-case-of-the-symlink-verificatio.patch | 104 +++++++++++++
debian/patches/series | 5 +
debian/patches/waf-as-source.patch | 4 -
8 files changed, 556 insertions(+), 4 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index b8f8f36..df2b1d0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+samba (2:3.6.6-6+deb7u7) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * s3:smbd: fix a corner case of the symlink verification.
+ Address regression introduced by the patch for CVE-2015-5252. For the
+ share path "/", the introduced checks deny all operations in the share.
+ (Closes: #812429)
+ * CVE-2015-7560: Incorrect ACL get/set allowed on symlink path
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Fri, 11 Mar 2016 21:14:09 +0100
+
+samba (2:3.6.6-6+deb7u6) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Refresh waf-as-source.patch patch
+ * Add CVE-2015-5252-v3-6-bso11395.patch patch.
+ CVE-2015-5252: Insufficient symlink verification in smbd.
+ * Add CVE-2015-5299-v3-6-bso11529.patch patch.
+ CVE-2015-5299: Missing access control check in shadow copy code.
+ * Add CVE-2015-5296-v3-6-bso11536.patch patch.
+ CVE-2015-5296: Samba client requesting encryption vulnerable to
+ downgrade attack.
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Tue, 22 Dec 2015 08:33:25 +0100
+
samba (2:3.6.6-6+deb7u5) wheezy-security; urgency=high
* Security update
diff --git a/debian/patches/CVE-2015-5252-v3-6-bso11395.patch b/debian/patches/CVE-2015-5252-v3-6-bso11395.patch
new file mode 100644
index 0000000..b7580fb
--- /dev/null
+++ b/debian/patches/CVE-2015-5252-v3-6-bso11395.patch
@@ -0,0 +1,44 @@
+From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Thu, 9 Jul 2015 10:58:11 -0700
+Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
+ access outside the share).
+
+Ensure matching component ends in '/' or '\0'.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Volker Lendecke <vl at samba.org>
+---
+ source3/smbd/vfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
+index 6c56964..bd93b7f 100644
+--- a/source3/smbd/vfs.c
++++ b/source3/smbd/vfs.c
+@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
+ if (!allow_widelinks || !allow_symlinks) {
+ const char *conn_rootdir;
+ size_t rootdir_len;
++ bool matched;
+
+ conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
+ if (conn_rootdir == NULL) {
+@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
+ }
+
+ rootdir_len = strlen(conn_rootdir);
+- if (strncmp(conn_rootdir, resolved_name,
+- rootdir_len) != 0) {
++ matched = (strncmp(conn_rootdir, resolved_name,
++ rootdir_len) == 0);
++ if (!matched || (resolved_name[rootdir_len] != '/' &&
++ resolved_name[rootdir_len] != '\0')) {
+ DEBUG(2, ("check_reduced_name: Bad access "
+ "attempt: %s is a symlink outside the "
+ "share path\n", fname));
+--
+2.5.0
+
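Review bot: The new condition reads `resolved_name[rootdir_len]` and stays in bounds only because `!matched` is tested first — a successful strncmp over rootdir_len bytes guarantees resolved_name has at least that many characters, so index rootdir_len is at most the terminator; that evaluation order is load-bearing and should be stated, e.g. `/* matched => resolved_name has >= rootdir_len chars, so indexing rootdir_len is safe. */`. The same test assumes conn_rootdir carries no trailing slash, which a share root of "/" violates; that case is handled by the separate corner-case patch in this upload, so no change is needed here. check_reduced_name continues outside the hunk.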
diff --git a/debian/patches/CVE-2015-5296-v3-6-bso11536.patch b/debian/patches/CVE-2015-5296-v3-6-bso11536.patch
new file mode 100644
index 0000000..4b722a5
--- /dev/null
+++ b/debian/patches/CVE-2015-5296-v3-6-bso11536.patch
@@ -0,0 +1,113 @@
+From 25139116756cc285a3a5534834cc276ef1b7baaa Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Wed, 30 Sep 2015 21:17:02 +0200
+Subject: [PATCH 1/2] CVE-2015-5296: s3:libsmb: force signing when requiring
+ encryption in do_connect()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+Reviewed-by: Jeremy Allison <jra at samba.org>
+---
+ source3/libsmb/clidfs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index 23e1471..f153b6b 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -98,6 +98,11 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
+ const char *username;
+ const char *password;
+ NTSTATUS status;
++ int signing_state = get_cmdline_auth_info_signing_state(auth_info);
++
++ if (force_encrypt) {
++ signing_state = Required;
++ }
+
+ /* make a copy so we don't modify the global string 'service' */
+ servicename = talloc_strdup(ctx,share);
+@@ -132,7 +137,7 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
+ zero_sockaddr(&ss);
+
+ /* have to open a new connection */
+- c = cli_initialise_ex(get_cmdline_auth_info_signing_state(auth_info));
++ c = cli_initialise_ex(signing_state);
+ if (c == NULL) {
+ d_printf("Connection to %s failed\n", server_n);
+ return NULL;
+--
+2.5.0
+
+
+From 060adb0abdeda51b8b622c6020b5dea0c8dde1cf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Wed, 30 Sep 2015 21:17:02 +0200
+Subject: [PATCH 2/2] CVE-2015-5296: s3:libsmb: force signing when requiring
+ encryption in SMBC_server_internal()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+Reviewed-by: Jeremy Allison <jra at samba.org>
+---
+ source3/libsmb/libsmb_server.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
+index 45be660..167f2c9 100644
+--- a/source3/libsmb/libsmb_server.c
++++ b/source3/libsmb/libsmb_server.c
+@@ -258,6 +258,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
+ const char *username_used;
+ NTSTATUS status;
+ char *newserver, *newshare;
++ int signing_state = Undefined;
+
+ zero_sockaddr(&ss);
+ ZERO_STRUCT(c);
+@@ -404,8 +405,12 @@ again:
+
+ zero_sockaddr(&ss);
+
++ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
++ signing_state = Required;
++ }
++
+ /* have to open a new connection */
+- if ((c = cli_initialise()) == NULL) {
++ if ((c = cli_initialise_ex(signing_state)) == NULL) {
+ errno = ENOMEM;
+ return NULL;
+ }
+@@ -750,6 +755,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+ ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
+ pp_workgroup, pp_username, pp_password);
+ if (!ipc_srv) {
++ int signing_state = Undefined;
+
+ /* We didn't find a cached connection. Get the password */
+ if (!*pp_password || (*pp_password)[0] == '\0') {
+@@ -771,6 +777,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+ if (smbc_getOptionUseCCache(context)) {
+ flags |= CLI_FULL_CONNECTION_USE_CCACHE;
+ }
++ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
++ signing_state = Required;
++ }
+
+ zero_sockaddr(&ss);
+ nt_status = cli_full_connection(&ipc_cli,
+@@ -780,7 +789,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+ *pp_workgroup,
+ *pp_password,
+ flags,
+- Undefined);
++ signing_state);
+ if (! NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1,("cli_full_connection failed! (%s)\n",
+ nt_errstr(nt_status)));
+--
+2.5.0
+
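Review bot: In SMBC_server_internal and SMBC_attr_server the added code sets `signing_state = Required` for any level other than SMBC_ENCRYPTLEVEL_NONE, i.e. for a mere encryption request as well as a requirement, whereas do_connect only forces signing when `force_encrypt` is set. That is the safer reading — per the changelog entry, an unsigned session is what lets an attacker downgrade the requested encryption — but the asymmetry is not explained, so a comment at each assignment would help: `/* Encryption is negotiated inside the session; without mandatory signing an active attacker can strip it (CVE-2015-5296). */`. The enclosing functions continue outside the hunk.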
diff --git a/debian/patches/CVE-2015-5299-v3-6-bso11529.patch b/debian/patches/CVE-2015-5299-v3-6-bso11529.patch
new file mode 100644
index 0000000..5507b99
--- /dev/null
+++ b/debian/patches/CVE-2015-5299-v3-6-bso11529.patch
@@ -0,0 +1,93 @@
+From 8e49de7754f7171a58a1f94dee0f1138dbee3c60 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Fri, 23 Oct 2015 14:54:31 -0700
+Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on
+ snapdir
+
+Fix originally from <partha at exablox.com>
+
+https://bugzilla.samba.org/show_bug.cgi?id=11529
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: David Disseldorp <ddiss at samba.org>
+---
+ source3/modules/vfs_shadow_copy2.c | 47 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+
+--- a/source3/modules/vfs_shadow_copy2.c
++++ b/source3/modules/vfs_shadow_copy2.c
+@@ -96,6 +96,8 @@
+ */
+
+ #include "includes.h"
++#include "smbd/globals.h"
++#include "../libcli/security/security.h"
+ #include "system/filesys.h"
+ #include "include/ntioctl.h"
+ #include "smbd/proto.h"
+@@ -1072,6 +1074,43 @@ static void shadow_copy2_sort_data(vfs_h
+ return;
+ }
+
++static bool check_access_snapdir(struct vfs_handle_struct *handle,
++ const char *path)
++{
++ struct smb_filename smb_fname;
++ int ret;
++ NTSTATUS status;
++ uint32_t access_granted = 0;
++
++ ZERO_STRUCT(smb_fname);
++ smb_fname.base_name = talloc_asprintf(talloc_tos(),
++ "%s",
++ path);
++ if (smb_fname.base_name == NULL) {
++ return false;
++ }
++
++ ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
++ if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
++ TALLOC_FREE(smb_fname.base_name);
++ return false;
++ }
++
++ status = smbd_check_open_rights(handle->conn,
++ &smb_fname,
++ SEC_DIR_LIST,
++ &access_granted);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(0,("user does not have list permission "
++ "on snapdir %s\n",
++ smb_fname.base_name));
++ TALLOC_FREE(smb_fname.base_name);
++ return false;
++ }
++ TALLOC_FREE(smb_fname.base_name);
++ return true;
++}
++
+ static int shadow_copy2_get_shadow_copy_data(
+ vfs_handle_struct *handle, files_struct *fsp,
+ struct shadow_copy_data *shadow_copy2_data,
+@@ -1081,6 +1120,7 @@ static int shadow_copy2_get_shadow_copy_
+ const char *snapdir;
+ SMB_STRUCT_DIRENT *d;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
++ bool ret;
+
+ snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle, fsp->fsp_name);
+ if (snapdir == NULL) {
+@@ -1090,6 +1130,13 @@ static int shadow_copy2_get_shadow_copy_
+ talloc_free(tmp_ctx);
+ return -1;
+ }
++ ret = check_access_snapdir(handle, snapdir);
++ if (!ret) {
++ DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
++ errno = EACCES;
++ talloc_free(tmp_ctx);
++ return -1;
++ }
+
+ p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);
+
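Review bot: Both denials in the new code log at level 0 — `DEBUG(0,("user does not have list permission ...` in check_access_snapdir and `DEBUG(0,("access denied on listing snapdir ...` in its caller — yet any authenticated client triggers them just by asking for previous versions on a share whose snapdir it cannot list, so each such request writes two level-0 lines; level 0 is for server errors, and the comparable symlink denial in check_reduced_name logs at level 2, so `DEBUG(2,("access denied on listing snapdir %s\n", snapdir));` (and likewise in the helper) is the consistent choice. Also, check_access_snapdir folds a failed stat and a non-directory into the same `false`, so the caller reports EACCES even when the real cause is a missing snapdir; acceptable for an access check, but worth a one-line comment above `return false;`. shadow_copy2_get_shadow_copy_data continues outside the hunk.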
diff --git a/debian/patches/CVE-2015-7560-v3-6.patch b/debian/patches/CVE-2015-7560-v3-6.patch
new file mode 100644
index 0000000..8474056
--- /dev/null
+++ b/debian/patches/CVE-2015-7560-v3-6.patch
@@ -0,0 +1,172 @@
+From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Tue, 5 Jan 2016 11:18:12 -0800
+Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
+ that can be used to prevent operations on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Michael Adam <obnox at samba.org>
+---
+ source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -50,6 +50,34 @@ static char *store_file_unix_basic_info2
+ files_struct *fsp,
+ const SMB_STRUCT_STAT *psbuf);
+
++/****************************************************************************
++ Check if an open file handle or pathname is a symlink.
++****************************************************************************/
++
++static NTSTATUS refuse_symlink(connection_struct *conn,
++ const files_struct *fsp,
++ const char *name)
++{
++ SMB_STRUCT_STAT sbuf;
++ const SMB_STRUCT_STAT *pst = NULL;
++
++ if (fsp) {
++ pst = &fsp->fsp_name->st;
++ } else {
++ int ret = vfs_stat_smb_fname(conn,
++ name,
++ &sbuf);
++ if (ret == -1) {
++ return map_nt_error_from_unix(errno);
++ }
++ pst = &sbuf;
++ }
++ if (S_ISLNK(pst->st_ex_mode)) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++ return NT_STATUS_OK;
++}
++
+ /********************************************************************
+ Roundup a value to the nearest allocation roundup size boundary.
+ Only do this for Windows clients.
+@@ -180,12 +208,22 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
+ char **names, **tmp;
+ size_t num_names;
+ ssize_t sizeret = -1;
++ NTSTATUS status;
++
++ if (pnames) {
++ *pnames = NULL;
++ }
++ *pnum_names = 0;
+
+ if (!lp_ea_support(SNUM(conn))) {
+- if (pnames) {
+- *pnames = NULL;
+- }
+- *pnum_names = 0;
++ return NT_STATUS_OK;
++ }
++
++ status = refuse_symlink(conn, fsp, fname);
++ if (!NT_STATUS_IS_OK(status)) {
++ /*
++ * Just return no EA's on a symlink.
++ */
+ return NT_STATUS_OK;
+ }
+
+@@ -235,10 +273,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
+
+ if (sizeret == 0) {
+ TALLOC_FREE(names);
+- if (pnames) {
+- *pnames = NULL;
+- }
+- *pnum_names = 0;
+ return NT_STATUS_OK;
+ }
+
+@@ -506,6 +540,7 @@ NTSTATUS set_ea(connection_struct *conn,
+ const struct smb_filename *smb_fname, struct ea_list *ea_list)
+ {
+ char *fname = NULL;
++ NTSTATUS status;
+
+ if (!lp_ea_support(SNUM(conn))) {
+ return NT_STATUS_EAS_NOT_SUPPORTED;
+@@ -515,6 +550,12 @@ NTSTATUS set_ea(connection_struct *conn,
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
++ status = refuse_symlink(conn, fsp, smb_fname->base_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++
+ /* For now setting EAs on streams isn't supported. */
+ fname = smb_fname->base_name;
+
+@@ -4809,6 +4850,13 @@ NTSTATUS smbd_do_qfilepathinfo(connectio
+ uint16 num_file_acls = 0;
+ uint16 num_def_acls = 0;
+
++ status = refuse_symlink(conn,
++ fsp,
++ smb_fname->base_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
+ if (fsp && fsp->fh->fd != -1) {
+ file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
+ } else {
+@@ -6324,6 +6372,7 @@ static NTSTATUS smb_set_posix_acl(connec
+ uint16 num_def_acls;
+ bool valid_file_acls = True;
+ bool valid_def_acls = True;
++ NTSTATUS status;
+
+ if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
+ return NT_STATUS_INVALID_PARAMETER;
+@@ -6351,6 +6400,11 @@ static NTSTATUS smb_set_posix_acl(connec
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
++ status = refuse_symlink(conn, fsp, smb_fname->base_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
+ DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
+ smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
+ (unsigned int)num_file_acls,
+--- a/source3/smbd/nttrans.c
++++ b/source3/smbd/nttrans.c
+@@ -859,6 +859,12 @@ NTSTATUS set_sd(files_struct *fsp, uint8
+ return status;
+ }
+
++ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
++ DEBUG(10, ("ACL set on symlink %s denied.\n",
++ fsp_str_dbg(fsp)));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ if (psd->owner_sid == NULL) {
+ security_info_sent &= ~SECINFO_OWNER;
+ }
+@@ -1886,6 +1892,12 @@ NTSTATUS smbd_do_query_security_desc(con
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
++ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
++ DEBUG(10, ("ACL get on symlink %s denied.\n",
++ fsp_str_dbg(fsp)));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
+ SECINFO_GROUP|SECINFO_SACL)) {
+ /* Don't return SECINFO_LABEL if anything else was
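Review bot: refuse_symlink's path-based branch, `vfs_stat_smb_fname(conn, name, &sbuf)`, can only detect a symlink if that helper does an lstat; if it follows the link, `S_ISLNK(pst->st_ex_mode)` can never be true there and the check is silently a no-op for the pathname variants of these calls. The helper is not visible in the hunk — presumably it lstats when POSIX pathnames are in effect, which is the case this CVE targets — so the assumption should be recorded above the call: `/* Relies on vfs_stat_smb_fname() not following the link (lstat) under POSIX pathnames; otherwise S_ISLNK never fires here. */`. Note too that get_ea_names_from_file maps every refuse_symlink failure, including a plain stat error, to NT_STATUS_OK with zero EAs, which hides the error from the caller. The enclosing functions of the inner trans2.c and nttrans.c hunks continue outside this hunk.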
diff --git a/debian/patches/s3-smbd-fix-a-corner-case-of-the-symlink-verificatio.patch b/debian/patches/s3-smbd-fix-a-corner-case-of-the-symlink-verificatio.patch
new file mode 100644
index 0000000..11130f2
--- /dev/null
+++ b/debian/patches/s3-smbd-fix-a-corner-case-of-the-symlink-verificatio.patch
@@ -0,0 +1,104 @@
+From ada59ec7b3a5ed0478d11da2fe0c90991d137288 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox at samba.org>
+Date: Wed, 23 Dec 2015 18:01:23 +0100
+Subject: [PATCH] s3:smbd: fix a corner case of the symlink verification
+
+Commit 7606c0db257b3f9d84da5b2bf5fbb4034cc8d77d fixes the
+path checks in check_reduced_name[_with_privilege]() to
+prevent unintended access via wide links.
+
+The fix fails to correctly treat a corner case where the share
+path is "/". This case is important for some real world
+scenarios, notably the use of the glusterfs VFS module:
+
+For the share path "/", the newly introduced checks deny all
+operations in the share.
+
+This change fixes the checks for the corner case.
+The point is that the assumptions on which the original
+checks are based are not true for the rootdir "/" case.
+This is the case where the rootdir starts _and ends_ with
+a slash. Hence a subdirectory does not continue with a
+slash after the rootdir, since the candidate path has
+been normalized.
+
+This fix just omits the string comparison and the
+next character checks in the case of rootdir "/",
+which is correct because we know that the candidate
+path is normalized and hence starts with a '/'.
+
+The patch is fairly minimal, but changes indentation,
+hence best viewed with 'git show -w'.
+
+A side effect is that the rootdir="/" case needs
+one strncmp less.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11647
+
+Pair-Programmed-With: Jose A. Rivera <jarrpa at samba.org>
+
+Signed-off-by: Michael Adam <obnox at samba.org>
+Signed-off-by: Jose A. Rivera <jarrpa at samba.org>
+Reviewed-by: Jeremy Allison <jra at samba.org>
+
+Autobuild-User(master): Michael Adam <obnox at samba.org>
+Autobuild-Date(master): Thu Dec 24 00:57:31 CET 2015 on sn-devel-144
+---
+ source3/smbd/vfs.c | 78 +++++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 53 insertions(+), 25 deletions(-)
+
+--- a/source3/smbd/vfs.c
++++ b/source3/smbd/vfs.c
+@@ -982,7 +982,6 @@ NTSTATUS check_reduced_name(connection_s
+ if (!allow_widelinks || !allow_symlinks) {
+ const char *conn_rootdir;
+ size_t rootdir_len;
+- bool matched;
+
+ conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
+ if (conn_rootdir == NULL) {
+@@ -993,17 +992,33 @@ NTSTATUS check_reduced_name(connection_s
+ }
+
+ rootdir_len = strlen(conn_rootdir);
+- matched = (strncmp(conn_rootdir, resolved_name,
+- rootdir_len) == 0);
+- if (!matched || (resolved_name[rootdir_len] != '/' &&
+- resolved_name[rootdir_len] != '\0')) {
+- DEBUG(2, ("check_reduced_name: Bad access "
+- "attempt: %s is a symlink outside the "
+- "share path\n", fname));
+- DEBUGADD(2, ("conn_rootdir =%s\n", conn_rootdir));
+- DEBUGADD(2, ("resolved_name=%s\n", resolved_name));
+- SAFE_FREE(resolved_name);
+- return NT_STATUS_ACCESS_DENIED;
++
++ /*
++ * In the case of rootdir_len == 1, we know that
++ * conn_rootdir is "/", and we also know that
++ * resolved_name starts with a slash. So, in this
++ * corner case, resolved_name is automatically a
++ * sub-directory of the conn_rootdir. Thus we can skip
++ * the string comparison and the next character checks
++ * (which are even wrong in this case).
++ */
++ if (rootdir_len != 1) {
++ bool matched;
++
++ matched = (strncmp(conn_rootdir, resolved_name,
++ rootdir_len) == 0);
++ if (!matched || (resolved_name[rootdir_len] != '/' &&
++ resolved_name[rootdir_len] != '\0')) {
++ DEBUG(2, ("check_reduced_name: Bad access "
++ "attempt: %s is a symlink outside the "
++ "share path\n", fname));
++ DEBUGADD(2, ("conn_rootdir =%s\n",
++ conn_rootdir));
++ DEBUGADD(2, ("resolved_name=%s\n",
++ resolved_name));
++ SAFE_FREE(resolved_name);
++ return NT_STATUS_ACCESS_DENIED;
++ }
+ }
+
+ /* Extra checks if all symlinks are disallowed. */
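Review bot: The skip `if (rootdir_len != 1)` keys on length alone, while the comment above it asserts that conn_rootdir is "/" — any other one-character connect path would bypass the prefix check too. If SMB_VFS_CONNECTPATH always returns an absolute path the two are equivalent, but the explicit form costs nothing and documents the assumption: `if (strcmp(conn_rootdir, "/") != 0) {`. The comment's claim that resolved_name starts with a slash likewise rests on it being a realpath() result, which is established outside the hunk; check_reduced_name continues beyond it.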
diff --git a/debian/patches/series b/debian/patches/series
index bbec167..564222d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,8 @@ security-CVE-2014-0178.patch
security-CVE-2014-0244.patch
security-CVE-2014-3493.patch
security-CVE-2015-0240.patch
+CVE-2015-5252-v3-6-bso11395.patch
+CVE-2015-5299-v3-6-bso11529.patch
+CVE-2015-5296-v3-6-bso11536.patch
+s3-smbd-fix-a-corner-case-of-the-symlink-verificatio.patch
+CVE-2015-7560-v3-6.patch
diff --git a/debian/patches/waf-as-source.patch b/debian/patches/waf-as-source.patch
index 3ba7d23..985ed5a 100644
--- a/debian/patches/waf-as-source.patch
+++ b/debian/patches/waf-as-source.patch
@@ -44,10 +44,6 @@ index 9ef8a1f..0000000
-You can get a svn copy of the upstream source with:
-
- svn checkout http://waf.googlecode.com/svn/trunk/ waf-read-only
-diff --git a/buildtools/bin/waf-svn b/buildtools/bin/waf-svn
-deleted file mode 100755
-index 6d54d5f..0000000
-Binary files a/buildtools/bin/waf-svn and /dev/null differ
diff --git a/buildtools/update-waf.sh b/buildtools/update-waf.sh
new file mode 100755
index 0000000..bb3a4bf
--