[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-5359-g032bf7a
Karolin Seeger
kseeger at samba.org
Thu Oct 1 06:27:43 MDT 2009
The branch, v3-3-test has been updated
via 032bf7afa7d9dcac3a22e2ad70d442e12a6d5f95 (commit)
via 61b22f4009e7519214ef867e88a0e29c9fa87d5a (commit)
via 7ba27bc1ed8542d2e2999a4331abe93d6b8a0703 (commit)
via 4e44cf1419747c178ce76deaefb8cb1dfca20865 (commit)
via 5942b8b3aca131510d0efc0288144ce82d87443c (commit)
via b056f86f8668f117068e32bea84447cf50597f7a (commit)
via 42fc1f2d083f60482b4f4dfe30becf239a5811ff (commit)
from 457cbb36700cf460375cdbea85ada5676e03aa45 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test
- Log -----------------------------------------------------------------
commit 032bf7afa7d9dcac3a22e2ad70d442e12a6d5f95
Author: Jeremy Allison <jra at samba.org>
Date: Wed Sep 30 14:27:26 2009 +0200
Fix for CVE-2009-2906.
Summary:
Specially crafted SMB requests on
authenticated SMB connections can send smbd
into a 100% CPU loop, causing a DoS on the
Samba server.
(cherry picked from commit 5f1f1c47623f846909481073d56bc909d13e5e37)
commit 61b22f4009e7519214ef867e88a0e29c9fa87d5a
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Sep 30 13:55:06 2009 +0200
WHATSNEW: Update release notes.
Karolin
(cherry picked from commit 7fbee9050d08335c6a3dbf6e267c823b33e928c4)
commit 7ba27bc1ed8542d2e2999a4331abe93d6b8a0703
Author: Jeremy Allison <jra at samba.org>
Date: Mon Sep 28 13:44:12 2009 +0200
Fix for CVE-2009-2813.
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
(cherry picked from commit 8afa10ad7d7e81bcae27b6a913210ef8a1ee4426)
commit 4e44cf1419747c178ce76deaefb8cb1dfca20865
Author: Jeff Layton <jlayton at redhat.com>
Date: Fri Sep 25 07:01:59 2009 -0400
mount.cifs: don't leak passwords with verbose option
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton at redhat.com>
Acked-by: Steve French <sfrench at us.ibm.com>
Part 2/2 of a fix for CVE-2009-2948.
(cherry picked from commit ec0ee6753818d546ad5817bdb09cdd3b7c5673af)
commit 5942b8b3aca131510d0efc0288144ce82d87443c
Author: Jeff Layton <jlayton at redhat.com>
Date: Fri Sep 25 07:00:18 2009 -0400
mount.cifs: check access of credential files before opening
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton at redhat.com>
Acked-by: Steve French <sfrench at us.ibm.com>
Part 1/2 of a fix for CVE-2009-2948.
(cherry picked from commit 8f0af2ed4f330be558987dd52c32b32e4b8ed95f)
commit b056f86f8668f117068e32bea84447cf50597f7a
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Sep 28 13:39:23 2009 +0200
WHATSNEW: Prepare release notes for 3.3.8.
Karolin
(cherry picked from commit f9d71be5013dd8903d39645b6a03332ae18646ed)
commit 42fc1f2d083f60482b4f4dfe30becf239a5811ff
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 24 14:28:54 2009 +0200
Raise version up to 3.3.8.
Karolin
(cherry picked from commit c353ad6d63dc884566cc11df12d9461577031634)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 70 ++++++++++++++++++++++++++++++++++++++++++-
source/VERSION | 2 +-
source/client/mount.cifs.c | 65 ++++++++++++++++++++++++++++------------
source/include/smb.h | 1 +
source/param/loadparm.c | 7 ++++-
source/smbd/process.c | 28 +++++++++++++++--
source/smbd/service.c | 6 +++-
7 files changed, 151 insertions(+), 28 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index faf8f75..0d9aaac 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
=============================
+ Release Notes for Samba 3.3.8
+ October, 1 2009
+ =============================
+
+
+This is a security release in order to address CVE-2009-2813, CVE-2009-2948
+and CVE-2009-2906.
+
+ o CVE-2009-2813:
+ In all versions of Samba later than 3.0.11, connecting to the home
+ share of a user will use the root of the filesystem
+ as the home directory if this user is misconfigured to have
+ an empty home directory in /etc/passwd.
+
+ o CVE-2009-2948:
+ If mount.cifs is installed as a setuid program, a user can pass it a
+ credential or password path to which he or she does not have access and
+ then use the --verbose option to view the first line of that file.
+ All known Samba versions are affected.
