[SCM] Samba Shared Repository - branch v3-4-test updated - release-4-0-0alpha7-1306-g9cdc203

Karolin Seeger kseeger at samba.org
Thu Oct 1 06:28:38 MDT 2009


The branch, v3-4-test has been updated
       via  9cdc203b0a2663b9b60fce89e17bc4c5b02b2a33 (commit)
       via  7705d2f962bb6378fb804f30818b00c3ebe504e7 (commit)
       via  91f37d4fe8e6d66db4acd666ad2d39610b4df758 (commit)
       via  a1e08163c3a90e5e6b16474cb81180a51dfa1b60 (commit)
       via  fbfc121ea1da5dd0156734226410fa07fdf51fad (commit)
       via  34f6fd0d086e03d2b6cfb14c262ca98c362ace42 (commit)
       via  065243eaf468171fafa3456454912ceb11f6d9a7 (commit)
       via  38bd3663bb7a410132ae065b54994f9645cbc59c (commit)
      from  f142ae80e344f098fb01a4c154a9fe46ed9a4eae (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test


- Log -----------------------------------------------------------------
commit 9cdc203b0a2663b9b60fce89e17bc4c5b02b2a33
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Sep 30 14:17:40 2009 +0200

    Fix for CVE-2009-2906.
    
    Summary:
    Specially crafted SMB requests on
    authenticated SMB connections can send smbd
    into a 100% CPU loop, causing a DoS on the
    Samba server.
    (cherry picked from commit 7439cd5efa50058741c57857109690e4a104f9f0)

commit 7705d2f962bb6378fb804f30818b00c3ebe504e7
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Sep 30 13:54:22 2009 +0200

    WHATSNEW: Update release notes.
    
    Karolin
    (cherry picked from commit 9851a27b2f73e16c730983f60f7d580de897da95)

commit 91f37d4fe8e6d66db4acd666ad2d39610b4df758
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Sep 28 13:38:32 2009 +0200

    WHATSNEW: Update release date.
    
    Karolin
    (cherry picked from commit cc0829c00d527ba0e707efe0f57d637a38b03dee)

commit a1e08163c3a90e5e6b16474cb81180a51dfa1b60
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Sep 28 13:26:37 2009 +0200

    Fix for CVE-2009-2813.
    
    ===========================================================
    == Subject:     Misconfigured /etc/passwd file may share folders unexpectedly
    ==
    == CVE ID#:     CVE-2009-2813
    ==
    == Versions:    All versions of Samba later than 3.0.11
    ==
    == Summary:     If a user in /etc/passwd is misconfigured to have
    ==              an empty home directory then connecting to the home
    ==              share of this user will use the root of the filesystem
    ==              as the home directory.
    ===========================================================
    (cherry picked from commit ac075bd679fd59e93ea13780f6651a431002edd0)

commit fbfc121ea1da5dd0156734226410fa07fdf51fad
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 25 07:03:07 2009 -0400

    mount.cifs: don't leak passwords with verbose option
    
    When running mount.cifs with the --verbose option, it'll print out the
    option string that it passes to the kernel...including the mount
    password if there is one. Print a placeholder string instead to help
    ensure that this info can't be used for nefarious purposes.
    
    Also, the --verbose option printed the option string before it was
    completely assembled anyway. This patch should also make sure that
    the complete option string is printed out.
    
    Finally, strndup passwords passed in on the command line to ensure that
    they aren't shown by --verbose as well. Passwords used this way can
    never be truly kept private from other users on the machine of course,
    but it's simple enough to do it this way for completeness' sake.
    
    Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    Acked-by: Steve French <sfrench at us.ibm.com>
    
    Part 2/2 of a fix for CVE-2009-2948.
    (cherry picked from commit 2a422f453dd3ad9978e6ec0ac40c122163c028ed)

commit 34f6fd0d086e03d2b6cfb14c262ca98c362ace42
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 25 06:51:01 2009 -0400

    mount.cifs: check access of credential files before opening
    
    It's possible for an unprivileged user to pass a setuid mount.cifs a
    credential or password file to which he does not have access. This can cause
    mount.cifs to open the file on his behalf and possibly leak the info in the
    first few lines of the file.
    
    Check the access permissions of the file before opening it.
    
    Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    Acked-by: Steve French <sfrench at us.ibm.com>
    
    Part 1/2 of a fix for CVE-2009-2948.
    (cherry picked from commit 42351937b00f6aa013d16c2a4dbd0b37e7e9ed11)

commit 065243eaf468171fafa3456454912ceb11f6d9a7
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Sep 28 13:21:07 2009 +0200

    WHATSNEW: Prepare release notes for 3.4.2.
    
    Karolin
    (cherry picked from commit 53ba0b36d0d3bb2fb4b2fc5335920487060ed284)

commit 38bd3663bb7a410132ae065b54994f9645cbc59c
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Sep 24 14:29:43 2009 +0200

    Raise version number up to 3.4.2.
    
    Karolin
    (cherry picked from commit d805592d6fb1fa841a74c547945226a916494a2d)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                |   70 +++++++++++++++++++++++++++++++++++++++++--
 source3/VERSION             |    2 +-
 source3/client/mount.cifs.c |   65 +++++++++++++++++++++++++++------------
 source3/include/smb.h       |    1 +
 source3/param/loadparm.c    |    7 ++++-
 source3/smbd/process.c      |   30 +++++++++++++++---
 source3/smbd/service.c      |    6 +++-
 7 files changed, 150 insertions(+), 31 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c066e4b..f1c9d50 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
                    =============================
+                   Release Notes for Samba 3.4.2
+			  October 1, 2009
+                   =============================
+
+
+This is a security release in order to address CVE-2009-2813, CVE-2009-2948
+and CVE-2009-2906.
+
+   o CVE-2009-2813:
+     In all versions of Samba later than 3.0.11, connecting to the home
+     share of a user will use the root of the filesystem
+     as the home directory if this user is misconfigured to have
+     an empty home directory in /etc/passwd.
+
+   o CVE-2009-2948:
+     If mount.cifs is installed as a setuid program, a user can pass it a
+     credential or password path to which he or she does not have access and
+     then use the --verbose option to view the first line of that file.
+     All known Samba versions are affected.
+
+   o CVE-2009-2906:
+     Specially crafted SMB requests on authenticated SMB connections can
+     send smbd into a 100% CPU loop, causing a DoS on the Samba server.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.4.1
+-------------------
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 6763: Fix for CVE-2009-2813.
+    * BUG 6768: Fix for CVE-2009-2906.
+
+
+o   Jeff Layton <jlayton at redhat.com>
+    * Fix for CVE-2009-2948.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older versions follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 3.4.1
 			 September 9, 2009
                    =============================
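Review bot: the CVE-2009-2948 entry says a user can "view the first line of that file", while the mount.cifs commit message in this same push says the info in "the first few lines" of the file may leak; align the two wordings so the release notes do not understate the exposure. The "October 1, 2009" line is also indented with a tab while the banner lines around it use spaces, so it will not line up under the title in every viewer.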
@@ -134,9 +200,7 @@ database (https://bugzilla.samba.org/).
 == The Samba Team
 ======================================================================
 
-
-Release notes for older versions follow:
-----------------------------------------
+----------------------------------------------------------------------
 
                    =============================
                    Release Notes for Samba 3.4.0
diff --git a/source3/VERSION b/source3/VERSION
index 9f77867..f1febc9 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #
diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
index 0c551cc..43dc7f6 100644
--- a/source3/client/mount.cifs.c
+++ b/source3/client/mount.cifs.c
@@ -198,6 +198,11 @@ static int open_cred_file(char * file_name)
 	char * temp_val;
 	FILE * fs;
 	int i, length;
+
+	i = access(file_name, R_OK);
+	if (i)
+		return i;
+
 	fs = fopen(file_name,"r");
 	if(fs == NULL)
 		return errno;
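Review bot: the `access(file_name, R_OK)` check and the `fopen()` two lines later are not atomic, so the file that was checked need not be the file that is opened (check-then-open, TOCTOU); the robust form is to validate after opening (open, then `fstat()` the descriptor and verify ownership and mode) or to perform the open with the caller's real uid. Also, `access()` returns -1 on failure rather than an errno value, so `return i` is inconsistent with the `return errno` used for the `fopen()` failure right below; return `errno` in both places.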
@@ -320,6 +325,12 @@ static int get_password_from_file(int file_descript, char * filename)
 	}
 
 	if(filename != NULL) {
+		rc = access(filename, R_OK);
+		if (rc) {
+			fprintf(stderr, "mount.cifs failed: access check of %s failed: %s\n",
+					filename, strerror(errno));
+			exit(EX_SYSERR);
+		}
 		file_descript = open(filename, O_RDONLY);
 		if(file_descript < 0) {
 			printf("mount.cifs failed. %s attempting to open password file %s\n",
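Review bot: same check-then-open pattern as in open_cred_file: the `access()` call and the `open()` that follows are separate operations, so the stronger fix is to validate the file on the opened descriptor (`fstat()` on `file_descript`) or to open it as the real uid. The new failure message is sent to stderr via `fprintf`, while the existing open failure directly below still uses `printf` to stdout; both should go to stderr.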
@@ -379,9 +390,6 @@ static int parse_options(char ** optionsp, int * filesys_flags)
 		return 1;
 	data = *optionsp;
 
-	if(verboseflag)
-		printf("parsing options: %s\n", data);
-
 	/* BB fixme check for separator override BB */
 
 	if (getuid()) {
@@ -470,18 +478,27 @@ static int parse_options(char ** optionsp, int * filesys_flags)
 		} else if (strncmp(data, "pass", 4) == 0) {
 			if (!value || !*value) {
 				if(got_password) {
-					printf("\npassword specified twice, ignoring second\n");
+					fprintf(stderr, "\npassword specified twice, ignoring second\n");
 				} else
 					got_password = 1;
-			} else if (strnlen(value, 17) < 17) {
-				if(got_password)
-					printf("\nmount.cifs warning - password specified twice\n");
-				got_password = 1;
+			} else if (strnlen(value, MOUNT_PASSWD_SIZE) < MOUNT_PASSWD_SIZE) {
+				if (got_password) {
+					fprintf(stderr, "\nmount.cifs warning - password specified twice\n");
+				} else {
+					mountpassword = strndup(value, MOUNT_PASSWD_SIZE);
+					if (!mountpassword) {
+						fprintf(stderr, "mount.cifs error: %s", strerror(ENOMEM));
+						SAFE_FREE(out);
+						return 1;
+					}
+					got_password = 1;
+				}
 			} else {
-				printf("password too long\n");
+				fprintf(stderr, "password too long\n");
 				SAFE_FREE(out);
 				return 1;
 			}
+			goto nocopy;
 		} else if (strncmp(data, "sec", 3) == 0) {
 			if (value) {
 				if (!strncmp(value, "none", 4) ||
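Review bot: the ENOMEM message `"mount.cifs error: %s"` lacks a trailing newline, unlike the other messages in this hunk. Since the password is now copied with `strndup`, the original bytes in `value` (which live in argv) remain in place for the life of the process; overwriting them once they have been duplicated would at least stop the process itself from exposing them, within the limits the commit message already notes for command-line passwords.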
@@ -1384,15 +1401,6 @@ mount_retry:
 			strlcat(options,domain_name,options_size);
 		}
 	}
-	if(mountpassword) {
-		/* Commas have to be doubled, or else they will
-		look like the parameter separator */
-/*		if(sep is not set)*/
-		if(retry == 0)
-			check_for_comma(&mountpassword);
-		strlcat(options,",pass=",options_size);
-		strlcat(options,mountpassword,options_size);
-	}
 
 	strlcat(options,",ver=",options_size);
 	strlcat(options,MOUNT_CIFS_VERSION_MAJOR,options_size);
@@ -1405,8 +1413,6 @@ mount_retry:
 		strlcat(options,",prefixpath=",options_size);
 		strlcat(options,prefixpath,options_size); /* no need to cat the / */
 	}
-	if(verboseflag)
-		printf("\nmount.cifs kernel mount options %s \n",options);
 
 	/* convert all '\\' to '/' in share portion so that /proc/mounts looks pretty */
 	replace_char(dev_name, '\\', '/', strlen(share_name));
@@ -1438,6 +1444,25 @@ mount_retry:
 		}
 	}
 
+	if(verboseflag)
+		fprintf(stderr, "\nmount.cifs kernel mount options: %s", options);
+
+	if (mountpassword) {
+		/*
+		 * Commas have to be doubled, or else they will
+		 * look like the parameter separator
+		 */
+		if(retry == 0)
+			check_for_comma(&mountpassword);
+		strlcat(options,",pass=",options_size);
+		strlcat(options,mountpassword,options_size);
+		if (verboseflag)
+			fprintf(stderr, ",pass=********");
+	}
+
+	if (verboseflag)
+		fprintf(stderr, "\n");
+
 	if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
 		switch (errno) {
 		case ECONNREFUSED:
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 7cb8e95..2a3c455 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -729,6 +729,7 @@ struct pending_message_list {
 	struct timed_event *te;
 	struct smb_perfcount_data pcd;
 	bool encrypted;
+	bool processed;
 	DATA_BLOB buf;
 	DATA_BLOB private_data;
 };
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 72c9950..4bd48ab 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -6095,6 +6095,11 @@ bool lp_add_home(const char *pszHomename, int iDefaultService,
 {
 	int i;
 
+	if (pszHomename == NULL || user == NULL || pszHomedir == NULL ||
+			pszHomedir[0] == '\0') {
+		return false;
+	}
+
 	i = add_a_service(ServicePtrs[iDefaultService], pszHomename);
 
 	if (i < 0)
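Review bot: the new guard returns false silently. An empty home directory in /etc/passwd is exactly the misconfiguration CVE-2009-2813 describes, so a DEBUG line here naming `user` would let an administrator find the offending account in the logs rather than only noticing that the home share never appears.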
@@ -8066,7 +8071,7 @@ static void lp_add_auto_services(char *str)
 
 		home = get_user_home_dir(talloc_tos(), p);
 
-		if (home && homes >= 0)
+		if (home && home[0] && homes >= 0)
 			lp_add_home(p, homes, p, home);
 
 		TALLOC_FREE(home);
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index caf9241..b4976f7 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -412,6 +412,7 @@ static void smbd_deferred_open_timer(struct event_context *ev,
 	struct pending_message_list *msg = talloc_get_type(private_data,
 					   struct pending_message_list);
 	TALLOC_CTX *mem_ctx = talloc_tos();
+	uint16_t mid = SVAL(msg->buf.data,smb_mid);
 	uint8_t *inbuf;
 
 	inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
@@ -424,11 +425,21 @@ static void smbd_deferred_open_timer(struct event_context *ev,
 	/* We leave this message on the queue so the open code can
 	   know this is a retry. */
 	DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
-		(unsigned int)SVAL(msg->buf.data,smb_mid)));
+		(unsigned int)mid));
+
+	/* Mark the message as processed so this is not
+	 * re-processed in error. */
+	msg->processed = true;
 
 	process_smb(smbd_server_conn, inbuf,
 		    msg->buf.length, 0,
 		    msg->encrypted, &msg->pcd);
+
+	/* If it's still there and was processed, remove it. */
+	msg = get_open_deferred_message(mid);
+	if (msg && msg->processed) {
+		remove_deferred_open_smb_message(mid);
+	}
 }
 
 /****************************************************************************
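Review bot: the re-lookup `msg = get_open_deferred_message(mid)` after `process_smb()` is needed because the callee may have removed and freed the entry `msg` pointed to, but the comment only says "If it's still there and was processed"; state explicitly that `msg` must not be dereferenced after `process_smb()`, and that the `processed` test also protects a freshly queued message with the same mid (pushed with `processed = false` in push_queued_message) from being removed by mistake.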
@@ -460,6 +471,7 @@ static bool push_queued_message(struct smb_request *req,
 
 	msg->request_time = request_time;
 	msg->encrypted = req->encrypted;
+	msg->processed = false;
 	SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
 
 	if (private_data) {
@@ -501,7 +513,7 @@ void remove_deferred_open_smb_message(uint16 mid)
 
 	for (pml = deferred_open_queue; pml; pml = pml->next) {
 		if (mid == SVAL(pml->buf.data,smb_mid)) {
-			DEBUG(10,("remove_sharing_violation_open_smb_message: "
+			DEBUG(10,("remove_deferred_open_smb_message: "
 				  "deleting mid %u len %u\n",
 				  (unsigned int)mid,
 				  (unsigned int)pml->buf.length ));
@@ -531,6 +543,15 @@ void schedule_deferred_open_smb_message(uint16 mid)
 		if (mid == msg_mid) {
 			struct timed_event *te;
 
+			if (pml->processed) {
+				/* A processed message should not be
+				 * rescheduled. */
+				DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
+					"message mid %u was already processed\n",
+					msg_mid ));
+				continue;
+			}
+
 			DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
 				mid ));
 
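Review bot: the `processed` check logs at DEBUG level 0, so it lands in the default log; that is appropriate, since reaching it means a deferred open was triggered a second time, the condition behind the CPU loop this change addresses. It would help log readers if the message said that the request is being skipped, and a `return` would read more clearly than `continue` unless several queue entries can legitimately carry the same mid.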
@@ -557,7 +578,7 @@ void schedule_deferred_open_smb_message(uint16 mid)
 }
 
 /****************************************************************************
- Return true if this mid is on the deferred queue.
+ Return true if this mid is on the deferred queue and was not yet processed.
 ****************************************************************************/
 
 bool open_was_deferred(uint16 mid)
@@ -565,7 +586,7 @@ bool open_was_deferred(uint16 mid)
 	struct pending_message_list *pml;
 
 	for (pml = deferred_open_queue; pml; pml = pml->next) {
-		if (SVAL(pml->buf.data,smb_mid) == mid) {
+		if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
 			return True;
 		}
 	}
@@ -1300,7 +1321,6 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
 
 		if (!change_to_user(conn,session_tag)) {
 			reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid));
-			remove_deferred_open_smb_message(req->mid);
 			return conn;
 		}
 
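Review bot: dropping `remove_deferred_open_smb_message(req->mid)` here means a deferred request whose uid switch fails is no longer pulled off the queue at this point; confirm that the new path in smbd_deferred_open_timer, which marks the entry processed and removes it after `process_smb()`, covers that case so no queue entry is left behind after ERRbaduid.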
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index fc59744..902a7c4 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -56,6 +56,10 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
 	const char *s = connectpath;
         bool start_of_name_component = true;
 
+	if (connectpath == NULL || connectpath[0] == '\0') {
+		return false;
+	}
+
 	destname = SMB_STRDUP(connectpath);
 	if (!destname) {
 		return false;
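Review bot: having the empty-path check at this lowest layer is the right call, since add_home_service and lp_add_home also reject an empty homedir in this push but any other caller of set_conn_connectpath would otherwise be uncovered. The check sits after the local initialisations of `s` and `start_of_name_component`; moving it to the top of the function reads more naturally, and a DEBUG line naming the service would make the rejected share visible to the administrator.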
@@ -259,7 +263,7 @@ int add_home_service(const char *service, const char *username, const char *home
 {
 	int iHomeService;
 
-	if (!service || !homedir)
+	if (!service || !homedir || homedir[0] == '\0')
 		return -1;
 
 	if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0) {


-- 
Samba Shared Repository

