[SCM] Samba Shared Repository - branch v3-0-stable updated - release-3-0-36-7-gdff54f7
Karolin Seeger
kseeger at samba.org
Thu Oct 1 06:24:15 MDT 2009
The branch, v3-0-stable has been updated
via dff54f716bdd76e3d167dc96bba6e168ef58cadd (commit)
via 42c537c845f48149cb8492cb0eaa114fe64694f1 (commit)
via c1a4a99f8cc5803682a94060efee1adf330c4f02 (commit)
via 1c2a816df9fd9e3a3839a679a72b3041b0217dc3 (commit)
via 87fe29ca3239492126a99e1562db673ea7ca208b (commit)
via 493ee2c888c4eb54dfa4063ac9fb3f19323a7b4c (commit)
via 4e6a1f8a6b1382504699b94e24809704dd3952bb (commit)
from 9fae819cd93e56d68facc51586c5fb3bd228a5bc (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-stable
- Log -----------------------------------------------------------------
commit dff54f716bdd76e3d167dc96bba6e168ef58cadd
Author: Jeremy Allison <jra at samba.org>
Date: Wed Sep 30 14:21:56 2009 +0200
Fix for CVE-2009-2906.
Summary:
Specially crafted SMB requests on
authenticated SMB connections can send smbd
into a 100% CPU loop, causing a DoS on the
Samba server.
commit 42c537c845f48149cb8492cb0eaa114fe64694f1
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Sep 30 13:55:57 2009 +0200
WHATSNEW: Update release notes.
Karolin
commit c1a4a99f8cc5803682a94060efee1adf330c4f02
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Sep 28 20:36:29 2009 +0200
Fix for CVE-2009-2813.
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
commit 1c2a816df9fd9e3a3839a679a72b3041b0217dc3
Author: Jeff Layton <jlayton at redhat.com>
Date: Fri Sep 25 07:05:00 2009 -0400
mount.cifs: don't leak passwords with verbose option
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton at redhat.com>
Acked-by: Steve French <sfrench at us.ibm.com>
Part 2/2 of a fix for CVE-2009-2948.
commit 87fe29ca3239492126a99e1562db673ea7ca208b
Author: Jeff Layton <jlayton at redhat.com>
Date: Fri Sep 25 07:05:00 2009 -0400
mount.cifs: check access of credential files before opening
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton at redhat.com>
Acked-by: Steve French <sfrench at us.ibm.com>
Part 1/2 of a fix for CVE-2009-2948.
commit 493ee2c888c4eb54dfa4063ac9fb3f19323a7b4c
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Sep 28 20:33:23 2009 +0200
WHATSNEW: Prepare release notes for Samba 3.0.37.
Karolin
commit 4e6a1f8a6b1382504699b94e24809704dd3952bb
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 24 14:27:19 2009 +0200
Raise version number up to 3.0.37.
Karolin
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 66 ++++++++++++++++++++++++++++++++++++++++++-
source/VERSION | 2 +-
source/client/mount.cifs.c | 65 ++++++++++++++++++++++++++++++-------------
source/include/smb.h | 1 +
source/param/loadparm.c | 7 ++++-
source/smbd/process.c | 20 ++++++++++--
source/smbd/service.c | 11 ++++++-
7 files changed, 143 insertions(+), 29 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2ad423a..21701c5 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,66 @@
==============================
+ Release Notes for Samba 3.0.37
+ October, 1 2009
+ ==============================
+
+
+This is a security release in order to address CVE-2009-2813, CVE-2009-2948
+and CVE-2009-2906.
+Please note that Samba 3.0 is not maintained any longer. This security
+release is shipped on a voluntary basis.
+
+ o CVE-2009-2813:
+ In all versions of Samba later than 3.0.11, connecting to the home
+ share of a user will use the root of the filesystem
+ as the home directory if this user is misconfigured to have
+ an empty home directory in /etc/passwd.
+
+ o CVE-2009-2948:
+ If mount.cifs is installed as a setuid program, a user can pass it a
+ credential or password path to which he or she does not have access and
+ then use the --verbose option to view the first line of that file.
+
+ o CVE-2009-2906:
+ Specially crafted SMB requests on authenticated SMB connections can
+ send smbd into a 100% CPU loop, causing a DoS on the Samba server.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.36
+--------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 6763: Fix for CVE-2009-2813.
+ * BUG 6768: Fix for CVE-2009-2906.
+
+
+o Jeff Layton <jlayton at redhat.com>
+ * Fix for CVE-2009-2948.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+As 3.0 bugs will not be fixed any longer, it does not make sense to
+create bug reports for this version. If there are any issues, please
+retry with the latest Samba version and file a bug report for that
+version if the issue still exists.