+
+ o CVE-2009-2906:
+ Specially crafted SMB requests on authenticated SMB connections can
+ send smbd into a 100% CPU loop, causing a DoS on the Samba server.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.3.7
+-------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 6763: Fix for CVE-2009-2813.
+ * BUG 6768: Fix for CVE-2009-2906.
+
+
+o Jeff Layton <jlayton at redhat.com>
+ * Fix for CVE-2009-2948.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 3.3.7
July, 29 2009
=============================
@@ -72,8 +138,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 3.3.6
diff --git a/source/VERSION b/source/VERSION
index 5123a41..26c39fc 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source/client/mount.cifs.c b/source/client/mount.cifs.c
index 8b62ef7..c78aee0 100644
--- a/source/client/mount.cifs.c
+++ b/source/client/mount.cifs.c
@@ -199,6 +199,11 @@ static int open_cred_file(char * file_name)
char * temp_val;
FILE * fs;
int i, length;
+
+ i = access(file_name, R_OK);
+ if (i)
+ return i;
+
fs = fopen(file_name,"r");
if(fs == NULL)
return errno;
@@ -321,6 +326,12 @@ static int get_password_from_file(int file_descript, char * filename)
}
if(filename != NULL) {
+ rc = access(filename, R_OK);
+ if (rc) {
+ fprintf(stderr, "mount.cifs failed: access check of %s failed: %s\n",
+ filename, strerror(errno));
+ exit(EX_SYSERR);
+ }
file_descript = open(filename, O_RDONLY);
if(file_descript < 0) {
printf("mount.cifs failed. %s attempting to open password file %s\n",
@@ -380,9 +391,6 @@ static int parse_options(char ** optionsp, int * filesys_flags)
return 1;
data = *optionsp;
- if(verboseflag)
- printf("parsing options: %s\n", data);
-
/* BB fixme check for separator override BB */
if (getuid()) {
@@ -471,18 +479,27 @@ static int parse_options(char ** optionsp, int * filesys_flags)
} else if (strncmp(data, "pass", 4) == 0) {
if (!value || !*value) {
if(got_password) {
- printf("\npassword specified twice, ignoring second\n");
+ fprintf(stderr, "\npassword specified twice, ignoring second\n");
} else
got_password = 1;
- } else if (strnlen(value, 17) < 17) {
- if(got_password)
- printf("\nmount.cifs warning - password specified twice\n");
- got_password = 1;
+ } else if (strnlen(value, MOUNT_PASSWD_SIZE) < MOUNT_PASSWD_SIZE) {
+ if (got_password) {
+ fprintf(stderr, "\nmount.cifs warning - password specified twice\n");
+ } else {
+ mountpassword = strndup(value, MOUNT_PASSWD_SIZE);
+ if (!mountpassword) {
+ fprintf(stderr, "mount.cifs error: %s", strerror(ENOMEM));
+ SAFE_FREE(out);
+ return 1;
+ }
+ got_password = 1;
+ }
} else {
- printf("password too long\n");
+ fprintf(stderr, "password too long\n");
SAFE_FREE(out);
return 1;
}
+ goto nocopy;
} else if (strncmp(data, "sec", 3) == 0) {
if (value) {
if (!strncmp(value, "none", 4) ||
@@ -1370,15 +1387,6 @@ mount_retry:
strlcat(options,domain_name,options_size);
}
}
- if(mountpassword) {
- /* Commas have to be doubled, or else they will
- look like the parameter separator */
-/* if(sep is not set)*/
- if(retry == 0)
- check_for_comma(&mountpassword);
- strlcat(options,",pass=",options_size);
- strlcat(options,mountpassword,options_size);
- }
strlcat(options,",ver=",options_size);
strlcat(options,MOUNT_CIFS_VERSION_MAJOR,options_size);
@@ -1391,8 +1399,6 @@ mount_retry:
strlcat(options,",prefixpath=",options_size);
strlcat(options,prefixpath,options_size); /* no need to cat the / */
}
- if(verboseflag)
- printf("\nmount.cifs kernel mount options %s \n",options);
/* convert all '\\' to '/' in share portion so that /proc/mounts looks pretty */
replace_char(dev_name, '\\', '/', strlen(share_name));
@@ -1424,6 +1430,25 @@ mount_retry:
}
}
+ if(verboseflag)
+ fprintf(stderr, "\nmount.cifs kernel mount options: %s", options);
+
+ if (mountpassword) {
+ /*
+ * Commas have to be doubled, or else they will
+ * look like the parameter separator
+ */
+ if(retry == 0)
+ check_for_comma(&mountpassword);
+ strlcat(options,",pass=",options_size);
+ strlcat(options,mountpassword,options_size);
+ if (verboseflag)
+ fprintf(stderr, ",pass=********");
+ }
+
+ if (verboseflag)
+ fprintf(stderr, "\n");
+
if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
switch (errno) {
case ECONNREFUSED:
diff --git a/source/include/smb.h b/source/include/smb.h
index 56d9461..327f212 100644
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -715,6 +715,7 @@ struct pending_message_list {
struct timeval request_time; /* When was this first issued? */
