[SCM] Samba Shared Repository - branch v3-4-stable updated - release-3-4-1-8-g7439cd5
Karolin Seeger
kseeger at samba.org
Thu Oct 1 06:16:09 MDT 2009
The branch, v3-4-stable has been updated
via 7439cd5efa50058741c57857109690e4a104f9f0 (commit)
via 9851a27b2f73e16c730983f60f7d580de897da95 (commit)
via cc0829c00d527ba0e707efe0f57d637a38b03dee (commit)
via ac075bd679fd59e93ea13780f6651a431002edd0 (commit)
via 2a422f453dd3ad9978e6ec0ac40c122163c028ed (commit)
via 42351937b00f6aa013d16c2a4dbd0b37e7e9ed11 (commit)
via 53ba0b36d0d3bb2fb4b2fc5335920487060ed284 (commit)
via d805592d6fb1fa841a74c547945226a916494a2d (commit)
from d7b06955393e92255f807db0ef4786e9037d31ec (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-stable
- Log -----------------------------------------------------------------
commit 7439cd5efa50058741c57857109690e4a104f9f0
Author: Jeremy Allison <jra at samba.org>
Date: Wed Sep 30 14:17:40 2009 +0200
Fix for CVE-2009-2906.
Summary:
Specially crafted SMB requests on
authenticated SMB connections can send smbd
into a 100% CPU loop, causing a DoS on the
Samba server.
commit 9851a27b2f73e16c730983f60f7d580de897da95
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Sep 30 13:54:22 2009 +0200
WHATSNEW: Update release notes.
Karolin
commit cc0829c00d527ba0e707efe0f57d637a38b03dee
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Sep 28 13:38:32 2009 +0200
WHATSNEW: Update release date.
Karolin
commit ac075bd679fd59e93ea13780f6651a431002edd0
Author: Jeremy Allison <jra at samba.org>
Date: Mon Sep 28 13:26:37 2009 +0200
Fix for CVE-2009-2813.
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
commit 2a422f453dd3ad9978e6ec0ac40c122163c028ed
Author: Jeff Layton <jlayton at redhat.com>
Date: Fri Sep 25 07:03:07 2009 -0400
mount.cifs: don't leak passwords with verbose option
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton at redhat.com>
Acked-by: Steve French <sfrench at us.ibm.com>
Part 2/2 of a fix for CVE-2009-2948.
commit 42351937b00f6aa013d16c2a4dbd0b37e7e9ed11
Author: Jeff Layton <jlayton at redhat.com>
Date: Fri Sep 25 06:51:01 2009 -0400
mount.cifs: check access of credential files before opening
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton at redhat.com>
Acked-by: Steve French <sfrench at us.ibm.com>
Part 1/2 of a fix for CVE-2009-2948.
commit 53ba0b36d0d3bb2fb4b2fc5335920487060ed284
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Sep 28 13:21:07 2009 +0200
WHATSNEW: Prepare release notes for 3.4.2.
Karolin
commit d805592d6fb1fa841a74c547945226a916494a2d
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 24 14:29:43 2009 +0200
Raise version number up to 3.4.2.
Karolin
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 70 +++++++++++++++++++++++++++++++++++++++++--
source3/VERSION | 2 +-
source3/client/mount.cifs.c | 65 +++++++++++++++++++++++++++------------
source3/include/smb.h | 1 +
source3/param/loadparm.c | 7 ++++-
source3/smbd/process.c | 30 +++++++++++++++---
source3/smbd/service.c | 6 +++-
7 files changed, 150 insertions(+), 31 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c066e4b..f1c9d50 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
=============================
+ Release Notes for Samba 3.4.2
+ October 1, 2009
+ =============================
+
+
+This is a security release in order to address CVE-2009-2813, CVE-2009-2948
+and CVE-2009-2906.
+
+ o CVE-2009-2813:
+ In all versions of Samba later than 3.0.11, connecting to the home
+ share of a user will use the root of the filesystem
+ as the home directory if this user is misconfigured to have
+ an empty home directory in /etc/passwd.
+
+ o CVE-2009-2948:
+ If mount.cifs is installed as a setuid program, a user can pass it a
+ credential or password path to which he or she does not have access and
+ then use the --verbose option to view the first line of that file.
+ All known Samba versions are affected.
+
+ o CVE-2009-2906:
+ Specially crafted SMB requests on authenticated SMB connections can
+ send smbd into a 100% CPU loop, causing a DoS on the Samba server.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.4.1
+-------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 6763: Fix for CVE-2009-2813.
+ * BUG 6768: Fix for CVE-2009-2906.
