[SCM] Samba Shared Repository - branch v3-3-stable updated - release-3-3-6

Karolin Seeger kseeger at samba.org
Tue Jun 23 13:23:03 GMT 2009


The branch, v3-3-stable has been updated
       via  b09440c77b93ff6088c2fd474d6b24c081054812 (commit)
       via  a71fdf8189154cd8949016be725c8319671ba587 (commit)
       via  c4e515314fa82739936380d11550fc531d624596 (commit)
      from  aa97504f0358dcc23de7a65f39a1c4d24f0709b7 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable


- Log -----------------------------------------------------------------
commit b09440c77b93ff6088c2fd474d6b24c081054812
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Jun 23 11:35:13 2009 +0200

    VERSION: Raise version number up to 3.3.6.
    
    Karolin

commit a71fdf8189154cd8949016be725c8319671ba587
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Jun 23 11:33:44 2009 +0200

    WHATSNEW: Update changes since 3.3.5.
    
    Karolin

commit c4e515314fa82739936380d11550fc531d624596
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jun 19 11:00:41 2009 +0200

    Bug 6488: acl_group_override() call in posix acls references an uninitialized variable.
    (cherry picked from commit f92195e3a1baaddda47a5d496f9488c8445b41ad)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt             |   54 ++++++++++++++++++++++++++++++++++++++++++++-
 source/VERSION           |    2 +-
 source/smbd/posix_acls.c |   22 ++++++++----------
 3 files changed, 63 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 70fdb8e..58bb038 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,55 @@
                    =============================
+                   Release Notes for Samba 3.3.6
+			  June, 23  2009
+                   =============================
+
+
+This is a security release in order to address CVE-2009-1888.
+
+   o CVE-2009-1888:
+     In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
+     data value can potentially affect access control when "dos filemode"
+     is set to "yes".
+
+
+######################################################################
+Changes
+#######
+
+
+Changes since 3.3.5:
+--------------------
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 6488: Fix for CVE-2009-1888.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
+                   =============================
                    Release Notes for Samba 3.3.5
 			  June, 16  2009
                    =============================
@@ -117,8 +168,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
 
 
                    =============================
diff --git a/source/VERSION b/source/VERSION
index 8eb5331..7c5eaab 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=5
+SAMBA_VERSION_RELEASE=6
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index 93bc44b..1afd48e 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -2384,24 +2384,22 @@ static bool current_user_in_group(gid_t gid)
 ****************************************************************************/
 
 static bool acl_group_override(connection_struct *conn,
-				gid_t prim_gid,
+				SMB_STRUCT_STAT *psbuf,
 				const char *fname)
 {
-	SMB_STRUCT_STAT sbuf;
-
 	if ((errno != EPERM) && (errno != EACCES)) {
 		return false;
 	}
 
 	/* file primary group == user primary or supplementary group */
 	if (lp_acl_group_control(SNUM(conn)) &&
-			current_user_in_group(prim_gid)) {
+			current_user_in_group(psbuf->st_gid)) {
 		return true;
 	}
 
 	/* user has writeable permission */
 	if (lp_dos_filemode(SNUM(conn)) &&
-			can_write_to_file(conn, fname, &sbuf)) {
+			can_write_to_file(conn, fname, psbuf)) {
 		return true;
 	}
 
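Review bot: The comment block above acl_group_override() does not record the new precondition on `psbuf`: the function now reads `psbuf->st_gid` and hands the same buffer to `can_write_to_file()`, so it must point to a stat result already filled in for `fname`. A NULL or unfilled buffer from a future caller would put an unchecked value back into the access decision. I would add a line to that comment such as `psbuf must be non-NULL and hold a valid stat of fname; it is used for the group check and passed to can_write_to_file().` The comment block starts above this hunk and the function's final return lies below it, so neither is fully visible here.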
@@ -2412,7 +2410,7 @@ static bool acl_group_override(connection_struct *conn,
  Attempt to apply an ACL to a file or directory.
 ****************************************************************************/
 
-static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool default_ace, gid_t prim_gid, bool *pacl_set_support)
+static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool default_ace, SMB_STRUCT_STAT *psbuf, bool *pacl_set_support)
 {
 	connection_struct *conn = fsp->conn;
 	bool ret = False;
@@ -2591,7 +2589,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
 				*pacl_set_support = False;
 			}
 
-			if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
+			if (acl_group_override(conn, psbuf, fsp->fsp_name)) {
 				int sret;
 
 				DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
@@ -2622,7 +2620,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
 				*pacl_set_support = False;
 			}
 
-			if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
+			if (acl_group_override(conn, psbuf, fsp->fsp_name)) {
 				int sret;
 
 				DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
@@ -3618,7 +3616,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC
 		if (set_acl_as_root) {
 			become_root();
 		}
-		ret = set_canon_ace_list(fsp, file_ace_list, False, sbuf.st_gid, &acl_set_support);
+		ret = set_canon_ace_list(fsp, file_ace_list, False, &sbuf, &acl_set_support);
 		if (set_acl_as_root) {
 			unbecome_root();
 		}
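Review bot: Nothing in these hunks shows that `sbuf` holds a valid, current stat of `fsp->fsp_name` when `&sbuf` is passed at the four set_nt_acl() call sites (this hunk and those at -3635, -3660 and -3720). Before this change only `sbuf.st_gid` was consumed; now the whole structure reaches `can_write_to_file()` and so feeds the "dos filemode" override decision. It is worth confirming that every path to these calls has a successful stat in `sbuf`, and that it is refreshed if ownership or mode is changed earlier in the function. A short comment at the first call, e.g. `/* sbuf must be a valid, current stat of fsp->fsp_name here */`, would record the requirement. The place where `sbuf` is filled lies outside the hunk.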
@@ -3635,7 +3633,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC
 			if (set_acl_as_root) {
 				become_root();
 			}
-			ret = set_canon_ace_list(fsp, dir_ace_list, True, sbuf.st_gid, &acl_set_support);
+			ret = set_canon_ace_list(fsp, dir_ace_list, True, &sbuf, &acl_set_support);
 			if (set_acl_as_root) {
 				unbecome_root();
 			}
@@ -3660,7 +3658,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC
 				unbecome_root();
 			}
 			if (sret == -1) {
-				if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
+				if (acl_group_override(conn, &sbuf, fsp->fsp_name)) {
 					DEBUG(5,("set_nt_acl: acl group control on and "
 						"current user in file %s primary group. Override delete_def_acl\n",
 						fsp->fsp_name ));
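Review bot: acl_group_override() returns false unless `errno` is EPERM or EACCES, yet at this call site (and the one in the hunk at -3720) `unbecome_root()` can run between the failing call that set `sret` and the override check. If `unbecome_root()` is able to change `errno`, the override would be evaluated against the wrong error. Saving the value right after the failing call and restoring it before the check, e.g. `int saved_errno = errno;` followed later by `errno = saved_errno;`, would remove that dependency. The failing call and the `if (set_acl_as_root)` guard are above the hunk, so this is inferred from the visible lines only.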
@@ -3720,7 +3718,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC
 				unbecome_root();
 			}
 			if(sret == -1) {
-				if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
+				if (acl_group_override(conn, &sbuf, fsp->fsp_name)) {
 					DEBUG(5,("set_nt_acl: acl group control on and "
 						"current user in file %s primary group. Override chmod\n",
 						fsp->fsp_name ));


-- 
Samba Shared Repository