struct timeval end_time; /* When does this time out? */
bool encrypted;
+ bool processed;
DATA_BLOB buf;
DATA_BLOB private_data;
};
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 3908aef..491264e 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -5875,6 +5875,11 @@ bool lp_add_home(const char *pszHomename, int iDefaultService,
{
int i;
+ if (pszHomename == NULL || user == NULL || pszHomedir == NULL ||
+ pszHomedir[0] == '\0') {
+ return false;
+ }
+
i = add_a_service(ServicePtrs[iDefaultService], pszHomename);
if (i < 0)
@@ -7848,7 +7853,7 @@ static void lp_add_auto_services(char *str)
home = get_user_home_dir(talloc_tos(), p);
- if (home && homes >= 0)
+ if (home && home[0] && homes >= 0)
lp_add_home(p, homes, p, home);
TALLOC_FREE(home);
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 365c972..446b868 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -438,6 +438,7 @@ static bool push_queued_message(struct smb_request *req,
msg->request_time = request_time;
msg->end_time = end_time;
msg->encrypted = req->encrypted;
+ msg->processed = false;
if (private_data) {
msg->private_data = data_blob_talloc(msg, private_data,
@@ -493,6 +494,16 @@ void schedule_deferred_open_smb_message(uint16 mid)
DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
(unsigned int)msg_mid ));
if (mid == msg_mid) {
+
+ if (pml->processed) {
+ /* A processed message should not be
+ * rescheduled. */
+ DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
+ "message mid %u was already processed\n",
+ (unsigned int)msg_mid ));
+ continue;
+ }
+
DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
mid ));
pml->end_time.tv_sec = 0;
@@ -507,7 +518,7 @@ void schedule_deferred_open_smb_message(uint16 mid)
}
/****************************************************************************
- Return true if this mid is on the deferred queue.
+ Return true if this mid is on the deferred queue and was not yet processed.
****************************************************************************/
bool open_was_deferred(uint16 mid)
@@ -515,7 +526,7 @@ bool open_was_deferred(uint16 mid)
struct pending_message_list *pml;
for (pml = deferred_open_queue; pml; pml = pml->next) {
- if (SVAL(pml->buf.data,smb_mid) == mid) {
+ if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
return True;
}
}
@@ -784,6 +795,10 @@ static NTSTATUS receive_message_or_smb(TALLOC_CTX *mem_ctx, char **buffer,
/* We leave this message on the queue so the open code can
know this is a retry. */
DEBUG(5,("receive_message_or_smb: returning deferred open smb message.\n"));
+
+ /* Mark the message as processed so this is not
+ * re-processed in error. */
+ msg->processed = true;
return NT_STATUS_OK;
}
}
@@ -1428,7 +1443,6 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
if (!change_to_user(conn,session_tag)) {
reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid));
- remove_deferred_open_smb_message(req->mid);
return conn;
}
@@ -1493,6 +1507,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
static void construct_reply(char *inbuf, int size, size_t unread_bytes, bool encrypted)
{
+ struct pending_message_list *pml = NULL;
uint8 type = CVAL(inbuf,smb_com);
connection_struct *conn;
struct smb_request *req;
@@ -1508,6 +1523,13 @@ static void construct_reply(char *inbuf, int size, size_t unread_bytes, bool enc
conn = switch_message(type, req, size);
+ /* If this was a deferred message and it's still there and
+ * was processed, remove it. */
+ pml = get_open_deferred_message(req->mid);
+ if (pml && pml->processed) {
+ remove_deferred_open_smb_message(req->mid);
+ }
+
if (req->unread_bytes) {
/* writeX failed. drain socket. */
if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
diff --git a/source/smbd/service.c b/source/smbd/service.c
index 4724dd7..2a1ef20 100644
--- a/source/smbd/service.c
+++ b/source/smbd/service.c
@@ -55,6 +55,10 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
const char *s = connectpath;
bool start_of_name_component = true;
+ if (connectpath == NULL || connectpath[0] == '\0') {
+ return false;
+ }
+
destname = SMB_STRDUP(connectpath);
if (!destname) {
return false;
@@ -331,7 +335,7 @@ int add_home_service(const char *service, const char *username, const char *home
{
int iHomeService;
- if (!service || !homedir)
+ if (!service || !homedir || homedir[0] == '\0')
return -1;
if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0) {
--
Samba Shared Repository
More information about the samba-cvs
mailing list