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+-------------------------------------------------
+
+ ==============================
Release Notes for Samba 3.0.36
August, 5 2009
==============================
@@ -100,8 +162,8 @@ version if the issue still exists.
======================================================================
-Release notes for older releases follow:
--------------------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 3.0.35
diff --git a/source/VERSION b/source/VERSION
index ae54185..db4d0ce 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=36
+SAMBA_VERSION_RELEASE=37
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source/client/mount.cifs.c b/source/client/mount.cifs.c
index d05115b..a947dd1 100644
--- a/source/client/mount.cifs.c
+++ b/source/client/mount.cifs.c
@@ -199,6 +199,11 @@ static int open_cred_file(char * file_name)
char * temp_val;
FILE * fs;
int i, length;
+
+ i = access(file_name, R_OK);
+ if (i)
+ return i;
+
fs = fopen(file_name,"r");
if(fs == NULL)
return errno;
@@ -321,6 +326,12 @@ static int get_password_from_file(int file_descript, char * filename)
}
if(filename != NULL) {
+ rc = access(filename, R_OK);
+ if (rc) {
+ fprintf(stderr, "mount.cifs failed: access check of %s failed: %s\n",
+ filename, strerror(errno));
+ exit(EX_SYSERR);
+ }
file_descript = open(filename, O_RDONLY);
if(file_descript < 0) {
printf("mount.cifs failed. %s attempting to open password file %s\n",
@@ -380,9 +391,6 @@ static int parse_options(char ** optionsp, int * filesys_flags)
return 1;
data = *optionsp;
- if(verboseflag)
- printf("parsing options: %s\n", data);
-
/* BB fixme check for separator override BB */
if (getuid()) {
@@ -471,18 +479,27 @@ static int parse_options(char ** optionsp, int * filesys_flags)
} else if (strncmp(data, "pass", 4) == 0) {
if (!value || !*value) {
if(got_password) {
- printf("\npassword specified twice, ignoring second\n");
+ fprintf(stderr, "\npassword specified twice, ignoring second\n");
} else
got_password = 1;
- } else if (strnlen(value, 17) < 17) {
- if(got_password)
- printf("\nmount.cifs warning - password specified twice\n");
- got_password = 1;
+ } else if (strnlen(value, MOUNT_PASSWD_SIZE) < MOUNT_PASSWD_SIZE) {
+ if (got_password) {
+ fprintf(stderr, "\nmount.cifs warning - password specified twice\n");
+ } else {
+ mountpassword = strndup(value, MOUNT_PASSWD_SIZE);
+ if (!mountpassword) {
+ fprintf(stderr, "mount.cifs error: %s", strerror(ENOMEM));
+ SAFE_FREE(out);
+ return 1;
+ }
+ got_password = 1;
+ }
} else {
- printf("password too long\n");
+ fprintf(stderr, "password too long\n");
SAFE_FREE(out);
return 1;
}
+ goto nocopy;
} else if (strncmp(data, "sec", 3) == 0) {
if (value) {
if (!strncmp(value, "none", 4) ||
@@ -1370,15 +1387,6 @@ mount_retry:
strlcat(options,domain_name,options_size);
}
}
- if(mountpassword) {
- /* Commas have to be doubled, or else they will
- look like the parameter separator */
-/* if(sep is not set)*/
- if(retry == 0)
- check_for_comma(&mountpassword);
- strlcat(options,",pass=",options_size);
- strlcat(options,mountpassword,options_size);
- }
strlcat(options,",ver=",options_size);
strlcat(options,MOUNT_CIFS_VERSION_MAJOR,options_size);
@@ -1391,8 +1399,6 @@ mount_retry:
strlcat(options,",prefixpath=",options_size);
strlcat(options,prefixpath,options_size); /* no need to cat the / */
}
- if(verboseflag)
- printf("\nmount.cifs kernel mount options %s \n",options);
/* convert all '\\' to '/' in share portion so that /proc/mounts looks pretty */
replace_char(dev_name, '\\', '/', strlen(share_name));
@@ -1424,6 +1430,25 @@ mount_retry:
}
}
+ if(verboseflag)
+ fprintf(stderr, "\nmount.cifs kernel mount options: %s", options);
+
+ if (mountpassword) {
+ /*
+ * Commas have to be doubled, or else they will
+ * look like the parameter separator
+ */
+ if(retry == 0)
+ check_for_comma(&mountpassword);
+ strlcat(options,",pass=",options_size);
+ strlcat(options,mountpassword,options_size);
+ if (verboseflag)
+ fprintf(stderr, ",pass=********");
+ }
+
+ if (verboseflag)
+ fprintf(stderr, "\n");
+
if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
switch (errno) {
case ECONNREFUSED:
diff --git a/source/include/smb.h b/source/include/smb.h
index 7484efd..e512add 100644