+
+
+o Jeff Layton <jlayton at redhat.com>
+ * Fix for CVE-2009-2948.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older versions follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 3.4.1
September 9, 2009
=============================
@@ -134,9 +200,7 @@ database (https://bugzilla.samba.org/).
== The Samba Team
======================================================================
-
-Release notes for older versions follow:
-----------------------------------------
+----------------------------------------------------------------------
=============================
Release Notes for Samba 3.4.0
diff --git a/source3/VERSION b/source3/VERSION
index 5ea32ae..6a6ab01 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
index 0c551cc..43dc7f6 100644
--- a/source3/client/mount.cifs.c
+++ b/source3/client/mount.cifs.c
@@ -198,6 +198,11 @@ static int open_cred_file(char * file_name)
char * temp_val;
FILE * fs;
int i, length;
+
+ i = access(file_name, R_OK);
+ if (i)
+ return i;
+
fs = fopen(file_name,"r");
if(fs == NULL)
return errno;
@@ -320,6 +325,12 @@ static int get_password_from_file(int file_descript, char * filename)
}
if(filename != NULL) {
+ rc = access(filename, R_OK);
+ if (rc) {
+ fprintf(stderr, "mount.cifs failed: access check of %s failed: %s\n",
+ filename, strerror(errno));
+ exit(EX_SYSERR);
+ }
file_descript = open(filename, O_RDONLY);
if(file_descript < 0) {
printf("mount.cifs failed. %s attempting to open password file %s\n",
@@ -379,9 +390,6 @@ static int parse_options(char ** optionsp, int * filesys_flags)
return 1;
data = *optionsp;
- if(verboseflag)
- printf("parsing options: %s\n", data);
-
/* BB fixme check for separator override BB */
if (getuid()) {
@@ -470,18 +478,27 @@ static int parse_options(char ** optionsp, int * filesys_flags)
} else if (strncmp(data, "pass", 4) == 0) {
if (!value || !*value) {
if(got_password) {
- printf("\npassword specified twice, ignoring second\n");
+ fprintf(stderr, "\npassword specified twice, ignoring second\n");
} else
got_password = 1;
- } else if (strnlen(value, 17) < 17) {
- if(got_password)
- printf("\nmount.cifs warning - password specified twice\n");
- got_password = 1;
+ } else if (strnlen(value, MOUNT_PASSWD_SIZE) < MOUNT_PASSWD_SIZE) {
+ if (got_password) {
+ fprintf(stderr, "\nmount.cifs warning - password specified twice\n");
+ } else {
+ mountpassword = strndup(value, MOUNT_PASSWD_SIZE);
+ if (!mountpassword) {
+ fprintf(stderr, "mount.cifs error: %s", strerror(ENOMEM));
+ SAFE_FREE(out);
+ return 1;
+ }
+ got_password = 1;
+ }
} else {
- printf("password too long\n");
+ fprintf(stderr, "password too long\n");
SAFE_FREE(out);
return 1;
}
+ goto nocopy;
} else if (strncmp(data, "sec", 3) == 0) {
if (value) {
if (!strncmp(value, "none", 4) ||
@@ -1384,15 +1401,6 @@ mount_retry:
strlcat(options,domain_name,options_size);
}
}
- if(mountpassword) {
- /* Commas have to be doubled, or else they will
- look like the parameter separator */
-/* if(sep is not set)*/
- if(retry == 0)
- check_for_comma(&mountpassword);
- strlcat(options,",pass=",options_size);
- strlcat(options,mountpassword,options_size);
- }
strlcat(options,",ver=",options_size);
strlcat(options,MOUNT_CIFS_VERSION_MAJOR,options_size);
@@ -1405,8 +1413,6 @@ mount_retry:
strlcat(options,",prefixpath=",options_size);
strlcat(options,prefixpath,options_size); /* no need to cat the / */
}
- if(verboseflag)
- printf("\nmount.cifs kernel mount options %s \n",options);
/* convert all '\\' to '/' in share portion so that /proc/mounts looks pretty */
replace_char(dev_name, '\\', '/', strlen(share_name));
@@ -1438,6 +1444,25 @@ mount_retry:
}
}
+ if(verboseflag)
+ fprintf(stderr, "\nmount.cifs kernel mount options: %s", options);
+
+ if (mountpassword) {
+ /*
+ * Commas have to be doubled, or else they will
+ * look like the parameter separator
+ */
+ if(retry == 0)
+ check_for_comma(&mountpassword);
+ strlcat(options,",pass=",options_size);
+ strlcat(options,mountpassword,options_size);
+ if (verboseflag)
+ fprintf(stderr, ",pass=********");
+ }
+
+ if (verboseflag)
+ fprintf(stderr, "\n");
+
if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
switch (errno) {
case ECONNREFUSED:
diff --git a/source3/include/smb.h b/source3/include/smb.h
index b20a8ef..6e03dd5 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -725,6 +725,7 @@ struct pending_message_list {
struct timed_event *te;
struct smb_perfcount_data pcd;
bool encrypted;
+ bool processed;
DATA_BLOB buf;
DATA_BLOB private_data;