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -759,6 +759,7 @@ struct pending_message_list {
struct pending_message_list *next, *prev;
struct timeval request_time; /* When was this first issued? */
struct timeval end_time; /* When does this time out? */
+ bool processed;
DATA_BLOB buf;
DATA_BLOB private_data;
};
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 4fc0c06..71a0e7b 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -2655,6 +2655,11 @@ BOOL lp_add_home(const char *pszHomename, int iDefaultService,
int i;
pstring newHomedir;
+ if (pszHomename == NULL || user == NULL || pszHomedir == NULL ||
+ pszHomedir[0] == '\0') {
+ return False;
+ }
+
i = add_a_service(ServicePtrs[iDefaultService], pszHomename);
if (i < 0)
@@ -4135,7 +4140,7 @@ static void lp_add_auto_services(char *str)
if (lp_servicenumber(p) >= 0)
continue;
- if (home && homes >= 0)
+ if (home && home[0] && homes >= 0)
lp_add_home(p, homes, p, home);
}
SAFE_FREE(s);
diff --git a/source/smbd/process.c b/source/smbd/process.c
index cf29886..e861e16 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -93,6 +93,7 @@ static BOOL push_queued_message(char *buf, int msg_len,
msg->request_time = request_time;
msg->end_time = end_time;
+ msg->processed = false;
if (private_data) {
msg->private_data = data_blob_talloc(msg, private_data,
@@ -162,7 +163,7 @@ void schedule_deferred_open_smb_message(uint16 mid)
}
/****************************************************************************
- Return true if this mid is on the deferred queue.
+ Return true if this mid is on the deferred queue and was not yet processed.
****************************************************************************/
BOOL open_was_deferred(uint16 mid)
@@ -170,7 +171,7 @@ BOOL open_was_deferred(uint16 mid)
struct pending_message_list *pml;
for (pml = deferred_open_queue; pml; pml = pml->next) {
- if (SVAL(pml->buf.data,smb_mid) == mid) {
+ if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
return True;
}
}
@@ -409,6 +410,10 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout)
/* We leave this message on the queue so the open code can
know this is a retry. */
DEBUG(5,("receive_message_or_smb: returning deferred open smb message.\n"));
+
+ /* Mark the message as processed so this is not
+ * re-processed in error. */
+ msg->processed = true;
return True;
}
}
@@ -967,8 +972,6 @@ static int switch_message(int type,char *inbuf,char *outbuf,int size,int bufsize
}
if (!change_to_user(conn,session_tag)) {
- remove_deferred_open_smb_message(
- SVAL(inbuf, smb_mid));
return(ERROR_NT(NT_STATUS_DOS(ERRSRV,ERRbaduid)));
}
@@ -1017,9 +1020,11 @@ static int switch_message(int type,char *inbuf,char *outbuf,int size,int bufsize
static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
{
+ struct pending_message_list *pml = NULL;
int type = CVAL(inbuf,smb_com);
int outsize = 0;
int msg_type = CVAL(inbuf,0);
+ uint16_t mid = SVAL(inbuf, smb_mid);
chain_size = 0;
file_chain_reset();
@@ -1032,6 +1037,13 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
outsize = switch_message(type,inbuf,outbuf,size,bufsize);
+ /* If this was a deferred message and it's still there and
+ * was processed, remove it. */
+ pml = get_open_deferred_message(mid);
+ if (pml && pml->processed) {
+ remove_deferred_open_smb_message(mid);
+ }
+
outsize += chain_size;
if(outsize > 4)
diff --git a/source/smbd/service.c b/source/smbd/service.c
index bfe9649..390e606 100644
--- a/source/smbd/service.c
+++ b/source/smbd/service.c
@@ -224,7 +224,7 @@ int add_home_service(const char *service, const char *username, const char *home
{
int iHomeService;
- if (!service || !homedir)
+ if (!service || !homedir || homedir[0] == '\0')
return -1;
if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0)
@@ -801,6 +801,15 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
get_current_username(),
current_user_info.domain,
s, sizeof(s));
+
+ if (s[0] == '\0') {
+ DEBUG(6, ("service [%s] did not resolve to a path\n",
+ lp_servicename(snum)));
+ conn_free(conn);
+ *status = NT_STATUS_BAD_NETWORK_NAME;
+ return NULL;
+ }
+
set_conn_connectpath(conn,s);
DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
lp_servicename(snum)));
--
Samba Shared Repository
More information about the samba-cvs
mailing list