};
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 553938f..4fd25c1 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -6091,6 +6091,11 @@ bool lp_add_home(const char *pszHomename, int iDefaultService,
{
int i;
+ if (pszHomename == NULL || user == NULL || pszHomedir == NULL ||
+ pszHomedir[0] == '\0') {
+ return false;
+ }
+
i = add_a_service(ServicePtrs[iDefaultService], pszHomename);
if (i < 0)
@@ -8062,7 +8067,7 @@ static void lp_add_auto_services(char *str)
home = get_user_home_dir(talloc_tos(), p);
- if (home && homes >= 0)
+ if (home && home[0] && homes >= 0)
lp_add_home(p, homes, p, home);
TALLOC_FREE(home);
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index caf9241..b4976f7 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -412,6 +412,7 @@ static void smbd_deferred_open_timer(struct event_context *ev,
struct pending_message_list *msg = talloc_get_type(private_data,
struct pending_message_list);
TALLOC_CTX *mem_ctx = talloc_tos();
+ uint16_t mid = SVAL(msg->buf.data,smb_mid);
uint8_t *inbuf;
inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
@@ -424,11 +425,21 @@ static void smbd_deferred_open_timer(struct event_context *ev,
/* We leave this message on the queue so the open code can
know this is a retry. */
DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
- (unsigned int)SVAL(msg->buf.data,smb_mid)));
+ (unsigned int)mid));
+
+ /* Mark the message as processed so this is not
+ * re-processed in error. */
+ msg->processed = true;
process_smb(smbd_server_conn, inbuf,
msg->buf.length, 0,
msg->encrypted, &msg->pcd);
+
+ /* If it's still there and was processed, remove it. */
+ msg = get_open_deferred_message(mid);
+ if (msg && msg->processed) {
+ remove_deferred_open_smb_message(mid);
+ }
}
/****************************************************************************
@@ -460,6 +471,7 @@ static bool push_queued_message(struct smb_request *req,
msg->request_time = request_time;
msg->encrypted = req->encrypted;
+ msg->processed = false;
SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
if (private_data) {
@@ -501,7 +513,7 @@ void remove_deferred_open_smb_message(uint16 mid)
for (pml = deferred_open_queue; pml; pml = pml->next) {
if (mid == SVAL(pml->buf.data,smb_mid)) {
- DEBUG(10,("remove_sharing_violation_open_smb_message: "
+ DEBUG(10,("remove_deferred_open_smb_message: "
"deleting mid %u len %u\n",
(unsigned int)mid,
(unsigned int)pml->buf.length ));
@@ -531,6 +543,15 @@ void schedule_deferred_open_smb_message(uint16 mid)
if (mid == msg_mid) {
struct timed_event *te;
+ if (pml->processed) {
+ /* A processed message should not be
+ * rescheduled. */
+ DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
+ "message mid %u was already processed\n",
+ msg_mid ));
+ continue;
+ }
+
DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
mid ));
@@ -557,7 +578,7 @@ void schedule_deferred_open_smb_message(uint16 mid)
}
/****************************************************************************
- Return true if this mid is on the deferred queue.
+ Return true if this mid is on the deferred queue and was not yet processed.
****************************************************************************/
bool open_was_deferred(uint16 mid)
@@ -565,7 +586,7 @@ bool open_was_deferred(uint16 mid)
struct pending_message_list *pml;
for (pml = deferred_open_queue; pml; pml = pml->next) {
- if (SVAL(pml->buf.data,smb_mid) == mid) {
+ if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
return True;
}
}
@@ -1300,7 +1321,6 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
if (!change_to_user(conn,session_tag)) {
reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid));
- remove_deferred_open_smb_message(req->mid);
return conn;
}
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index fc59744..902a7c4 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -56,6 +56,10 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
const char *s = connectpath;
bool start_of_name_component = true;
+ if (connectpath == NULL || connectpath[0] == '\0') {
+ return false;
+ }
+
destname = SMB_STRDUP(connectpath);
if (!destname) {
return false;
@@ -259,7 +263,7 @@ int add_home_service(const char *service, const char *username, const char *home
{
int iHomeService;
- if (!service || !homedir)
+ if (!service || !homedir || homedir[0] == '\0')
return -1;
if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0) {
--
Samba Shared Repository
More information about the samba-cvs
mailing list